# Flog Txt Version 1 # Analyzer Version: 2.3.2 # Analyzer Build Date: Jan 8 2019 16:19:15 # Log Creation Date: 19.01.2019 16:50:01.476 Process: id = "1" image_name = "crypt.exe" filename = "c:\\users\\ciihmnxmn6ps\\desktop\\crypt.exe" page_root = "0x2a659000" os_pid = "0xfd8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\CIiHmnxMn6Ps\\Desktop\\CRYPT.EXE\" " cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00013da5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3 start_va = 0x40000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4 start_va = 0x60000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 5 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6 start_va = 0x1a0000 end_va = 0x1a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 7 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 8 start_va = 0x400000 end_va = 0x407fff entry_point = 0x400000 region_type = mapped_file name = "crypt.exe" filename = "\\Users\\CIiHmnxMn6Ps\\Desktop\\CRYPT.EXE" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\crypt.exe") Region: id = 9 start_va = 0x776b0000 end_va = 0x77828fff entry_point = 0x776b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 10 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 11 start_va = 0x7ffdb000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 12 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 13 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 14 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 15 start_va = 0x7fff0000 end_va = 0x7ffc57b4ffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 16 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 17 start_va = 0x7ffc57d12000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffc57d12000" filename = "" Region: id = 157 start_va = 0x1c0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 158 start_va = 0x5bab0000 end_va = 0x5bb22fff entry_point = 0x5bab0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 159 start_va = 0x5bb30000 end_va = 0x5bb7efff entry_point = 0x5bb30000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 160 start_va = 0x5baa0000 end_va = 0x5baa7fff entry_point = 0x5baa0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 161 start_va = 0x580000 end_va = 0x67ffff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 162 start_va = 0x74f40000 end_va = 0x7502ffff entry_point = 0x74f40000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 163 start_va = 0x75190000 end_va = 0x75305fff entry_point = 0x75190000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 164 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 165 start_va = 0x1d0000 end_va = 0x28dfff entry_point = 0x1d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 166 start_va = 0x746b0000 end_va = 0x74740fff entry_point = 0x746b0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 167 start_va = 0x7feb0000 end_va = 0x7ffaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 168 start_va = 0x20000 end_va = 0x23fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 169 start_va = 0x290000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 170 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 171 start_va = 0x745f0000 end_va = 0x74606fff entry_point = 0x745f0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 172 start_va = 0x74750000 end_va = 0x747a8fff entry_point = 0x74750000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 173 start_va = 0x747b0000 end_va = 0x747b9fff entry_point = 0x747b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 174 start_va = 0x747c0000 end_va = 0x747ddfff entry_point = 0x747c0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 175 start_va = 0x74a00000 end_va = 0x74aabfff entry_point = 0x74a00000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 176 start_va = 0x74ab0000 end_va = 0x74abbfff entry_point = 0x74ab0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 177 start_va = 0x74da0000 end_va = 0x74de3fff entry_point = 0x74da0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 178 start_va = 0x75030000 end_va = 0x7517cfff entry_point = 0x75030000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 179 start_va = 0x75180000 end_va = 0x7518efff entry_point = 0x75180000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 180 start_va = 0x75310000 end_va = 0x766cefff entry_point = 0x75310000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 181 start_va = 0x76790000 end_va = 0x76c6cfff entry_point = 0x76790000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 182 start_va = 0x76c70000 end_va = 0x76daffff entry_point = 0x76c70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 183 start_va = 0x76f20000 end_va = 0x76fddfff entry_point = 0x76f20000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 184 start_va = 0x77260000 end_va = 0x772a3fff entry_point = 0x77260000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 185 start_va = 0x772b0000 end_va = 0x772f2fff entry_point = 0x772b0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 186 start_va = 0x77300000 end_va = 0x7738cfff entry_point = 0x77300000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 187 start_va = 0x77390000 end_va = 0x77549fff entry_point = 0x77390000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 188 start_va = 0x77550000 end_va = 0x775cafff entry_point = 0x77550000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 189 start_va = 0x7ffd8000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 190 start_va = 0x550000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 191 start_va = 0x680000 end_va = 0x807fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 192 start_va = 0x74df0000 end_va = 0x74f0ffff entry_point = 0x74df0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 193 start_va = 0x74f10000 end_va = 0x74f3afff entry_point = 0x74f10000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 194 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 195 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 196 start_va = 0x810000 end_va = 0x990fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 197 start_va = 0x9a0000 end_va = 0x1d9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 198 start_va = 0x3e0000 end_va = 0x3e1fff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 199 start_va = 0x3f0000 end_va = 0x3f1fff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 200 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 201 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 202 start_va = 0x745d0000 end_va = 0x745e2fff entry_point = 0x745d0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 203 start_va = 0x745b0000 end_va = 0x745cafff entry_point = 0x745b0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 204 start_va = 0x74580000 end_va = 0x745aefff entry_point = 0x74580000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 205 start_va = 0x410000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 206 start_va = 0x450000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 207 start_va = 0x7ffd5000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 208 start_va = 0x1da0000 end_va = 0x20d6fff entry_point = 0x1da0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 209 start_va = 0x74550000 end_va = 0x74577fff entry_point = 0x74550000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 210 start_va = 0x3e0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 211 start_va = 0x20e0000 end_va = 0x21dffff entry_point = 0x0 region_type = private name = "private_0x00000000020e0000" filename = "" Region: id = 212 start_va = 0x3e0000 end_va = 0x3f5fff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 213 start_va = 0x560000 end_va = 0x567fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 214 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 215 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 216 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 217 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 218 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 219 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 220 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 221 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 222 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 223 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 224 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 225 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 226 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 227 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 228 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 229 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 230 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 231 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 232 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 233 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 234 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 235 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 236 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 237 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 238 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 239 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 240 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 241 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 242 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 243 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 244 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 245 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 246 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 247 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 248 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 249 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 250 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 251 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 252 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 253 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 254 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 255 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 256 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 257 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 258 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 259 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 260 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 261 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 262 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 263 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 264 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 265 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 266 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 267 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 268 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 269 start_va = 0x3e0000 end_va = 0x3e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 270 start_va = 0x3e0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 271 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 272 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 273 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 274 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 275 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 276 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 277 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 278 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 279 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 280 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 281 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 282 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 283 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 284 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 285 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 286 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 287 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 288 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 289 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 290 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 291 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 292 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 293 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 294 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 295 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 296 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 297 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 298 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 299 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 300 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 301 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 302 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 303 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 304 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 305 start_va = 0x3e0000 end_va = 0x3e9fff entry_point = 0x3e0000 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\crypt32.dll.mui") Region: id = 306 start_va = 0x21e0000 end_va = 0x2354fff entry_point = 0x21e0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 307 start_va = 0x3e0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 308 start_va = 0x74630000 end_va = 0x746a4fff entry_point = 0x74630000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 309 start_va = 0x3e0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 310 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 311 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 312 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 313 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 314 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 315 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 316 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 317 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 318 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 319 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 320 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 321 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 322 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 323 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 324 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 325 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 326 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 327 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 328 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 329 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 330 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 331 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 332 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 333 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 334 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 335 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 336 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 337 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 338 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 339 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 340 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 341 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 342 start_va = 0x3e0000 end_va = 0x3e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 343 start_va = 0x21e0000 end_va = 0x233ffff entry_point = 0x0 region_type = private name = "private_0x00000000021e0000" filename = "" Region: id = 344 start_va = 0x3e0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 345 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 346 start_va = 0x77170000 end_va = 0x77259fff entry_point = 0x77170000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 347 start_va = 0x3f0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 348 start_va = 0x560000 end_va = 0x564fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 349 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 350 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 351 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 352 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 353 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 354 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 355 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 356 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 357 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 358 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 359 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 360 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 361 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 362 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 363 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 364 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 365 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 366 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 367 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 368 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 369 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 370 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 371 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 372 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 373 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 374 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 375 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 376 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 377 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 378 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 379 start_va = 0x21e0000 end_va = 0x2270fff entry_point = 0x21e0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 380 start_va = 0x2330000 end_va = 0x233ffff entry_point = 0x0 region_type = private name = "private_0x0000000002330000" filename = "" Region: id = 381 start_va = 0x3f0000 end_va = 0x3f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 382 start_va = 0x74400000 end_va = 0x74541fff entry_point = 0x74400000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 383 start_va = 0x770d0000 end_va = 0x77161fff entry_point = 0x770d0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 384 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 385 start_va = 0x76fe0000 end_va = 0x77061fff entry_point = 0x76fe0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 386 start_va = 0x560000 end_va = 0x560fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 387 start_va = 0x570000 end_va = 0x573fff entry_point = 0x570000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 388 start_va = 0x21e0000 end_va = 0x2222fff entry_point = 0x21e0000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000013.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000013.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000013.db") Region: id = 389 start_va = 0x2230000 end_va = 0x2233fff entry_point = 0x2230000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 390 start_va = 0x2240000 end_va = 0x22cafff entry_point = 0x2240000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 391 start_va = 0x22d0000 end_va = 0x22e0fff entry_point = 0x22d0000 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\propsys.dll.mui") Region: id = 392 start_va = 0x22f0000 end_va = 0x22f3fff entry_point = 0x22f0000 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 393 start_va = 0x2300000 end_va = 0x230ffff entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 394 start_va = 0x2310000 end_va = 0x2314fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002310000" filename = "" Region: id = 395 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 396 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 397 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 398 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 399 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 400 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 401 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 402 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 403 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 404 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 405 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 406 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 407 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 408 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 409 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 410 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 411 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 412 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 413 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 414 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 415 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 416 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 417 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 418 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 419 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 420 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 421 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 422 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 423 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 424 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 425 start_va = 0x2300000 end_va = 0x2304fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 426 start_va = 0x2300000 end_va = 0x2312fff entry_point = 0x2300000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001c.db" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db") Region: id = 427 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002320000" filename = "" Region: id = 428 start_va = 0x2340000 end_va = 0x237ffff entry_point = 0x0 region_type = private name = "private_0x0000000002340000" filename = "" Region: id = 429 start_va = 0x2380000 end_va = 0x247ffff entry_point = 0x0 region_type = private name = "private_0x0000000002380000" filename = "" Region: id = 430 start_va = 0x7fead000 end_va = 0x7feaffff entry_point = 0x0 region_type = private name = "private_0x000000007fead000" filename = "" Region: id = 431 start_va = 0x77080000 end_va = 0x770b5fff entry_point = 0x77080000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 432 start_va = 0x2480000 end_va = 0x24bffff entry_point = 0x0 region_type = private name = "private_0x0000000002480000" filename = "" Region: id = 433 start_va = 0x24c0000 end_va = 0x25bffff entry_point = 0x0 region_type = private name = "private_0x00000000024c0000" filename = "" Region: id = 434 start_va = 0x7feaa000 end_va = 0x7feacfff entry_point = 0x0 region_type = private name = "private_0x000000007feaa000" filename = "" Region: id = 435 start_va = 0x25c0000 end_va = 0x25fffff entry_point = 0x0 region_type = private name = "private_0x00000000025c0000" filename = "" Region: id = 436 start_va = 0x2600000 end_va = 0x26fffff entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 437 start_va = 0x2700000 end_va = 0x273ffff entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 438 start_va = 0x2740000 end_va = 0x283ffff entry_point = 0x0 region_type = private name = "private_0x0000000002740000" filename = "" Region: id = 439 start_va = 0x2840000 end_va = 0x287ffff entry_point = 0x0 region_type = private name = "private_0x0000000002840000" filename = "" Region: id = 440 start_va = 0x2880000 end_va = 0x297ffff entry_point = 0x0 region_type = private name = "private_0x0000000002880000" filename = "" Region: id = 441 start_va = 0x7fea1000 end_va = 0x7fea3fff entry_point = 0x0 region_type = private name = "private_0x000000007fea1000" filename = "" Region: id = 442 start_va = 0x7fea4000 end_va = 0x7fea6fff entry_point = 0x0 region_type = private name = "private_0x000000007fea4000" filename = "" Region: id = 443 start_va = 0x7fea7000 end_va = 0x7fea9fff entry_point = 0x0 region_type = private name = "private_0x000000007fea7000" filename = "" Region: id = 444 start_va = 0x742a0000 end_va = 0x743fffff entry_point = 0x742a0000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 445 start_va = 0x22f0000 end_va = 0x22fffff entry_point = 0x0 region_type = private name = "private_0x00000000022f0000" filename = "" Region: id = 446 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 447 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 448 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 449 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 450 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 451 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 452 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 453 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 454 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 455 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 456 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 457 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 458 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 459 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 460 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 461 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 462 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 463 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 464 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 465 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 466 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 467 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 468 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 469 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 470 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 471 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 472 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 473 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 474 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 475 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 476 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 477 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 478 start_va = 0x73fd0000 end_va = 0x74290fff entry_point = 0x73fd0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 479 start_va = 0x22f0000 end_va = 0x22f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 480 start_va = 0x2980000 end_va = 0x298ffff entry_point = 0x0 region_type = private name = "private_0x0000000002980000" filename = "" Region: id = 481 start_va = 0x2990000 end_va = 0x2994fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002990000" filename = "" Region: id = 482 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 483 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 484 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 485 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 486 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 487 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 488 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 489 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 490 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 491 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 492 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 493 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 494 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 495 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 496 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 497 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 498 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 499 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 500 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 501 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 502 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 503 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 504 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 505 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 506 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 507 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 508 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 509 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 510 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 511 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 512 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 513 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 534 start_va = 0x2980000 end_va = 0x298ffff entry_point = 0x0 region_type = private name = "private_0x0000000002980000" filename = "" Region: id = 535 start_va = 0x2990000 end_va = 0x2994fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002990000" filename = "" Region: id = 536 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 537 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 538 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 539 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 540 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 541 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 542 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 543 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 544 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 545 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 546 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 547 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 548 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 549 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 550 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 551 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 552 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 553 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 554 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 555 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 556 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 557 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 558 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 559 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 560 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 561 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 562 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 563 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 564 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 565 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 566 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 567 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 568 start_va = 0x2980000 end_va = 0x2984fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 569 start_va = 0x2980000 end_va = 0x29bffff entry_point = 0x0 region_type = private name = "private_0x0000000002980000" filename = "" Region: id = 570 start_va = 0x29c0000 end_va = 0x2abffff entry_point = 0x0 region_type = private name = "private_0x00000000029c0000" filename = "" Region: id = 571 start_va = 0x7fe9e000 end_va = 0x7fea0fff entry_point = 0x0 region_type = private name = "private_0x000000007fe9e000" filename = "" Region: id = 576 start_va = 0x2ac0000 end_va = 0x2afffff entry_point = 0x0 region_type = private name = "private_0x0000000002ac0000" filename = "" Region: id = 577 start_va = 0x2b00000 end_va = 0x2bfffff entry_point = 0x0 region_type = private name = "private_0x0000000002b00000" filename = "" Region: id = 578 start_va = 0x7fe9b000 end_va = 0x7fe9dfff entry_point = 0x0 region_type = private name = "private_0x000000007fe9b000" filename = "" Region: id = 579 start_va = 0x2c00000 end_va = 0x2c3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002c00000" filename = "" Region: id = 580 start_va = 0x2c40000 end_va = 0x2d3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 581 start_va = 0x7fe98000 end_va = 0x7fe9afff entry_point = 0x0 region_type = private name = "private_0x000000007fe98000" filename = "" Region: id = 582 start_va = 0x2d40000 end_va = 0x2d7ffff entry_point = 0x0 region_type = private name = "private_0x0000000002d40000" filename = "" Region: id = 583 start_va = 0x2d80000 end_va = 0x2e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000002d80000" filename = "" Region: id = 584 start_va = 0x7fe95000 end_va = 0x7fe97fff entry_point = 0x0 region_type = private name = "private_0x000000007fe95000" filename = "" Region: id = 596 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x3f0000 region_type = mapped_file name = "mpr.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\mpr.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\mpr.dll.mui") Region: id = 597 start_va = 0x2e80000 end_va = 0x2ebffff entry_point = 0x0 region_type = private name = "private_0x0000000002e80000" filename = "" Region: id = 598 start_va = 0x2ec0000 end_va = 0x2fbffff entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 599 start_va = 0x7fe92000 end_va = 0x7fe94fff entry_point = 0x0 region_type = private name = "private_0x000000007fe92000" filename = "" Region: id = 600 start_va = 0x2fc0000 end_va = 0x2ffffff entry_point = 0x0 region_type = private name = "private_0x0000000002fc0000" filename = "" Region: id = 601 start_va = 0x3000000 end_va = 0x30fffff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 602 start_va = 0x7fe8f000 end_va = 0x7fe91fff entry_point = 0x0 region_type = private name = "private_0x000000007fe8f000" filename = "" Region: id = 603 start_va = 0x2c00000 end_va = 0x2cfffff entry_point = 0x0 region_type = private name = "private_0x0000000002c00000" filename = "" Region: id = 604 start_va = 0x22f0000 end_va = 0x22fffff entry_point = 0x22f0000 region_type = mapped_file name = "bootstat.dat id-br3n0g72wub8cejt.lyas" filename = "\\Boot\\BOOTSTAT.DAT id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\bootstat.dat id-br3n0g72wub8cejt.lyas") Region: id = 605 start_va = 0x2d00000 end_va = 0x2d3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 606 start_va = 0x3100000 end_va = 0x31fffff entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 607 start_va = 0x7fe98000 end_va = 0x7fe9afff entry_point = 0x0 region_type = private name = "private_0x000000007fe98000" filename = "" Region: id = 608 start_va = 0x3200000 end_va = 0x323ffff entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 609 start_va = 0x3240000 end_va = 0x333ffff entry_point = 0x0 region_type = private name = "private_0x0000000003240000" filename = "" Region: id = 610 start_va = 0x7fe8c000 end_va = 0x7fe8efff entry_point = 0x0 region_type = private name = "private_0x000000007fe8c000" filename = "" Region: id = 611 start_va = 0x3340000 end_va = 0x337ffff entry_point = 0x0 region_type = private name = "private_0x0000000003340000" filename = "" Region: id = 612 start_va = 0x3380000 end_va = 0x347ffff entry_point = 0x0 region_type = private name = "private_0x0000000003380000" filename = "" Region: id = 613 start_va = 0x7fe89000 end_va = 0x7fe8bfff entry_point = 0x0 region_type = private name = "private_0x000000007fe89000" filename = "" Region: id = 614 start_va = 0x3480000 end_va = 0x34bffff entry_point = 0x0 region_type = private name = "private_0x0000000003480000" filename = "" Region: id = 615 start_va = 0x34c0000 end_va = 0x35bffff entry_point = 0x0 region_type = private name = "private_0x00000000034c0000" filename = "" Region: id = 616 start_va = 0x7fe86000 end_va = 0x7fe88fff entry_point = 0x0 region_type = private name = "private_0x000000007fe86000" filename = "" Region: id = 617 start_va = 0x35c0000 end_va = 0x35fffff entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 618 start_va = 0x3600000 end_va = 0x36fffff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 619 start_va = 0x7fe83000 end_va = 0x7fe85fff entry_point = 0x0 region_type = private name = "private_0x000000007fe83000" filename = "" Region: id = 620 start_va = 0x3700000 end_va = 0x373ffff entry_point = 0x0 region_type = private name = "private_0x0000000003700000" filename = "" Region: id = 621 start_va = 0x3740000 end_va = 0x383ffff entry_point = 0x0 region_type = private name = "private_0x0000000003740000" filename = "" Region: id = 622 start_va = 0x7fe80000 end_va = 0x7fe82fff entry_point = 0x0 region_type = private name = "private_0x000000007fe80000" filename = "" Region: id = 623 start_va = 0x3840000 end_va = 0x387ffff entry_point = 0x0 region_type = private name = "private_0x0000000003840000" filename = "" Region: id = 624 start_va = 0x3880000 end_va = 0x397ffff entry_point = 0x0 region_type = private name = "private_0x0000000003880000" filename = "" Region: id = 625 start_va = 0x7fe7d000 end_va = 0x7fe7ffff entry_point = 0x0 region_type = private name = "private_0x000000007fe7d000" filename = "" Region: id = 626 start_va = 0x3980000 end_va = 0x39bffff entry_point = 0x0 region_type = private name = "private_0x0000000003980000" filename = "" Region: id = 627 start_va = 0x39c0000 end_va = 0x3abffff entry_point = 0x0 region_type = private name = "private_0x00000000039c0000" filename = "" Region: id = 628 start_va = 0x7fe7a000 end_va = 0x7fe7cfff entry_point = 0x0 region_type = private name = "private_0x000000007fe7a000" filename = "" Region: id = 629 start_va = 0x3ac0000 end_va = 0x3afffff entry_point = 0x0 region_type = private name = "private_0x0000000003ac0000" filename = "" Region: id = 630 start_va = 0x3b00000 end_va = 0x3bfffff entry_point = 0x0 region_type = private name = "private_0x0000000003b00000" filename = "" Region: id = 631 start_va = 0x7fe77000 end_va = 0x7fe79fff entry_point = 0x0 region_type = private name = "private_0x000000007fe77000" filename = "" Region: id = 632 start_va = 0x3c00000 end_va = 0x3c3ffff entry_point = 0x0 region_type = private name = "private_0x0000000003c00000" filename = "" Region: id = 633 start_va = 0x3c40000 end_va = 0x3d3ffff entry_point = 0x0 region_type = private name = "private_0x0000000003c40000" filename = "" Region: id = 634 start_va = 0x3d40000 end_va = 0x3f3ffff entry_point = 0x0 region_type = private name = "private_0x0000000003d40000" filename = "" Region: id = 635 start_va = 0x7fe74000 end_va = 0x7fe76fff entry_point = 0x0 region_type = private name = "private_0x000000007fe74000" filename = "" Region: id = 636 start_va = 0x3f40000 end_va = 0x3f7ffff entry_point = 0x0 region_type = private name = "private_0x0000000003f40000" filename = "" Region: id = 637 start_va = 0x3f80000 end_va = 0x407ffff entry_point = 0x0 region_type = private name = "private_0x0000000003f80000" filename = "" Region: id = 638 start_va = 0x7fe71000 end_va = 0x7fe73fff entry_point = 0x0 region_type = private name = "private_0x000000007fe71000" filename = "" Region: id = 639 start_va = 0x4080000 end_va = 0x40bffff entry_point = 0x0 region_type = private name = "private_0x0000000004080000" filename = "" Region: id = 640 start_va = 0x40c0000 end_va = 0x41bffff entry_point = 0x0 region_type = private name = "private_0x00000000040c0000" filename = "" Region: id = 641 start_va = 0x7fe6e000 end_va = 0x7fe70fff entry_point = 0x0 region_type = private name = "private_0x000000007fe6e000" filename = "" Region: id = 642 start_va = 0x41c0000 end_va = 0x41fffff entry_point = 0x0 region_type = private name = "private_0x00000000041c0000" filename = "" Region: id = 643 start_va = 0x4200000 end_va = 0x42fffff entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 644 start_va = 0x7fe6b000 end_va = 0x7fe6dfff entry_point = 0x0 region_type = private name = "private_0x000000007fe6b000" filename = "" Region: id = 645 start_va = 0x4300000 end_va = 0x433ffff entry_point = 0x0 region_type = private name = "private_0x0000000004300000" filename = "" Region: id = 646 start_va = 0x4340000 end_va = 0x443ffff entry_point = 0x0 region_type = private name = "private_0x0000000004340000" filename = "" Region: id = 647 start_va = 0x7fe68000 end_va = 0x7fe6afff entry_point = 0x0 region_type = private name = "private_0x000000007fe68000" filename = "" Region: id = 648 start_va = 0x4440000 end_va = 0x447ffff entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 649 start_va = 0x4480000 end_va = 0x457ffff entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 650 start_va = 0x7fe65000 end_va = 0x7fe67fff entry_point = 0x0 region_type = private name = "private_0x000000007fe65000" filename = "" Region: id = 651 start_va = 0x4580000 end_va = 0x45bffff entry_point = 0x0 region_type = private name = "private_0x0000000004580000" filename = "" Region: id = 652 start_va = 0x45c0000 end_va = 0x46bffff entry_point = 0x0 region_type = private name = "private_0x00000000045c0000" filename = "" Region: id = 653 start_va = 0x7fe62000 end_va = 0x7fe64fff entry_point = 0x0 region_type = private name = "private_0x000000007fe62000" filename = "" Region: id = 654 start_va = 0x22f0000 end_va = 0x22f0fff entry_point = 0x22f0000 region_type = mapped_file name = "desktop.ini" filename = "\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini") Region: id = 655 start_va = 0x46c0000 end_va = 0x46c1fff entry_point = 0x46c0000 region_type = mapped_file name = "bootsect.bak id-br3n0g72wub8cejt.lyas" filename = "\\BOOTSECT.BAK id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\bootsect.bak id-br3n0g72wub8cejt.lyas") Region: id = 656 start_va = 0x46d0000 end_va = 0x46d0fff entry_point = 0x46d0000 region_type = mapped_file name = "desktop.ini id-br3n0g72wub8cejt.lyas" filename = "\\$Recycle.Bin\\S-1-5-18\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini id-br3n0g72wub8cejt.lyas") Region: id = 657 start_va = 0x46d0000 end_va = 0x470ffff entry_point = 0x0 region_type = private name = "private_0x00000000046d0000" filename = "" Region: id = 658 start_va = 0x4710000 end_va = 0x480ffff entry_point = 0x0 region_type = private name = "private_0x0000000004710000" filename = "" Region: id = 659 start_va = 0x4810000 end_va = 0x484ffff entry_point = 0x0 region_type = private name = "private_0x0000000004810000" filename = "" Region: id = 660 start_va = 0x4850000 end_va = 0x494ffff entry_point = 0x0 region_type = private name = "private_0x0000000004850000" filename = "" Region: id = 661 start_va = 0x7fe5c000 end_va = 0x7fe5efff entry_point = 0x0 region_type = private name = "private_0x000000007fe5c000" filename = "" Region: id = 662 start_va = 0x7fe5f000 end_va = 0x7fe61fff entry_point = 0x0 region_type = private name = "private_0x000000007fe5f000" filename = "" Region: id = 663 start_va = 0x4950000 end_va = 0x498ffff entry_point = 0x0 region_type = private name = "private_0x0000000004950000" filename = "" Region: id = 664 start_va = 0x4990000 end_va = 0x4a8ffff entry_point = 0x0 region_type = private name = "private_0x0000000004990000" filename = "" Region: id = 665 start_va = 0x7fe59000 end_va = 0x7fe5bfff entry_point = 0x0 region_type = private name = "private_0x000000007fe59000" filename = "" Region: id = 666 start_va = 0x4a90000 end_va = 0x4acffff entry_point = 0x0 region_type = private name = "private_0x0000000004a90000" filename = "" Region: id = 667 start_va = 0x4ad0000 end_va = 0x4bcffff entry_point = 0x0 region_type = private name = "private_0x0000000004ad0000" filename = "" Region: id = 668 start_va = 0x7fe56000 end_va = 0x7fe58fff entry_point = 0x0 region_type = private name = "private_0x000000007fe56000" filename = "" Region: id = 669 start_va = 0x4bd0000 end_va = 0x4c0ffff entry_point = 0x0 region_type = private name = "private_0x0000000004bd0000" filename = "" Region: id = 670 start_va = 0x4c10000 end_va = 0x4d0ffff entry_point = 0x0 region_type = private name = "private_0x0000000004c10000" filename = "" Region: id = 671 start_va = 0x7fe53000 end_va = 0x7fe55fff entry_point = 0x0 region_type = private name = "private_0x000000007fe53000" filename = "" Region: id = 672 start_va = 0x4d10000 end_va = 0x4d4ffff entry_point = 0x0 region_type = private name = "private_0x0000000004d10000" filename = "" Region: id = 673 start_va = 0x4d50000 end_va = 0x4e4ffff entry_point = 0x0 region_type = private name = "private_0x0000000004d50000" filename = "" Region: id = 674 start_va = 0x7fe50000 end_va = 0x7fe52fff entry_point = 0x0 region_type = private name = "private_0x000000007fe50000" filename = "" Region: id = 675 start_va = 0x4e50000 end_va = 0x4e8ffff entry_point = 0x0 region_type = private name = "private_0x0000000004e50000" filename = "" Region: id = 676 start_va = 0x4e90000 end_va = 0x4f8ffff entry_point = 0x0 region_type = private name = "private_0x0000000004e90000" filename = "" Region: id = 677 start_va = 0x7fe4d000 end_va = 0x7fe4ffff entry_point = 0x0 region_type = private name = "private_0x000000007fe4d000" filename = "" Region: id = 678 start_va = 0x4f90000 end_va = 0x4fcffff entry_point = 0x0 region_type = private name = "private_0x0000000004f90000" filename = "" Region: id = 679 start_va = 0x4fd0000 end_va = 0x50cffff entry_point = 0x0 region_type = private name = "private_0x0000000004fd0000" filename = "" Region: id = 680 start_va = 0x7fe4a000 end_va = 0x7fe4cfff entry_point = 0x0 region_type = private name = "private_0x000000007fe4a000" filename = "" Region: id = 681 start_va = 0x50d0000 end_va = 0x510ffff entry_point = 0x0 region_type = private name = "private_0x00000000050d0000" filename = "" Region: id = 682 start_va = 0x5110000 end_va = 0x520ffff entry_point = 0x0 region_type = private name = "private_0x0000000005110000" filename = "" Region: id = 683 start_va = 0x7fe47000 end_va = 0x7fe49fff entry_point = 0x0 region_type = private name = "private_0x000000007fe47000" filename = "" Region: id = 684 start_va = 0x5210000 end_va = 0x524ffff entry_point = 0x0 region_type = private name = "private_0x0000000005210000" filename = "" Region: id = 685 start_va = 0x5250000 end_va = 0x534ffff entry_point = 0x0 region_type = private name = "private_0x0000000005250000" filename = "" Region: id = 686 start_va = 0x7fe44000 end_va = 0x7fe46fff entry_point = 0x0 region_type = private name = "private_0x000000007fe44000" filename = "" Region: id = 687 start_va = 0x5350000 end_va = 0x538ffff entry_point = 0x0 region_type = private name = "private_0x0000000005350000" filename = "" Region: id = 688 start_va = 0x5390000 end_va = 0x548ffff entry_point = 0x0 region_type = private name = "private_0x0000000005390000" filename = "" Region: id = 689 start_va = 0x7fe41000 end_va = 0x7fe43fff entry_point = 0x0 region_type = private name = "private_0x000000007fe41000" filename = "" Region: id = 690 start_va = 0x5490000 end_va = 0x54cffff entry_point = 0x0 region_type = private name = "private_0x0000000005490000" filename = "" Region: id = 691 start_va = 0x54d0000 end_va = 0x55cffff entry_point = 0x0 region_type = private name = "private_0x00000000054d0000" filename = "" Region: id = 692 start_va = 0x7fe3e000 end_va = 0x7fe40fff entry_point = 0x0 region_type = private name = "private_0x000000007fe3e000" filename = "" Region: id = 693 start_va = 0x55d0000 end_va = 0x560ffff entry_point = 0x0 region_type = private name = "private_0x00000000055d0000" filename = "" Region: id = 694 start_va = 0x5610000 end_va = 0x570ffff entry_point = 0x0 region_type = private name = "private_0x0000000005610000" filename = "" Region: id = 695 start_va = 0x7fe3b000 end_va = 0x7fe3dfff entry_point = 0x0 region_type = private name = "private_0x000000007fe3b000" filename = "" Region: id = 696 start_va = 0x5710000 end_va = 0x574ffff entry_point = 0x0 region_type = private name = "private_0x0000000005710000" filename = "" Region: id = 697 start_va = 0x5750000 end_va = 0x584ffff entry_point = 0x0 region_type = private name = "private_0x0000000005750000" filename = "" Region: id = 698 start_va = 0x7fe38000 end_va = 0x7fe3afff entry_point = 0x0 region_type = private name = "private_0x000000007fe38000" filename = "" Region: id = 699 start_va = 0x5850000 end_va = 0x588ffff entry_point = 0x0 region_type = private name = "private_0x0000000005850000" filename = "" Region: id = 700 start_va = 0x5890000 end_va = 0x598ffff entry_point = 0x0 region_type = private name = "private_0x0000000005890000" filename = "" Region: id = 701 start_va = 0x5990000 end_va = 0x5d8ffff entry_point = 0x0 region_type = private name = "private_0x0000000005990000" filename = "" Region: id = 702 start_va = 0x7fe35000 end_va = 0x7fe37fff entry_point = 0x0 region_type = private name = "private_0x000000007fe35000" filename = "" Region: id = 703 start_va = 0x5d90000 end_va = 0x5dcffff entry_point = 0x0 region_type = private name = "private_0x0000000005d90000" filename = "" Region: id = 704 start_va = 0x5dd0000 end_va = 0x5ecffff entry_point = 0x0 region_type = private name = "private_0x0000000005dd0000" filename = "" Region: id = 705 start_va = 0x7fe32000 end_va = 0x7fe34fff entry_point = 0x0 region_type = private name = "private_0x000000007fe32000" filename = "" Region: id = 706 start_va = 0x5ed0000 end_va = 0x5f0ffff entry_point = 0x0 region_type = private name = "private_0x0000000005ed0000" filename = "" Region: id = 707 start_va = 0x5f10000 end_va = 0x600ffff entry_point = 0x0 region_type = private name = "private_0x0000000005f10000" filename = "" Region: id = 708 start_va = 0x7fe2f000 end_va = 0x7fe31fff entry_point = 0x0 region_type = private name = "private_0x000000007fe2f000" filename = "" Region: id = 709 start_va = 0x6010000 end_va = 0x604ffff entry_point = 0x0 region_type = private name = "private_0x0000000006010000" filename = "" Region: id = 710 start_va = 0x6050000 end_va = 0x614ffff entry_point = 0x0 region_type = private name = "private_0x0000000006050000" filename = "" Region: id = 711 start_va = 0x7fe2c000 end_va = 0x7fe2efff entry_point = 0x0 region_type = private name = "private_0x000000007fe2c000" filename = "" Region: id = 712 start_va = 0x6150000 end_va = 0x618ffff entry_point = 0x0 region_type = private name = "private_0x0000000006150000" filename = "" Region: id = 713 start_va = 0x6190000 end_va = 0x628ffff entry_point = 0x0 region_type = private name = "private_0x0000000006190000" filename = "" Region: id = 714 start_va = 0x7fe29000 end_va = 0x7fe2bfff entry_point = 0x0 region_type = private name = "private_0x000000007fe29000" filename = "" Region: id = 715 start_va = 0x6290000 end_va = 0x62cffff entry_point = 0x0 region_type = private name = "private_0x0000000006290000" filename = "" Region: id = 716 start_va = 0x62d0000 end_va = 0x63cffff entry_point = 0x0 region_type = private name = "private_0x00000000062d0000" filename = "" Region: id = 717 start_va = 0x7fe26000 end_va = 0x7fe28fff entry_point = 0x0 region_type = private name = "private_0x000000007fe26000" filename = "" Region: id = 718 start_va = 0x63d0000 end_va = 0x640ffff entry_point = 0x0 region_type = private name = "private_0x00000000063d0000" filename = "" Region: id = 719 start_va = 0x6410000 end_va = 0x650ffff entry_point = 0x0 region_type = private name = "private_0x0000000006410000" filename = "" Region: id = 720 start_va = 0x7fe23000 end_va = 0x7fe25fff entry_point = 0x0 region_type = private name = "private_0x000000007fe23000" filename = "" Region: id = 721 start_va = 0x6510000 end_va = 0x654ffff entry_point = 0x0 region_type = private name = "private_0x0000000006510000" filename = "" Region: id = 722 start_va = 0x6550000 end_va = 0x664ffff entry_point = 0x0 region_type = private name = "private_0x0000000006550000" filename = "" Region: id = 723 start_va = 0x7fe20000 end_va = 0x7fe22fff entry_point = 0x0 region_type = private name = "private_0x000000007fe20000" filename = "" Region: id = 724 start_va = 0x6650000 end_va = 0x668ffff entry_point = 0x0 region_type = private name = "private_0x0000000006650000" filename = "" Region: id = 725 start_va = 0x6690000 end_va = 0x678ffff entry_point = 0x0 region_type = private name = "private_0x0000000006690000" filename = "" Region: id = 726 start_va = 0x7fe1d000 end_va = 0x7fe1ffff entry_point = 0x0 region_type = private name = "private_0x000000007fe1d000" filename = "" Region: id = 727 start_va = 0x6790000 end_va = 0x67cffff entry_point = 0x0 region_type = private name = "private_0x0000000006790000" filename = "" Region: id = 728 start_va = 0x67d0000 end_va = 0x68cffff entry_point = 0x0 region_type = private name = "private_0x00000000067d0000" filename = "" Region: id = 729 start_va = 0x7fe1a000 end_va = 0x7fe1cfff entry_point = 0x0 region_type = private name = "private_0x000000007fe1a000" filename = "" Region: id = 730 start_va = 0x68d0000 end_va = 0x690ffff entry_point = 0x0 region_type = private name = "private_0x00000000068d0000" filename = "" Region: id = 731 start_va = 0x6910000 end_va = 0x6a0ffff entry_point = 0x0 region_type = private name = "private_0x0000000006910000" filename = "" Region: id = 732 start_va = 0x7fe17000 end_va = 0x7fe19fff entry_point = 0x0 region_type = private name = "private_0x000000007fe17000" filename = "" Region: id = 733 start_va = 0x6a10000 end_va = 0x6a4ffff entry_point = 0x0 region_type = private name = "private_0x0000000006a10000" filename = "" Region: id = 734 start_va = 0x6a50000 end_va = 0x6b4ffff entry_point = 0x0 region_type = private name = "private_0x0000000006a50000" filename = "" Region: id = 735 start_va = 0x7fe14000 end_va = 0x7fe16fff entry_point = 0x0 region_type = private name = "private_0x000000007fe14000" filename = "" Region: id = 736 start_va = 0x6b50000 end_va = 0x6b8ffff entry_point = 0x0 region_type = private name = "private_0x0000000006b50000" filename = "" Region: id = 737 start_va = 0x6b90000 end_va = 0x6c8ffff entry_point = 0x0 region_type = private name = "private_0x0000000006b90000" filename = "" Region: id = 738 start_va = 0x7fe11000 end_va = 0x7fe13fff entry_point = 0x0 region_type = private name = "private_0x000000007fe11000" filename = "" Region: id = 739 start_va = 0x6c90000 end_va = 0x6ccffff entry_point = 0x0 region_type = private name = "private_0x0000000006c90000" filename = "" Region: id = 740 start_va = 0x6cd0000 end_va = 0x6dcffff entry_point = 0x0 region_type = private name = "private_0x0000000006cd0000" filename = "" Region: id = 741 start_va = 0x7fe0e000 end_va = 0x7fe10fff entry_point = 0x0 region_type = private name = "private_0x000000007fe0e000" filename = "" Region: id = 742 start_va = 0x6dd0000 end_va = 0x6e0ffff entry_point = 0x0 region_type = private name = "private_0x0000000006dd0000" filename = "" Region: id = 743 start_va = 0x6e10000 end_va = 0x6f0ffff entry_point = 0x0 region_type = private name = "private_0x0000000006e10000" filename = "" Region: id = 744 start_va = 0x7fe0b000 end_va = 0x7fe0dfff entry_point = 0x0 region_type = private name = "private_0x000000007fe0b000" filename = "" Region: id = 745 start_va = 0x6f10000 end_va = 0x6f4ffff entry_point = 0x0 region_type = private name = "private_0x0000000006f10000" filename = "" Region: id = 746 start_va = 0x6f50000 end_va = 0x704ffff entry_point = 0x0 region_type = private name = "private_0x0000000006f50000" filename = "" Region: id = 747 start_va = 0x7fe08000 end_va = 0x7fe0afff entry_point = 0x0 region_type = private name = "private_0x000000007fe08000" filename = "" Region: id = 748 start_va = 0x74620000 end_va = 0x74628fff entry_point = 0x74620000 region_type = mapped_file name = "drprov.dll" filename = "\\Windows\\SysWOW64\\drprov.dll" (normalized: "c:\\windows\\syswow64\\drprov.dll") Region: id = 749 start_va = 0x22f0000 end_va = 0x22fffff entry_point = 0x0 region_type = private name = "private_0x00000000022f0000" filename = "" Region: id = 750 start_va = 0x7050000 end_va = 0x708ffff entry_point = 0x0 region_type = private name = "private_0x0000000007050000" filename = "" Region: id = 751 start_va = 0x7090000 end_va = 0x718ffff entry_point = 0x0 region_type = private name = "private_0x0000000007090000" filename = "" Region: id = 752 start_va = 0x7190000 end_va = 0x71cffff entry_point = 0x0 region_type = private name = "private_0x0000000007190000" filename = "" Region: id = 753 start_va = 0x71d0000 end_va = 0x72cffff entry_point = 0x0 region_type = private name = "private_0x00000000071d0000" filename = "" Region: id = 754 start_va = 0x7fe02000 end_va = 0x7fe04fff entry_point = 0x0 region_type = private name = "private_0x000000007fe02000" filename = "" Region: id = 755 start_va = 0x7fe05000 end_va = 0x7fe07fff entry_point = 0x0 region_type = private name = "private_0x000000007fe05000" filename = "" Region: id = 756 start_va = 0x46c0000 end_va = 0x46c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000046c0000" filename = "" Region: id = 757 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 758 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 759 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 760 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 761 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 762 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 763 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 764 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 765 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 766 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 767 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 768 start_va = 0x72d0000 end_va = 0x730ffff entry_point = 0x0 region_type = private name = "private_0x00000000072d0000" filename = "" Region: id = 769 start_va = 0x7310000 end_va = 0x740ffff entry_point = 0x0 region_type = private name = "private_0x0000000007310000" filename = "" Region: id = 770 start_va = 0x7fdff000 end_va = 0x7fe01fff entry_point = 0x0 region_type = private name = "private_0x000000007fdff000" filename = "" Region: id = 771 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 772 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 773 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 774 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 775 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 776 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 777 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 778 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 779 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 780 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 781 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 782 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 783 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 784 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 785 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 786 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 787 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 788 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 789 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 790 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 791 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 792 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 796 start_va = 0x743b0000 end_va = 0x743f3fff entry_point = 0x743b0000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 797 start_va = 0x22f0000 end_va = 0x22fffff entry_point = 0x0 region_type = private name = "private_0x00000000022f0000" filename = "" Region: id = 798 start_va = 0x46c0000 end_va = 0x46c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000046c0000" filename = "" Region: id = 799 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 800 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 801 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 802 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 803 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 804 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 805 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 806 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 807 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 808 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 809 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 810 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 811 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 812 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 813 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 814 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 815 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 816 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 817 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 818 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 819 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 820 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 821 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 822 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 823 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 824 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 825 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 847 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 848 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 849 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 850 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 851 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 852 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 869 start_va = 0x22f0000 end_va = 0x22fffff entry_point = 0x0 region_type = private name = "private_0x00000000022f0000" filename = "" Region: id = 870 start_va = 0x46c0000 end_va = 0x46c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000046c0000" filename = "" Region: id = 871 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 872 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 873 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 874 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 875 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 876 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 877 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 878 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 879 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 880 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 881 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 882 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 883 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 884 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 885 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 886 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 887 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 888 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 889 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 890 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 892 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 893 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 894 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 895 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 896 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 897 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 898 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 899 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 900 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 901 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 902 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 903 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 904 start_va = 0x22f0000 end_va = 0x22f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 905 start_va = 0x22f0000 end_va = 0x22f3fff entry_point = 0x0 region_type = private name = "private_0x00000000022f0000" filename = "" Region: id = 906 start_va = 0x2d00000 end_va = 0x2d3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 907 start_va = 0x2e80000 end_va = 0x2f7ffff entry_point = 0x0 region_type = private name = "private_0x0000000002e80000" filename = "" Region: id = 908 start_va = 0x2f80000 end_va = 0x2f80fff entry_point = 0x2f80000 region_type = mapped_file name = "desktop.ini" filename = "\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini") Region: id = 909 start_va = 0x7fe98000 end_va = 0x7fe9afff entry_point = 0x0 region_type = private name = "private_0x000000007fe98000" filename = "" Region: id = 910 start_va = 0x2f80000 end_va = 0x2fbffff entry_point = 0x0 region_type = private name = "private_0x0000000002f80000" filename = "" Region: id = 911 start_va = 0x2fc0000 end_va = 0x30bffff entry_point = 0x0 region_type = private name = "private_0x0000000002fc0000" filename = "" Region: id = 912 start_va = 0x7fe92000 end_va = 0x7fe94fff entry_point = 0x0 region_type = private name = "private_0x000000007fe92000" filename = "" Region: id = 913 start_va = 0x30c0000 end_va = 0x30fffff entry_point = 0x0 region_type = private name = "private_0x00000000030c0000" filename = "" Region: id = 914 start_va = 0x3100000 end_va = 0x31fffff entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 915 start_va = 0x3200000 end_va = 0x323ffff entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 916 start_va = 0x3240000 end_va = 0x333ffff entry_point = 0x0 region_type = private name = "private_0x0000000003240000" filename = "" Region: id = 917 start_va = 0x3340000 end_va = 0x337ffff entry_point = 0x0 region_type = private name = "private_0x0000000003340000" filename = "" Region: id = 918 start_va = 0x3380000 end_va = 0x347ffff entry_point = 0x0 region_type = private name = "private_0x0000000003380000" filename = "" Region: id = 919 start_va = 0x7fe89000 end_va = 0x7fe8bfff entry_point = 0x0 region_type = private name = "private_0x000000007fe89000" filename = "" Region: id = 920 start_va = 0x7fe8c000 end_va = 0x7fe8efff entry_point = 0x0 region_type = private name = "private_0x000000007fe8c000" filename = "" Region: id = 921 start_va = 0x7fe8f000 end_va = 0x7fe91fff entry_point = 0x0 region_type = private name = "private_0x000000007fe8f000" filename = "" Region: id = 922 start_va = 0x3480000 end_va = 0x34bffff entry_point = 0x0 region_type = private name = "private_0x0000000003480000" filename = "" Region: id = 923 start_va = 0x34c0000 end_va = 0x35bffff entry_point = 0x0 region_type = private name = "private_0x00000000034c0000" filename = "" Region: id = 924 start_va = 0x35c0000 end_va = 0x35fffff entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 925 start_va = 0x3600000 end_va = 0x36fffff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 926 start_va = 0x3700000 end_va = 0x373ffff entry_point = 0x0 region_type = private name = "private_0x0000000003700000" filename = "" Region: id = 927 start_va = 0x3740000 end_va = 0x383ffff entry_point = 0x0 region_type = private name = "private_0x0000000003740000" filename = "" Region: id = 928 start_va = 0x7fe80000 end_va = 0x7fe82fff entry_point = 0x0 region_type = private name = "private_0x000000007fe80000" filename = "" Region: id = 929 start_va = 0x7fe83000 end_va = 0x7fe85fff entry_point = 0x0 region_type = private name = "private_0x000000007fe83000" filename = "" Region: id = 930 start_va = 0x7fe86000 end_va = 0x7fe88fff entry_point = 0x0 region_type = private name = "private_0x000000007fe86000" filename = "" Region: id = 931 start_va = 0x3840000 end_va = 0x387ffff entry_point = 0x0 region_type = private name = "private_0x0000000003840000" filename = "" Region: id = 932 start_va = 0x3880000 end_va = 0x397ffff entry_point = 0x0 region_type = private name = "private_0x0000000003880000" filename = "" Region: id = 933 start_va = 0x3980000 end_va = 0x39bffff entry_point = 0x0 region_type = private name = "private_0x0000000003980000" filename = "" Region: id = 934 start_va = 0x39c0000 end_va = 0x3abffff entry_point = 0x0 region_type = private name = "private_0x00000000039c0000" filename = "" Region: id = 935 start_va = 0x3ac0000 end_va = 0x3afffff entry_point = 0x0 region_type = private name = "private_0x0000000003ac0000" filename = "" Region: id = 936 start_va = 0x3b00000 end_va = 0x3bfffff entry_point = 0x0 region_type = private name = "private_0x0000000003b00000" filename = "" Region: id = 937 start_va = 0x7fe77000 end_va = 0x7fe79fff entry_point = 0x0 region_type = private name = "private_0x000000007fe77000" filename = "" Region: id = 938 start_va = 0x7fe7a000 end_va = 0x7fe7cfff entry_point = 0x0 region_type = private name = "private_0x000000007fe7a000" filename = "" Region: id = 939 start_va = 0x7fe7d000 end_va = 0x7fe7ffff entry_point = 0x0 region_type = private name = "private_0x000000007fe7d000" filename = "" Region: id = 940 start_va = 0x3c00000 end_va = 0x3c3ffff entry_point = 0x0 region_type = private name = "private_0x0000000003c00000" filename = "" Region: id = 941 start_va = 0x3c40000 end_va = 0x3d3ffff entry_point = 0x0 region_type = private name = "private_0x0000000003c40000" filename = "" Region: id = 942 start_va = 0x7fe74000 end_va = 0x7fe76fff entry_point = 0x0 region_type = private name = "private_0x000000007fe74000" filename = "" Region: id = 943 start_va = 0x3f40000 end_va = 0x3f7ffff entry_point = 0x0 region_type = private name = "private_0x0000000003f40000" filename = "" Region: id = 944 start_va = 0x3f80000 end_va = 0x407ffff entry_point = 0x0 region_type = private name = "private_0x0000000003f80000" filename = "" Region: id = 945 start_va = 0x7fe71000 end_va = 0x7fe73fff entry_point = 0x0 region_type = private name = "private_0x000000007fe71000" filename = "" Region: id = 946 start_va = 0x41c0000 end_va = 0x41fffff entry_point = 0x0 region_type = private name = "private_0x00000000041c0000" filename = "" Region: id = 947 start_va = 0x4200000 end_va = 0x42fffff entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 948 start_va = 0x7fe6b000 end_va = 0x7fe6dfff entry_point = 0x0 region_type = private name = "private_0x000000007fe6b000" filename = "" Region: id = 949 start_va = 0x4300000 end_va = 0x433ffff entry_point = 0x0 region_type = private name = "private_0x0000000004300000" filename = "" Region: id = 950 start_va = 0x4340000 end_va = 0x443ffff entry_point = 0x0 region_type = private name = "private_0x0000000004340000" filename = "" Region: id = 951 start_va = 0x7fe68000 end_va = 0x7fe6afff entry_point = 0x0 region_type = private name = "private_0x000000007fe68000" filename = "" Region: id = 952 start_va = 0x4440000 end_va = 0x447ffff entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 953 start_va = 0x4480000 end_va = 0x457ffff entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 954 start_va = 0x7fe65000 end_va = 0x7fe67fff entry_point = 0x0 region_type = private name = "private_0x000000007fe65000" filename = "" Region: id = 955 start_va = 0x4580000 end_va = 0x45bffff entry_point = 0x0 region_type = private name = "private_0x0000000004580000" filename = "" Region: id = 956 start_va = 0x45c0000 end_va = 0x46bffff entry_point = 0x0 region_type = private name = "private_0x00000000045c0000" filename = "" Region: id = 957 start_va = 0x7fe62000 end_va = 0x7fe64fff entry_point = 0x0 region_type = private name = "private_0x000000007fe62000" filename = "" Region: id = 958 start_va = 0x46c0000 end_va = 0x46fffff entry_point = 0x0 region_type = private name = "private_0x00000000046c0000" filename = "" Region: id = 959 start_va = 0x4700000 end_va = 0x47fffff entry_point = 0x0 region_type = private name = "private_0x0000000004700000" filename = "" Region: id = 960 start_va = 0x4800000 end_va = 0x483ffff entry_point = 0x0 region_type = private name = "private_0x0000000004800000" filename = "" Region: id = 961 start_va = 0x4840000 end_va = 0x493ffff entry_point = 0x0 region_type = private name = "private_0x0000000004840000" filename = "" Region: id = 962 start_va = 0x7fe5c000 end_va = 0x7fe5efff entry_point = 0x0 region_type = private name = "private_0x000000007fe5c000" filename = "" Region: id = 963 start_va = 0x7fe5f000 end_va = 0x7fe61fff entry_point = 0x0 region_type = private name = "private_0x000000007fe5f000" filename = "" Region: id = 964 start_va = 0x2ac0000 end_va = 0x2afffff entry_point = 0x0 region_type = private name = "private_0x0000000002ac0000" filename = "" Region: id = 965 start_va = 0x2b00000 end_va = 0x2bfffff entry_point = 0x0 region_type = private name = "private_0x0000000002b00000" filename = "" Region: id = 966 start_va = 0x7fe9b000 end_va = 0x7fe9dfff entry_point = 0x0 region_type = private name = "private_0x000000007fe9b000" filename = "" Region: id = 967 start_va = 0x2d40000 end_va = 0x2d7ffff entry_point = 0x0 region_type = private name = "private_0x0000000002d40000" filename = "" Region: id = 968 start_va = 0x2d80000 end_va = 0x2e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000002d80000" filename = "" Region: id = 969 start_va = 0x4940000 end_va = 0x497ffff entry_point = 0x0 region_type = private name = "private_0x0000000004940000" filename = "" Region: id = 970 start_va = 0x4980000 end_va = 0x4a7ffff entry_point = 0x0 region_type = private name = "private_0x0000000004980000" filename = "" Region: id = 971 start_va = 0x7fe59000 end_va = 0x7fe5bfff entry_point = 0x0 region_type = private name = "private_0x000000007fe59000" filename = "" Region: id = 972 start_va = 0x7fe95000 end_va = 0x7fe97fff entry_point = 0x0 region_type = private name = "private_0x000000007fe95000" filename = "" Region: id = 973 start_va = 0x4a80000 end_va = 0x4abffff entry_point = 0x0 region_type = private name = "private_0x0000000004a80000" filename = "" Region: id = 974 start_va = 0x4ac0000 end_va = 0x4bbffff entry_point = 0x0 region_type = private name = "private_0x0000000004ac0000" filename = "" Region: id = 975 start_va = 0x4bc0000 end_va = 0x4bfffff entry_point = 0x0 region_type = private name = "private_0x0000000004bc0000" filename = "" Region: id = 976 start_va = 0x4c00000 end_va = 0x4cfffff entry_point = 0x0 region_type = private name = "private_0x0000000004c00000" filename = "" Region: id = 977 start_va = 0x4d00000 end_va = 0x4d3ffff entry_point = 0x0 region_type = private name = "private_0x0000000004d00000" filename = "" Region: id = 978 start_va = 0x4d40000 end_va = 0x4e3ffff entry_point = 0x0 region_type = private name = "private_0x0000000004d40000" filename = "" Region: id = 979 start_va = 0x7fe50000 end_va = 0x7fe52fff entry_point = 0x0 region_type = private name = "private_0x000000007fe50000" filename = "" Region: id = 980 start_va = 0x7fe53000 end_va = 0x7fe55fff entry_point = 0x0 region_type = private name = "private_0x000000007fe53000" filename = "" Region: id = 981 start_va = 0x7fe56000 end_va = 0x7fe58fff entry_point = 0x0 region_type = private name = "private_0x000000007fe56000" filename = "" Region: id = 982 start_va = 0x5490000 end_va = 0x54cffff entry_point = 0x0 region_type = private name = "private_0x0000000005490000" filename = "" Region: id = 983 start_va = 0x54d0000 end_va = 0x55cffff entry_point = 0x0 region_type = private name = "private_0x00000000054d0000" filename = "" Region: id = 984 start_va = 0x55d0000 end_va = 0x560ffff entry_point = 0x0 region_type = private name = "private_0x00000000055d0000" filename = "" Region: id = 985 start_va = 0x5610000 end_va = 0x570ffff entry_point = 0x0 region_type = private name = "private_0x0000000005610000" filename = "" Region: id = 986 start_va = 0x7fe3b000 end_va = 0x7fe3dfff entry_point = 0x0 region_type = private name = "private_0x000000007fe3b000" filename = "" Region: id = 987 start_va = 0x7fe3e000 end_va = 0x7fe40fff entry_point = 0x0 region_type = private name = "private_0x000000007fe3e000" filename = "" Region: id = 988 start_va = 0x5850000 end_va = 0x588ffff entry_point = 0x0 region_type = private name = "private_0x0000000005850000" filename = "" Region: id = 989 start_va = 0x5890000 end_va = 0x598ffff entry_point = 0x0 region_type = private name = "private_0x0000000005890000" filename = "" Region: id = 990 start_va = 0x7fe35000 end_va = 0x7fe37fff entry_point = 0x0 region_type = private name = "private_0x000000007fe35000" filename = "" Region: id = 991 start_va = 0x5d90000 end_va = 0x5dcffff entry_point = 0x0 region_type = private name = "private_0x0000000005d90000" filename = "" Region: id = 992 start_va = 0x5dd0000 end_va = 0x5ecffff entry_point = 0x0 region_type = private name = "private_0x0000000005dd0000" filename = "" Region: id = 993 start_va = 0x7fe32000 end_va = 0x7fe34fff entry_point = 0x0 region_type = private name = "private_0x000000007fe32000" filename = "" Region: id = 994 start_va = 0x5ed0000 end_va = 0x5f0ffff entry_point = 0x0 region_type = private name = "private_0x0000000005ed0000" filename = "" Region: id = 995 start_va = 0x5f10000 end_va = 0x600ffff entry_point = 0x0 region_type = private name = "private_0x0000000005f10000" filename = "" Region: id = 996 start_va = 0x7fe2f000 end_va = 0x7fe31fff entry_point = 0x0 region_type = private name = "private_0x000000007fe2f000" filename = "" Region: id = 997 start_va = 0x6010000 end_va = 0x604ffff entry_point = 0x0 region_type = private name = "private_0x0000000006010000" filename = "" Region: id = 998 start_va = 0x6050000 end_va = 0x614ffff entry_point = 0x0 region_type = private name = "private_0x0000000006050000" filename = "" Region: id = 999 start_va = 0x7fe2c000 end_va = 0x7fe2efff entry_point = 0x0 region_type = private name = "private_0x000000007fe2c000" filename = "" Region: id = 1000 start_va = 0x6510000 end_va = 0x654ffff entry_point = 0x0 region_type = private name = "private_0x0000000006510000" filename = "" Region: id = 1001 start_va = 0x6550000 end_va = 0x664ffff entry_point = 0x0 region_type = private name = "private_0x0000000006550000" filename = "" Region: id = 1002 start_va = 0x7fe20000 end_va = 0x7fe22fff entry_point = 0x0 region_type = private name = "private_0x000000007fe20000" filename = "" Region: id = 1003 start_va = 0x4e40000 end_va = 0x4e40fff entry_point = 0x4e40000 region_type = mapped_file name = "desktop.ini" filename = "\\Program Files (x86)\\desktop.ini" (normalized: "c:\\program files (x86)\\desktop.ini") Region: id = 1004 start_va = 0x6650000 end_va = 0x6650fff entry_point = 0x6650000 region_type = mapped_file name = "desktop.ini" filename = "\\Users\\desktop.ini" (normalized: "c:\\users\\desktop.ini") Region: id = 1005 start_va = 0x4e50000 end_va = 0x4e8ffff entry_point = 0x0 region_type = private name = "private_0x0000000004e50000" filename = "" Region: id = 1006 start_va = 0x4e90000 end_va = 0x4f8ffff entry_point = 0x0 region_type = private name = "private_0x0000000004e90000" filename = "" Region: id = 1007 start_va = 0x7fe4d000 end_va = 0x7fe4ffff entry_point = 0x0 region_type = private name = "private_0x000000007fe4d000" filename = "" Region: id = 1008 start_va = 0x4f90000 end_va = 0x4fcffff entry_point = 0x0 region_type = private name = "private_0x0000000004f90000" filename = "" Region: id = 1009 start_va = 0x4fd0000 end_va = 0x50cffff entry_point = 0x0 region_type = private name = "private_0x0000000004fd0000" filename = "" Region: id = 1010 start_va = 0x7fe4a000 end_va = 0x7fe4cfff entry_point = 0x0 region_type = private name = "private_0x000000007fe4a000" filename = "" Region: id = 1011 start_va = 0x50d0000 end_va = 0x510ffff entry_point = 0x0 region_type = private name = "private_0x00000000050d0000" filename = "" Region: id = 1012 start_va = 0x5110000 end_va = 0x520ffff entry_point = 0x0 region_type = private name = "private_0x0000000005110000" filename = "" Region: id = 1013 start_va = 0x5210000 end_va = 0x524ffff entry_point = 0x0 region_type = private name = "private_0x0000000005210000" filename = "" Region: id = 1014 start_va = 0x5250000 end_va = 0x534ffff entry_point = 0x0 region_type = private name = "private_0x0000000005250000" filename = "" Region: id = 1015 start_va = 0x7fe44000 end_va = 0x7fe46fff entry_point = 0x0 region_type = private name = "private_0x000000007fe44000" filename = "" Region: id = 1016 start_va = 0x7fe47000 end_va = 0x7fe49fff entry_point = 0x0 region_type = private name = "private_0x000000007fe47000" filename = "" Region: id = 1017 start_va = 0x5350000 end_va = 0x538ffff entry_point = 0x0 region_type = private name = "private_0x0000000005350000" filename = "" Region: id = 1018 start_va = 0x5390000 end_va = 0x548ffff entry_point = 0x0 region_type = private name = "private_0x0000000005390000" filename = "" Region: id = 1019 start_va = 0x7fe41000 end_va = 0x7fe43fff entry_point = 0x0 region_type = private name = "private_0x000000007fe41000" filename = "" Region: id = 1020 start_va = 0x5710000 end_va = 0x574ffff entry_point = 0x0 region_type = private name = "private_0x0000000005710000" filename = "" Region: id = 1021 start_va = 0x5750000 end_va = 0x584ffff entry_point = 0x0 region_type = private name = "private_0x0000000005750000" filename = "" Region: id = 1022 start_va = 0x63d0000 end_va = 0x640ffff entry_point = 0x0 region_type = private name = "private_0x00000000063d0000" filename = "" Region: id = 1023 start_va = 0x6410000 end_va = 0x650ffff entry_point = 0x0 region_type = private name = "private_0x0000000006410000" filename = "" Region: id = 1024 start_va = 0x6650000 end_va = 0x668ffff entry_point = 0x0 region_type = private name = "private_0x0000000006650000" filename = "" Region: id = 1025 start_va = 0x6690000 end_va = 0x678ffff entry_point = 0x0 region_type = private name = "private_0x0000000006690000" filename = "" Region: id = 1026 start_va = 0x7fe1d000 end_va = 0x7fe1ffff entry_point = 0x0 region_type = private name = "private_0x000000007fe1d000" filename = "" Region: id = 1027 start_va = 0x7fe23000 end_va = 0x7fe25fff entry_point = 0x0 region_type = private name = "private_0x000000007fe23000" filename = "" Region: id = 1028 start_va = 0x7fe38000 end_va = 0x7fe3afff entry_point = 0x0 region_type = private name = "private_0x000000007fe38000" filename = "" Region: id = 1029 start_va = 0x6790000 end_va = 0x67cffff entry_point = 0x0 region_type = private name = "private_0x0000000006790000" filename = "" Region: id = 1030 start_va = 0x67d0000 end_va = 0x68cffff entry_point = 0x0 region_type = private name = "private_0x00000000067d0000" filename = "" Region: id = 1031 start_va = 0x7fe1a000 end_va = 0x7fe1cfff entry_point = 0x0 region_type = private name = "private_0x000000007fe1a000" filename = "" Region: id = 1032 start_va = 0x68d0000 end_va = 0x690ffff entry_point = 0x0 region_type = private name = "private_0x00000000068d0000" filename = "" Region: id = 1033 start_va = 0x6910000 end_va = 0x6a0ffff entry_point = 0x0 region_type = private name = "private_0x0000000006910000" filename = "" Region: id = 1034 start_va = 0x6a10000 end_va = 0x6a1ffff entry_point = 0x0 region_type = private name = "private_0x0000000006a10000" filename = "" Region: id = 1035 start_va = 0x7fe17000 end_va = 0x7fe19fff entry_point = 0x0 region_type = private name = "private_0x000000007fe17000" filename = "" Region: id = 1036 start_va = 0x6a20000 end_va = 0x6a24fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a20000" filename = "" Region: id = 1037 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1038 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1039 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1040 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1041 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1042 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1043 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1044 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1045 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1046 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1047 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1048 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1049 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1050 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1051 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1052 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1053 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1054 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1055 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1056 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1057 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1058 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1059 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1060 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1061 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1062 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1063 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1064 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1065 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1080 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1081 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1082 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1083 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1084 start_va = 0x6a10000 end_va = 0x6a14fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a10000" filename = "" Region: id = 1085 start_va = 0x74390000 end_va = 0x743a1fff entry_point = 0x74390000 region_type = mapped_file name = "ntlanman.dll" filename = "\\Windows\\SysWOW64\\ntlanman.dll" (normalized: "c:\\windows\\syswow64\\ntlanman.dll") Region: id = 1091 start_va = 0x6a10000 end_va = 0x6a4ffff entry_point = 0x0 region_type = private name = "private_0x0000000006a10000" filename = "" Region: id = 1092 start_va = 0x6a50000 end_va = 0x6b4ffff entry_point = 0x0 region_type = private name = "private_0x0000000006a50000" filename = "" Region: id = 1093 start_va = 0x7fe14000 end_va = 0x7fe16fff entry_point = 0x0 region_type = private name = "private_0x000000007fe14000" filename = "" Region: id = 1094 start_va = 0x6b50000 end_va = 0x6b8ffff entry_point = 0x0 region_type = private name = "private_0x0000000006b50000" filename = "" Region: id = 1095 start_va = 0x6b90000 end_va = 0x6c8ffff entry_point = 0x0 region_type = private name = "private_0x0000000006b90000" filename = "" Region: id = 1096 start_va = 0x7fe11000 end_va = 0x7fe13fff entry_point = 0x0 region_type = private name = "private_0x000000007fe11000" filename = "" Region: id = 1097 start_va = 0x6c90000 end_va = 0x6ccffff entry_point = 0x0 region_type = private name = "private_0x0000000006c90000" filename = "" Region: id = 1098 start_va = 0x6cd0000 end_va = 0x6dcffff entry_point = 0x0 region_type = private name = "private_0x0000000006cd0000" filename = "" Region: id = 1099 start_va = 0x7fe0e000 end_va = 0x7fe10fff entry_point = 0x0 region_type = private name = "private_0x000000007fe0e000" filename = "" Region: id = 1100 start_va = 0x3340000 end_va = 0x3352fff entry_point = 0x3340000 region_type = mapped_file name = "extensiveadvertisement.exe" filename = "\\Program Files (x86)\\Common Files\\extensiveadvertisement.exe" (normalized: "c:\\program files (x86)\\common files\\extensiveadvertisement.exe") Region: id = 1101 start_va = 0x6dd0000 end_va = 0x6e0ffff entry_point = 0x0 region_type = private name = "private_0x0000000006dd0000" filename = "" Region: id = 1102 start_va = 0x6e10000 end_va = 0x6f0ffff entry_point = 0x0 region_type = private name = "private_0x0000000006e10000" filename = "" Region: id = 1103 start_va = 0x7fe0b000 end_va = 0x7fe0dfff entry_point = 0x0 region_type = private name = "private_0x000000007fe0b000" filename = "" Region: id = 1104 start_va = 0x3340000 end_va = 0x337ffff entry_point = 0x0 region_type = private name = "private_0x0000000003340000" filename = "" Region: id = 1105 start_va = 0x3380000 end_va = 0x347ffff entry_point = 0x0 region_type = private name = "private_0x0000000003380000" filename = "" Region: id = 1106 start_va = 0x7fe89000 end_va = 0x7fe8bfff entry_point = 0x0 region_type = private name = "private_0x000000007fe89000" filename = "" Region: id = 1107 start_va = 0x6f10000 end_va = 0x6f4ffff entry_point = 0x0 region_type = private name = "private_0x0000000006f10000" filename = "" Region: id = 1108 start_va = 0x6f50000 end_va = 0x704ffff entry_point = 0x0 region_type = private name = "private_0x0000000006f50000" filename = "" Region: id = 1109 start_va = 0x7fe08000 end_va = 0x7fe0afff entry_point = 0x0 region_type = private name = "private_0x000000007fe08000" filename = "" Region: id = 1110 start_va = 0x7050000 end_va = 0x708ffff entry_point = 0x0 region_type = private name = "private_0x0000000007050000" filename = "" Region: id = 1111 start_va = 0x7090000 end_va = 0x718ffff entry_point = 0x0 region_type = private name = "private_0x0000000007090000" filename = "" Region: id = 1112 start_va = 0x7fe05000 end_va = 0x7fe07fff entry_point = 0x0 region_type = private name = "private_0x000000007fe05000" filename = "" Region: id = 1113 start_va = 0x7190000 end_va = 0x71cffff entry_point = 0x0 region_type = private name = "private_0x0000000007190000" filename = "" Region: id = 1114 start_va = 0x71d0000 end_va = 0x72cffff entry_point = 0x0 region_type = private name = "private_0x00000000071d0000" filename = "" Region: id = 1115 start_va = 0x72d0000 end_va = 0x730ffff entry_point = 0x0 region_type = private name = "private_0x00000000072d0000" filename = "" Region: id = 1116 start_va = 0x7310000 end_va = 0x740ffff entry_point = 0x0 region_type = private name = "private_0x0000000007310000" filename = "" Region: id = 1117 start_va = 0x7fdff000 end_va = 0x7fe01fff entry_point = 0x0 region_type = private name = "private_0x000000007fdff000" filename = "" Region: id = 1118 start_va = 0x7fe02000 end_va = 0x7fe04fff entry_point = 0x0 region_type = private name = "private_0x000000007fe02000" filename = "" Region: id = 1119 start_va = 0x7410000 end_va = 0x744ffff entry_point = 0x0 region_type = private name = "private_0x0000000007410000" filename = "" Region: id = 1120 start_va = 0x7450000 end_va = 0x754ffff entry_point = 0x0 region_type = private name = "private_0x0000000007450000" filename = "" Region: id = 1121 start_va = 0x7fdfc000 end_va = 0x7fdfefff entry_point = 0x0 region_type = private name = "private_0x000000007fdfc000" filename = "" Region: id = 1122 start_va = 0x7550000 end_va = 0x758ffff entry_point = 0x0 region_type = private name = "private_0x0000000007550000" filename = "" Region: id = 1123 start_va = 0x7590000 end_va = 0x768ffff entry_point = 0x0 region_type = private name = "private_0x0000000007590000" filename = "" Region: id = 1124 start_va = 0x7fdf9000 end_va = 0x7fdfbfff entry_point = 0x0 region_type = private name = "private_0x000000007fdf9000" filename = "" Region: id = 1125 start_va = 0x7690000 end_va = 0x76cffff entry_point = 0x0 region_type = private name = "private_0x0000000007690000" filename = "" Region: id = 1126 start_va = 0x76d0000 end_va = 0x77cffff entry_point = 0x0 region_type = private name = "private_0x00000000076d0000" filename = "" Region: id = 1127 start_va = 0x7fdf6000 end_va = 0x7fdf8fff entry_point = 0x0 region_type = private name = "private_0x000000007fdf6000" filename = "" Region: id = 1128 start_va = 0x77d0000 end_va = 0x780ffff entry_point = 0x0 region_type = private name = "private_0x00000000077d0000" filename = "" Region: id = 1129 start_va = 0x7810000 end_va = 0x790ffff entry_point = 0x0 region_type = private name = "private_0x0000000007810000" filename = "" Region: id = 1130 start_va = 0x7fdf3000 end_va = 0x7fdf5fff entry_point = 0x0 region_type = private name = "private_0x000000007fdf3000" filename = "" Region: id = 1131 start_va = 0x7910000 end_va = 0x794ffff entry_point = 0x0 region_type = private name = "private_0x0000000007910000" filename = "" Region: id = 1132 start_va = 0x7950000 end_va = 0x7a4ffff entry_point = 0x0 region_type = private name = "private_0x0000000007950000" filename = "" Region: id = 1133 start_va = 0x7fdf0000 end_va = 0x7fdf2fff entry_point = 0x0 region_type = private name = "private_0x000000007fdf0000" filename = "" Region: id = 1134 start_va = 0x7a50000 end_va = 0x7a8ffff entry_point = 0x0 region_type = private name = "private_0x0000000007a50000" filename = "" Region: id = 1135 start_va = 0x7a90000 end_va = 0x7b8ffff entry_point = 0x0 region_type = private name = "private_0x0000000007a90000" filename = "" Region: id = 1136 start_va = 0x7fded000 end_va = 0x7fdeffff entry_point = 0x0 region_type = private name = "private_0x000000007fded000" filename = "" Region: id = 1137 start_va = 0x7b90000 end_va = 0x7bcffff entry_point = 0x0 region_type = private name = "private_0x0000000007b90000" filename = "" Region: id = 1138 start_va = 0x7bd0000 end_va = 0x7ccffff entry_point = 0x0 region_type = private name = "private_0x0000000007bd0000" filename = "" Region: id = 1139 start_va = 0x7fdea000 end_va = 0x7fdecfff entry_point = 0x0 region_type = private name = "private_0x000000007fdea000" filename = "" Region: id = 1140 start_va = 0x7cd0000 end_va = 0x7d0ffff entry_point = 0x0 region_type = private name = "private_0x0000000007cd0000" filename = "" Region: id = 1141 start_va = 0x7d10000 end_va = 0x7e0ffff entry_point = 0x0 region_type = private name = "private_0x0000000007d10000" filename = "" Region: id = 1142 start_va = 0x7fde7000 end_va = 0x7fde9fff entry_point = 0x0 region_type = private name = "private_0x000000007fde7000" filename = "" Region: id = 1143 start_va = 0x7e10000 end_va = 0x7e4ffff entry_point = 0x0 region_type = private name = "private_0x0000000007e10000" filename = "" Region: id = 1144 start_va = 0x7e50000 end_va = 0x7f4ffff entry_point = 0x0 region_type = private name = "private_0x0000000007e50000" filename = "" Region: id = 1145 start_va = 0x7fde4000 end_va = 0x7fde6fff entry_point = 0x0 region_type = private name = "private_0x000000007fde4000" filename = "" Region: id = 1146 start_va = 0x30c0000 end_va = 0x30cffff entry_point = 0x0 region_type = private name = "private_0x00000000030c0000" filename = "" Region: id = 1147 start_va = 0x30d0000 end_va = 0x30d4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030d0000" filename = "" Region: id = 1148 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1149 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1150 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1151 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1152 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1153 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1154 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1155 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1156 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1157 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1158 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1159 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1160 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1161 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1162 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1163 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1164 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1165 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1166 start_va = 0x30d0000 end_va = 0x310ffff entry_point = 0x0 region_type = private name = "private_0x00000000030d0000" filename = "" Region: id = 1167 start_va = 0x6150000 end_va = 0x624ffff entry_point = 0x0 region_type = private name = "private_0x0000000006150000" filename = "" Region: id = 1168 start_va = 0x7fe8f000 end_va = 0x7fe91fff entry_point = 0x0 region_type = private name = "private_0x000000007fe8f000" filename = "" Region: id = 1169 start_va = 0x3110000 end_va = 0x314ffff entry_point = 0x0 region_type = private name = "private_0x0000000003110000" filename = "" Region: id = 1170 start_va = 0x7f50000 end_va = 0x804ffff entry_point = 0x0 region_type = private name = "private_0x0000000007f50000" filename = "" Region: id = 1171 start_va = 0x7fe29000 end_va = 0x7fe2bfff entry_point = 0x0 region_type = private name = "private_0x000000007fe29000" filename = "" Region: id = 1172 start_va = 0x3150000 end_va = 0x318ffff entry_point = 0x0 region_type = private name = "private_0x0000000003150000" filename = "" Region: id = 1173 start_va = 0x3190000 end_va = 0x31cffff entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 1174 start_va = 0x8050000 end_va = 0x814ffff entry_point = 0x0 region_type = private name = "private_0x0000000008050000" filename = "" Region: id = 1175 start_va = 0x8150000 end_va = 0x824ffff entry_point = 0x0 region_type = private name = "private_0x0000000008150000" filename = "" Region: id = 1176 start_va = 0x7fdde000 end_va = 0x7fde0fff entry_point = 0x0 region_type = private name = "private_0x000000007fdde000" filename = "" Region: id = 1177 start_va = 0x7fde1000 end_va = 0x7fde3fff entry_point = 0x0 region_type = private name = "private_0x000000007fde1000" filename = "" Region: id = 1178 start_va = 0x6250000 end_va = 0x628ffff entry_point = 0x0 region_type = private name = "private_0x0000000006250000" filename = "" Region: id = 1179 start_va = 0x8250000 end_va = 0x834ffff entry_point = 0x0 region_type = private name = "private_0x0000000008250000" filename = "" Region: id = 1180 start_va = 0x7fddb000 end_va = 0x7fdddfff entry_point = 0x0 region_type = private name = "private_0x000000007fddb000" filename = "" Region: id = 1181 start_va = 0x8350000 end_va = 0x838ffff entry_point = 0x0 region_type = private name = "private_0x0000000008350000" filename = "" Region: id = 1182 start_va = 0x8390000 end_va = 0x848ffff entry_point = 0x0 region_type = private name = "private_0x0000000008390000" filename = "" Region: id = 1183 start_va = 0x7fdd8000 end_va = 0x7fddafff entry_point = 0x0 region_type = private name = "private_0x000000007fdd8000" filename = "" Region: id = 1184 start_va = 0x8490000 end_va = 0x84cffff entry_point = 0x0 region_type = private name = "private_0x0000000008490000" filename = "" Region: id = 1185 start_va = 0x84d0000 end_va = 0x85cffff entry_point = 0x0 region_type = private name = "private_0x00000000084d0000" filename = "" Region: id = 1186 start_va = 0x7fdd5000 end_va = 0x7fdd7fff entry_point = 0x0 region_type = private name = "private_0x000000007fdd5000" filename = "" Region: id = 1187 start_va = 0x85d0000 end_va = 0x860ffff entry_point = 0x0 region_type = private name = "private_0x00000000085d0000" filename = "" Region: id = 1188 start_va = 0x8610000 end_va = 0x870ffff entry_point = 0x0 region_type = private name = "private_0x0000000008610000" filename = "" Region: id = 1189 start_va = 0x7fdd2000 end_va = 0x7fdd4fff entry_point = 0x0 region_type = private name = "private_0x000000007fdd2000" filename = "" Region: id = 1190 start_va = 0x8710000 end_va = 0x874ffff entry_point = 0x0 region_type = private name = "private_0x0000000008710000" filename = "" Region: id = 1191 start_va = 0x8750000 end_va = 0x884ffff entry_point = 0x0 region_type = private name = "private_0x0000000008750000" filename = "" Region: id = 1192 start_va = 0x8850000 end_va = 0x904ffff entry_point = 0x0 region_type = private name = "private_0x0000000008850000" filename = "" Region: id = 1193 start_va = 0x7fdcf000 end_va = 0x7fdd1fff entry_point = 0x0 region_type = private name = "private_0x000000007fdcf000" filename = "" Region: id = 1194 start_va = 0x9050000 end_va = 0x908ffff entry_point = 0x0 region_type = private name = "private_0x0000000009050000" filename = "" Region: id = 1195 start_va = 0x9090000 end_va = 0x918ffff entry_point = 0x0 region_type = private name = "private_0x0000000009090000" filename = "" Region: id = 1196 start_va = 0x7fdcc000 end_va = 0x7fdcefff entry_point = 0x0 region_type = private name = "private_0x000000007fdcc000" filename = "" Region: id = 1197 start_va = 0x9190000 end_va = 0x91cffff entry_point = 0x0 region_type = private name = "private_0x0000000009190000" filename = "" Region: id = 1198 start_va = 0x91d0000 end_va = 0x92cffff entry_point = 0x0 region_type = private name = "private_0x00000000091d0000" filename = "" Region: id = 1199 start_va = 0x7fdc9000 end_va = 0x7fdcbfff entry_point = 0x0 region_type = private name = "private_0x000000007fdc9000" filename = "" Region: id = 1200 start_va = 0x92d0000 end_va = 0x930ffff entry_point = 0x0 region_type = private name = "private_0x00000000092d0000" filename = "" Region: id = 1201 start_va = 0x9310000 end_va = 0x940ffff entry_point = 0x0 region_type = private name = "private_0x0000000009310000" filename = "" Region: id = 1202 start_va = 0x7fdc6000 end_va = 0x7fdc8fff entry_point = 0x0 region_type = private name = "private_0x000000007fdc6000" filename = "" Region: id = 1203 start_va = 0x9410000 end_va = 0x944ffff entry_point = 0x0 region_type = private name = "private_0x0000000009410000" filename = "" Region: id = 1204 start_va = 0x9450000 end_va = 0x954ffff entry_point = 0x0 region_type = private name = "private_0x0000000009450000" filename = "" Region: id = 1205 start_va = 0x7fdc3000 end_va = 0x7fdc5fff entry_point = 0x0 region_type = private name = "private_0x000000007fdc3000" filename = "" Region: id = 1206 start_va = 0x9550000 end_va = 0x958ffff entry_point = 0x0 region_type = private name = "private_0x0000000009550000" filename = "" Region: id = 1207 start_va = 0x9590000 end_va = 0x968ffff entry_point = 0x0 region_type = private name = "private_0x0000000009590000" filename = "" Region: id = 1208 start_va = 0x7fdc0000 end_va = 0x7fdc2fff entry_point = 0x0 region_type = private name = "private_0x000000007fdc0000" filename = "" Region: id = 1209 start_va = 0x9690000 end_va = 0x96cffff entry_point = 0x0 region_type = private name = "private_0x0000000009690000" filename = "" Region: id = 1210 start_va = 0x96d0000 end_va = 0x97cffff entry_point = 0x0 region_type = private name = "private_0x00000000096d0000" filename = "" Region: id = 1211 start_va = 0x7fdbd000 end_va = 0x7fdbffff entry_point = 0x0 region_type = private name = "private_0x000000007fdbd000" filename = "" Region: id = 1212 start_va = 0x97d0000 end_va = 0x980ffff entry_point = 0x0 region_type = private name = "private_0x00000000097d0000" filename = "" Region: id = 1213 start_va = 0x9810000 end_va = 0x990ffff entry_point = 0x0 region_type = private name = "private_0x0000000009810000" filename = "" Region: id = 1214 start_va = 0x7fdba000 end_va = 0x7fdbcfff entry_point = 0x0 region_type = private name = "private_0x000000007fdba000" filename = "" Region: id = 1215 start_va = 0x9910000 end_va = 0x994ffff entry_point = 0x0 region_type = private name = "private_0x0000000009910000" filename = "" Region: id = 1216 start_va = 0x9950000 end_va = 0x9a4ffff entry_point = 0x0 region_type = private name = "private_0x0000000009950000" filename = "" Region: id = 1217 start_va = 0x7fdb7000 end_va = 0x7fdb9fff entry_point = 0x0 region_type = private name = "private_0x000000007fdb7000" filename = "" Region: id = 1218 start_va = 0x9a50000 end_va = 0x9a8ffff entry_point = 0x0 region_type = private name = "private_0x0000000009a50000" filename = "" Region: id = 1219 start_va = 0x9a90000 end_va = 0x9b8ffff entry_point = 0x0 region_type = private name = "private_0x0000000009a90000" filename = "" Region: id = 1220 start_va = 0x7fdb4000 end_va = 0x7fdb6fff entry_point = 0x0 region_type = private name = "private_0x000000007fdb4000" filename = "" Region: id = 1221 start_va = 0x9b90000 end_va = 0x9bcffff entry_point = 0x0 region_type = private name = "private_0x0000000009b90000" filename = "" Region: id = 1222 start_va = 0x9bd0000 end_va = 0x9ccffff entry_point = 0x0 region_type = private name = "private_0x0000000009bd0000" filename = "" Region: id = 1223 start_va = 0x7fdb1000 end_va = 0x7fdb3fff entry_point = 0x0 region_type = private name = "private_0x000000007fdb1000" filename = "" Region: id = 1224 start_va = 0x9cd0000 end_va = 0x9d0ffff entry_point = 0x0 region_type = private name = "private_0x0000000009cd0000" filename = "" Region: id = 1225 start_va = 0x9d10000 end_va = 0x9e0ffff entry_point = 0x0 region_type = private name = "private_0x0000000009d10000" filename = "" Region: id = 1226 start_va = 0x7fdae000 end_va = 0x7fdb0fff entry_point = 0x0 region_type = private name = "private_0x000000007fdae000" filename = "" Region: id = 1227 start_va = 0x9e10000 end_va = 0x9e4ffff entry_point = 0x0 region_type = private name = "private_0x0000000009e10000" filename = "" Region: id = 1228 start_va = 0x9e50000 end_va = 0x9f4ffff entry_point = 0x0 region_type = private name = "private_0x0000000009e50000" filename = "" Region: id = 1229 start_va = 0x7fdab000 end_va = 0x7fdadfff entry_point = 0x0 region_type = private name = "private_0x000000007fdab000" filename = "" Region: id = 1230 start_va = 0x9f50000 end_va = 0x9f8ffff entry_point = 0x0 region_type = private name = "private_0x0000000009f50000" filename = "" Region: id = 1231 start_va = 0x9f90000 end_va = 0xa08ffff entry_point = 0x0 region_type = private name = "private_0x0000000009f90000" filename = "" Region: id = 1232 start_va = 0x7fda8000 end_va = 0x7fdaafff entry_point = 0x0 region_type = private name = "private_0x000000007fda8000" filename = "" Region: id = 1233 start_va = 0xa090000 end_va = 0xa0cffff entry_point = 0x0 region_type = private name = "private_0x000000000a090000" filename = "" Region: id = 1234 start_va = 0xa0d0000 end_va = 0xa1cffff entry_point = 0x0 region_type = private name = "private_0x000000000a0d0000" filename = "" Region: id = 1235 start_va = 0x7fda5000 end_va = 0x7fda7fff entry_point = 0x0 region_type = private name = "private_0x000000007fda5000" filename = "" Region: id = 1236 start_va = 0xa1d0000 end_va = 0xa20ffff entry_point = 0x0 region_type = private name = "private_0x000000000a1d0000" filename = "" Region: id = 1237 start_va = 0xa210000 end_va = 0xa30ffff entry_point = 0x0 region_type = private name = "private_0x000000000a210000" filename = "" Region: id = 1238 start_va = 0x7fda2000 end_va = 0x7fda4fff entry_point = 0x0 region_type = private name = "private_0x000000007fda2000" filename = "" Region: id = 1239 start_va = 0xa310000 end_va = 0xa34ffff entry_point = 0x0 region_type = private name = "private_0x000000000a310000" filename = "" Region: id = 1240 start_va = 0xa350000 end_va = 0xa44ffff entry_point = 0x0 region_type = private name = "private_0x000000000a350000" filename = "" Region: id = 1241 start_va = 0x7fd9f000 end_va = 0x7fda1fff entry_point = 0x0 region_type = private name = "private_0x000000007fd9f000" filename = "" Region: id = 1242 start_va = 0xa450000 end_va = 0xa48ffff entry_point = 0x0 region_type = private name = "private_0x000000000a450000" filename = "" Region: id = 1243 start_va = 0xa490000 end_va = 0xa58ffff entry_point = 0x0 region_type = private name = "private_0x000000000a490000" filename = "" Region: id = 1244 start_va = 0x7fd9c000 end_va = 0x7fd9efff entry_point = 0x0 region_type = private name = "private_0x000000007fd9c000" filename = "" Region: id = 1245 start_va = 0xa590000 end_va = 0xa5cffff entry_point = 0x0 region_type = private name = "private_0x000000000a590000" filename = "" Region: id = 1246 start_va = 0xa5d0000 end_va = 0xa6cffff entry_point = 0x0 region_type = private name = "private_0x000000000a5d0000" filename = "" Region: id = 1247 start_va = 0x7fd99000 end_va = 0x7fd9bfff entry_point = 0x0 region_type = private name = "private_0x000000007fd99000" filename = "" Region: id = 1248 start_va = 0xa6d0000 end_va = 0xa70ffff entry_point = 0x0 region_type = private name = "private_0x000000000a6d0000" filename = "" Region: id = 1249 start_va = 0xa710000 end_va = 0xa80ffff entry_point = 0x0 region_type = private name = "private_0x000000000a710000" filename = "" Region: id = 1250 start_va = 0x7fd96000 end_va = 0x7fd98fff entry_point = 0x0 region_type = private name = "private_0x000000007fd96000" filename = "" Region: id = 1251 start_va = 0xa810000 end_va = 0xa84ffff entry_point = 0x0 region_type = private name = "private_0x000000000a810000" filename = "" Region: id = 1252 start_va = 0xa850000 end_va = 0xa94ffff entry_point = 0x0 region_type = private name = "private_0x000000000a850000" filename = "" Region: id = 1253 start_va = 0x7fd93000 end_va = 0x7fd95fff entry_point = 0x0 region_type = private name = "private_0x000000007fd93000" filename = "" Region: id = 1254 start_va = 0xa950000 end_va = 0xa98ffff entry_point = 0x0 region_type = private name = "private_0x000000000a950000" filename = "" Region: id = 1255 start_va = 0xa990000 end_va = 0xaa8ffff entry_point = 0x0 region_type = private name = "private_0x000000000a990000" filename = "" Region: id = 1256 start_va = 0x7fd90000 end_va = 0x7fd92fff entry_point = 0x0 region_type = private name = "private_0x000000007fd90000" filename = "" Region: id = 1257 start_va = 0xaa90000 end_va = 0xaacffff entry_point = 0x0 region_type = private name = "private_0x000000000aa90000" filename = "" Region: id = 1258 start_va = 0xaad0000 end_va = 0xabcffff entry_point = 0x0 region_type = private name = "private_0x000000000aad0000" filename = "" Region: id = 1259 start_va = 0x7fd8d000 end_va = 0x7fd8ffff entry_point = 0x0 region_type = private name = "private_0x000000007fd8d000" filename = "" Region: id = 1260 start_va = 0xabd0000 end_va = 0xac0ffff entry_point = 0x0 region_type = private name = "private_0x000000000abd0000" filename = "" Region: id = 1261 start_va = 0xac10000 end_va = 0xad0ffff entry_point = 0x0 region_type = private name = "private_0x000000000ac10000" filename = "" Region: id = 1262 start_va = 0xad10000 end_va = 0xad4ffff entry_point = 0x0 region_type = private name = "private_0x000000000ad10000" filename = "" Region: id = 1263 start_va = 0xad50000 end_va = 0xae4ffff entry_point = 0x0 region_type = private name = "private_0x000000000ad50000" filename = "" Region: id = 1264 start_va = 0x7fd87000 end_va = 0x7fd89fff entry_point = 0x0 region_type = private name = "private_0x000000007fd87000" filename = "" Region: id = 1265 start_va = 0x7fd8a000 end_va = 0x7fd8cfff entry_point = 0x0 region_type = private name = "private_0x000000007fd8a000" filename = "" Region: id = 1266 start_va = 0xae50000 end_va = 0xae8ffff entry_point = 0x0 region_type = private name = "private_0x000000000ae50000" filename = "" Region: id = 1267 start_va = 0xae90000 end_va = 0xaf8ffff entry_point = 0x0 region_type = private name = "private_0x000000000ae90000" filename = "" Region: id = 1268 start_va = 0x7fd84000 end_va = 0x7fd86fff entry_point = 0x0 region_type = private name = "private_0x000000007fd84000" filename = "" Region: id = 1269 start_va = 0xaf90000 end_va = 0xafcffff entry_point = 0x0 region_type = private name = "private_0x000000000af90000" filename = "" Region: id = 1270 start_va = 0xafd0000 end_va = 0xb0cffff entry_point = 0x0 region_type = private name = "private_0x000000000afd0000" filename = "" Region: id = 1271 start_va = 0x7fd81000 end_va = 0x7fd83fff entry_point = 0x0 region_type = private name = "private_0x000000007fd81000" filename = "" Region: id = 1272 start_va = 0xb0d0000 end_va = 0xb10ffff entry_point = 0x0 region_type = private name = "private_0x000000000b0d0000" filename = "" Region: id = 1273 start_va = 0xb110000 end_va = 0xb20ffff entry_point = 0x0 region_type = private name = "private_0x000000000b110000" filename = "" Region: id = 1274 start_va = 0x7fd7e000 end_va = 0x7fd80fff entry_point = 0x0 region_type = private name = "private_0x000000007fd7e000" filename = "" Region: id = 1275 start_va = 0xb210000 end_va = 0xb24ffff entry_point = 0x0 region_type = private name = "private_0x000000000b210000" filename = "" Region: id = 1276 start_va = 0xb250000 end_va = 0xb34ffff entry_point = 0x0 region_type = private name = "private_0x000000000b250000" filename = "" Region: id = 1277 start_va = 0x7fd7b000 end_va = 0x7fd7dfff entry_point = 0x0 region_type = private name = "private_0x000000007fd7b000" filename = "" Region: id = 1278 start_va = 0xb350000 end_va = 0xb38ffff entry_point = 0x0 region_type = private name = "private_0x000000000b350000" filename = "" Region: id = 1279 start_va = 0xb390000 end_va = 0xb48ffff entry_point = 0x0 region_type = private name = "private_0x000000000b390000" filename = "" Region: id = 1280 start_va = 0x7fd78000 end_va = 0x7fd7afff entry_point = 0x0 region_type = private name = "private_0x000000007fd78000" filename = "" Region: id = 1281 start_va = 0xb490000 end_va = 0xb4cffff entry_point = 0x0 region_type = private name = "private_0x000000000b490000" filename = "" Region: id = 1282 start_va = 0xb4d0000 end_va = 0xb5cffff entry_point = 0x0 region_type = private name = "private_0x000000000b4d0000" filename = "" Region: id = 1283 start_va = 0x7fd75000 end_va = 0x7fd77fff entry_point = 0x0 region_type = private name = "private_0x000000007fd75000" filename = "" Region: id = 1284 start_va = 0xb5d0000 end_va = 0xb60ffff entry_point = 0x0 region_type = private name = "private_0x000000000b5d0000" filename = "" Region: id = 1285 start_va = 0xb610000 end_va = 0xb70ffff entry_point = 0x0 region_type = private name = "private_0x000000000b610000" filename = "" Region: id = 1286 start_va = 0x7fd72000 end_va = 0x7fd74fff entry_point = 0x0 region_type = private name = "private_0x000000007fd72000" filename = "" Region: id = 1287 start_va = 0xb710000 end_va = 0xb74ffff entry_point = 0x0 region_type = private name = "private_0x000000000b710000" filename = "" Region: id = 1288 start_va = 0xb750000 end_va = 0xb84ffff entry_point = 0x0 region_type = private name = "private_0x000000000b750000" filename = "" Region: id = 1289 start_va = 0x7fd6f000 end_va = 0x7fd71fff entry_point = 0x0 region_type = private name = "private_0x000000007fd6f000" filename = "" Region: id = 1290 start_va = 0xb850000 end_va = 0xb88ffff entry_point = 0x0 region_type = private name = "private_0x000000000b850000" filename = "" Region: id = 1291 start_va = 0xb890000 end_va = 0xb98ffff entry_point = 0x0 region_type = private name = "private_0x000000000b890000" filename = "" Region: id = 1292 start_va = 0x7fd6c000 end_va = 0x7fd6efff entry_point = 0x0 region_type = private name = "private_0x000000007fd6c000" filename = "" Region: id = 1293 start_va = 0xb990000 end_va = 0xb9cffff entry_point = 0x0 region_type = private name = "private_0x000000000b990000" filename = "" Region: id = 1294 start_va = 0xb9d0000 end_va = 0xbacffff entry_point = 0x0 region_type = private name = "private_0x000000000b9d0000" filename = "" Region: id = 1295 start_va = 0x7fd69000 end_va = 0x7fd6bfff entry_point = 0x0 region_type = private name = "private_0x000000007fd69000" filename = "" Region: id = 1296 start_va = 0xbad0000 end_va = 0xbb0ffff entry_point = 0x0 region_type = private name = "private_0x000000000bad0000" filename = "" Region: id = 1297 start_va = 0xbb10000 end_va = 0xbc0ffff entry_point = 0x0 region_type = private name = "private_0x000000000bb10000" filename = "" Region: id = 1298 start_va = 0x7fd66000 end_va = 0x7fd68fff entry_point = 0x0 region_type = private name = "private_0x000000007fd66000" filename = "" Region: id = 1299 start_va = 0xbc10000 end_va = 0xbc4ffff entry_point = 0x0 region_type = private name = "private_0x000000000bc10000" filename = "" Region: id = 1300 start_va = 0xbc50000 end_va = 0xbd4ffff entry_point = 0x0 region_type = private name = "private_0x000000000bc50000" filename = "" Region: id = 1301 start_va = 0x7fd63000 end_va = 0x7fd65fff entry_point = 0x0 region_type = private name = "private_0x000000007fd63000" filename = "" Region: id = 1302 start_va = 0xbd50000 end_va = 0xbd8ffff entry_point = 0x0 region_type = private name = "private_0x000000000bd50000" filename = "" Region: id = 1303 start_va = 0xbd90000 end_va = 0xbe8ffff entry_point = 0x0 region_type = private name = "private_0x000000000bd90000" filename = "" Region: id = 1304 start_va = 0x7fd60000 end_va = 0x7fd62fff entry_point = 0x0 region_type = private name = "private_0x000000007fd60000" filename = "" Region: id = 1305 start_va = 0xbe90000 end_va = 0xbecffff entry_point = 0x0 region_type = private name = "private_0x000000000be90000" filename = "" Region: id = 1306 start_va = 0xbed0000 end_va = 0xbfcffff entry_point = 0x0 region_type = private name = "private_0x000000000bed0000" filename = "" Region: id = 1307 start_va = 0x7fd5d000 end_va = 0x7fd5ffff entry_point = 0x0 region_type = private name = "private_0x000000007fd5d000" filename = "" Region: id = 1308 start_va = 0xbfd0000 end_va = 0xc00ffff entry_point = 0x0 region_type = private name = "private_0x000000000bfd0000" filename = "" Region: id = 1309 start_va = 0xc010000 end_va = 0xc10ffff entry_point = 0x0 region_type = private name = "private_0x000000000c010000" filename = "" Region: id = 1310 start_va = 0xc110000 end_va = 0xc14ffff entry_point = 0x0 region_type = private name = "private_0x000000000c110000" filename = "" Region: id = 1311 start_va = 0xc150000 end_va = 0xc24ffff entry_point = 0x0 region_type = private name = "private_0x000000000c150000" filename = "" Region: id = 1312 start_va = 0xc250000 end_va = 0xc28ffff entry_point = 0x0 region_type = private name = "private_0x000000000c250000" filename = "" Region: id = 1313 start_va = 0xc290000 end_va = 0xc38ffff entry_point = 0x0 region_type = private name = "private_0x000000000c290000" filename = "" Region: id = 1314 start_va = 0xc390000 end_va = 0xc3cffff entry_point = 0x0 region_type = private name = "private_0x000000000c390000" filename = "" Region: id = 1315 start_va = 0xc3d0000 end_va = 0xc4cffff entry_point = 0x0 region_type = private name = "private_0x000000000c3d0000" filename = "" Region: id = 1316 start_va = 0xc4d0000 end_va = 0xc50ffff entry_point = 0x0 region_type = private name = "private_0x000000000c4d0000" filename = "" Region: id = 1317 start_va = 0xc510000 end_va = 0xc60ffff entry_point = 0x0 region_type = private name = "private_0x000000000c510000" filename = "" Region: id = 1318 start_va = 0x7fd4e000 end_va = 0x7fd50fff entry_point = 0x0 region_type = private name = "private_0x000000007fd4e000" filename = "" Region: id = 1319 start_va = 0x7fd51000 end_va = 0x7fd53fff entry_point = 0x0 region_type = private name = "private_0x000000007fd51000" filename = "" Region: id = 1320 start_va = 0x7fd54000 end_va = 0x7fd56fff entry_point = 0x0 region_type = private name = "private_0x000000007fd54000" filename = "" Region: id = 1321 start_va = 0x7fd57000 end_va = 0x7fd59fff entry_point = 0x0 region_type = private name = "private_0x000000007fd57000" filename = "" Region: id = 1322 start_va = 0x7fd5a000 end_va = 0x7fd5cfff entry_point = 0x0 region_type = private name = "private_0x000000007fd5a000" filename = "" Region: id = 1323 start_va = 0xc610000 end_va = 0xc64ffff entry_point = 0x0 region_type = private name = "private_0x000000000c610000" filename = "" Region: id = 1324 start_va = 0xc650000 end_va = 0xc74ffff entry_point = 0x0 region_type = private name = "private_0x000000000c650000" filename = "" Region: id = 1325 start_va = 0x7fd4b000 end_va = 0x7fd4dfff entry_point = 0x0 region_type = private name = "private_0x000000007fd4b000" filename = "" Region: id = 1326 start_va = 0xc750000 end_va = 0xc78ffff entry_point = 0x0 region_type = private name = "private_0x000000000c750000" filename = "" Region: id = 1327 start_va = 0xc790000 end_va = 0xc88ffff entry_point = 0x0 region_type = private name = "private_0x000000000c790000" filename = "" Region: id = 1328 start_va = 0x7fd48000 end_va = 0x7fd4afff entry_point = 0x0 region_type = private name = "private_0x000000007fd48000" filename = "" Region: id = 1329 start_va = 0xc890000 end_va = 0xc8cffff entry_point = 0x0 region_type = private name = "private_0x000000000c890000" filename = "" Region: id = 1330 start_va = 0xc8d0000 end_va = 0xc9cffff entry_point = 0x0 region_type = private name = "private_0x000000000c8d0000" filename = "" Region: id = 1331 start_va = 0x7fd45000 end_va = 0x7fd47fff entry_point = 0x0 region_type = private name = "private_0x000000007fd45000" filename = "" Region: id = 1332 start_va = 0xc9d0000 end_va = 0xca0ffff entry_point = 0x0 region_type = private name = "private_0x000000000c9d0000" filename = "" Region: id = 1333 start_va = 0xca10000 end_va = 0xcb0ffff entry_point = 0x0 region_type = private name = "private_0x000000000ca10000" filename = "" Region: id = 1334 start_va = 0x7fd42000 end_va = 0x7fd44fff entry_point = 0x0 region_type = private name = "private_0x000000007fd42000" filename = "" Region: id = 1335 start_va = 0xcb10000 end_va = 0xcb4ffff entry_point = 0x0 region_type = private name = "private_0x000000000cb10000" filename = "" Region: id = 1336 start_va = 0xcb50000 end_va = 0xcc4ffff entry_point = 0x0 region_type = private name = "private_0x000000000cb50000" filename = "" Region: id = 1337 start_va = 0x7fd3f000 end_va = 0x7fd41fff entry_point = 0x0 region_type = private name = "private_0x000000007fd3f000" filename = "" Region: id = 1338 start_va = 0xcc50000 end_va = 0xcc8ffff entry_point = 0x0 region_type = private name = "private_0x000000000cc50000" filename = "" Region: id = 1339 start_va = 0xcc90000 end_va = 0xcd8ffff entry_point = 0x0 region_type = private name = "private_0x000000000cc90000" filename = "" Region: id = 1340 start_va = 0x7fd3c000 end_va = 0x7fd3efff entry_point = 0x0 region_type = private name = "private_0x000000007fd3c000" filename = "" Region: id = 1341 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1342 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1343 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1344 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1345 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1346 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1347 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1348 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1349 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1350 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1351 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1352 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1353 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1354 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1355 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 1356 start_va = 0xcd90000 end_va = 0xcdcffff entry_point = 0x0 region_type = private name = "private_0x000000000cd90000" filename = "" Region: id = 1357 start_va = 0xcdd0000 end_va = 0xcecffff entry_point = 0x0 region_type = private name = "private_0x000000000cdd0000" filename = "" Region: id = 1358 start_va = 0x7fd39000 end_va = 0x7fd3bfff entry_point = 0x0 region_type = private name = "private_0x000000007fd39000" filename = "" Region: id = 1359 start_va = 0xced0000 end_va = 0xcf0ffff entry_point = 0x0 region_type = private name = "private_0x000000000ced0000" filename = "" Region: id = 1360 start_va = 0xcf10000 end_va = 0xd00ffff entry_point = 0x0 region_type = private name = "private_0x000000000cf10000" filename = "" Region: id = 1361 start_va = 0xd010000 end_va = 0xd04ffff entry_point = 0x0 region_type = private name = "private_0x000000000d010000" filename = "" Region: id = 1362 start_va = 0xd050000 end_va = 0xd14ffff entry_point = 0x0 region_type = private name = "private_0x000000000d050000" filename = "" Region: id = 1363 start_va = 0x7fd33000 end_va = 0x7fd35fff entry_point = 0x0 region_type = private name = "private_0x000000007fd33000" filename = "" Region: id = 1364 start_va = 0x7fd36000 end_va = 0x7fd38fff entry_point = 0x0 region_type = private name = "private_0x000000007fd36000" filename = "" Region: id = 1365 start_va = 0xd150000 end_va = 0xd18ffff entry_point = 0x0 region_type = private name = "private_0x000000000d150000" filename = "" Region: id = 1366 start_va = 0xd190000 end_va = 0xd28ffff entry_point = 0x0 region_type = private name = "private_0x000000000d190000" filename = "" Region: id = 1367 start_va = 0x7fd30000 end_va = 0x7fd32fff entry_point = 0x0 region_type = private name = "private_0x000000007fd30000" filename = "" Region: id = 1368 start_va = 0xd290000 end_va = 0xd2cffff entry_point = 0x0 region_type = private name = "private_0x000000000d290000" filename = "" Region: id = 1369 start_va = 0xd2d0000 end_va = 0xd3cffff entry_point = 0x0 region_type = private name = "private_0x000000000d2d0000" filename = "" Region: id = 1370 start_va = 0xd3d0000 end_va = 0xd40ffff entry_point = 0x0 region_type = private name = "private_0x000000000d3d0000" filename = "" Region: id = 1371 start_va = 0xd410000 end_va = 0xd50ffff entry_point = 0x0 region_type = private name = "private_0x000000000d410000" filename = "" Region: id = 1372 start_va = 0x7fd2a000 end_va = 0x7fd2cfff entry_point = 0x0 region_type = private name = "private_0x000000007fd2a000" filename = "" Region: id = 1373 start_va = 0x7fd2d000 end_va = 0x7fd2ffff entry_point = 0x0 region_type = private name = "private_0x000000007fd2d000" filename = "" Region: id = 1374 start_va = 0xd510000 end_va = 0xd54ffff entry_point = 0x0 region_type = private name = "private_0x000000000d510000" filename = "" Region: id = 1375 start_va = 0xd550000 end_va = 0xd64ffff entry_point = 0x0 region_type = private name = "private_0x000000000d550000" filename = "" Region: id = 1376 start_va = 0x7fd27000 end_va = 0x7fd29fff entry_point = 0x0 region_type = private name = "private_0x000000007fd27000" filename = "" Region: id = 1377 start_va = 0xd650000 end_va = 0xd68ffff entry_point = 0x0 region_type = private name = "private_0x000000000d650000" filename = "" Region: id = 1378 start_va = 0xd690000 end_va = 0xd78ffff entry_point = 0x0 region_type = private name = "private_0x000000000d690000" filename = "" Region: id = 1379 start_va = 0x7fd24000 end_va = 0x7fd26fff entry_point = 0x0 region_type = private name = "private_0x000000007fd24000" filename = "" Region: id = 1380 start_va = 0xd790000 end_va = 0xd7cffff entry_point = 0x0 region_type = private name = "private_0x000000000d790000" filename = "" Region: id = 1381 start_va = 0xd7d0000 end_va = 0xd8cffff entry_point = 0x0 region_type = private name = "private_0x000000000d7d0000" filename = "" Region: id = 1382 start_va = 0x7fd21000 end_va = 0x7fd23fff entry_point = 0x0 region_type = private name = "private_0x000000007fd21000" filename = "" Region: id = 1383 start_va = 0xd8d0000 end_va = 0xd90ffff entry_point = 0x0 region_type = private name = "private_0x000000000d8d0000" filename = "" Region: id = 1384 start_va = 0xd910000 end_va = 0xda0ffff entry_point = 0x0 region_type = private name = "private_0x000000000d910000" filename = "" Region: id = 1385 start_va = 0x7fd1e000 end_va = 0x7fd20fff entry_point = 0x0 region_type = private name = "private_0x000000007fd1e000" filename = "" Region: id = 1386 start_va = 0xda10000 end_va = 0xda4ffff entry_point = 0x0 region_type = private name = "private_0x000000000da10000" filename = "" Region: id = 1387 start_va = 0xda50000 end_va = 0xdb4ffff entry_point = 0x0 region_type = private name = "private_0x000000000da50000" filename = "" Region: id = 1388 start_va = 0x7fd1b000 end_va = 0x7fd1dfff entry_point = 0x0 region_type = private name = "private_0x000000007fd1b000" filename = "" Region: id = 1389 start_va = 0xdb50000 end_va = 0xdb8ffff entry_point = 0x0 region_type = private name = "private_0x000000000db50000" filename = "" Region: id = 1390 start_va = 0xdb90000 end_va = 0xdc8ffff entry_point = 0x0 region_type = private name = "private_0x000000000db90000" filename = "" Region: id = 1391 start_va = 0x7fd18000 end_va = 0x7fd1afff entry_point = 0x0 region_type = private name = "private_0x000000007fd18000" filename = "" Region: id = 1392 start_va = 0xdc90000 end_va = 0xdccffff entry_point = 0x0 region_type = private name = "private_0x000000000dc90000" filename = "" Region: id = 1393 start_va = 0xdcd0000 end_va = 0xddcffff entry_point = 0x0 region_type = private name = "private_0x000000000dcd0000" filename = "" Region: id = 1394 start_va = 0x7fd15000 end_va = 0x7fd17fff entry_point = 0x0 region_type = private name = "private_0x000000007fd15000" filename = "" Region: id = 1395 start_va = 0xddd0000 end_va = 0xde0ffff entry_point = 0x0 region_type = private name = "private_0x000000000ddd0000" filename = "" Region: id = 1396 start_va = 0xde10000 end_va = 0xdf0ffff entry_point = 0x0 region_type = private name = "private_0x000000000de10000" filename = "" Region: id = 1397 start_va = 0x7fd12000 end_va = 0x7fd14fff entry_point = 0x0 region_type = private name = "private_0x000000007fd12000" filename = "" Region: id = 1398 start_va = 0xdf10000 end_va = 0xdf4ffff entry_point = 0x0 region_type = private name = "private_0x000000000df10000" filename = "" Region: id = 1399 start_va = 0xdf50000 end_va = 0xe04ffff entry_point = 0x0 region_type = private name = "private_0x000000000df50000" filename = "" Region: id = 1400 start_va = 0x7fd0f000 end_va = 0x7fd11fff entry_point = 0x0 region_type = private name = "private_0x000000007fd0f000" filename = "" Region: id = 1401 start_va = 0xe050000 end_va = 0xe08ffff entry_point = 0x0 region_type = private name = "private_0x000000000e050000" filename = "" Region: id = 1402 start_va = 0xe090000 end_va = 0xe18ffff entry_point = 0x0 region_type = private name = "private_0x000000000e090000" filename = "" Region: id = 1403 start_va = 0x7fd0c000 end_va = 0x7fd0efff entry_point = 0x0 region_type = private name = "private_0x000000007fd0c000" filename = "" Region: id = 1404 start_va = 0xe190000 end_va = 0xe1cffff entry_point = 0x0 region_type = private name = "private_0x000000000e190000" filename = "" Region: id = 1405 start_va = 0xe1d0000 end_va = 0xe2cffff entry_point = 0x0 region_type = private name = "private_0x000000000e1d0000" filename = "" Region: id = 1406 start_va = 0x7fd09000 end_va = 0x7fd0bfff entry_point = 0x0 region_type = private name = "private_0x000000007fd09000" filename = "" Region: id = 1407 start_va = 0xe2d0000 end_va = 0xe30ffff entry_point = 0x0 region_type = private name = "private_0x000000000e2d0000" filename = "" Region: id = 1408 start_va = 0xe310000 end_va = 0xe40ffff entry_point = 0x0 region_type = private name = "private_0x000000000e310000" filename = "" Region: id = 1409 start_va = 0xe410000 end_va = 0xe44ffff entry_point = 0x0 region_type = private name = "private_0x000000000e410000" filename = "" Region: id = 1410 start_va = 0xe450000 end_va = 0xe54ffff entry_point = 0x0 region_type = private name = "private_0x000000000e450000" filename = "" Region: id = 1411 start_va = 0x7fd03000 end_va = 0x7fd05fff entry_point = 0x0 region_type = private name = "private_0x000000007fd03000" filename = "" Region: id = 1412 start_va = 0x7fd06000 end_va = 0x7fd08fff entry_point = 0x0 region_type = private name = "private_0x000000007fd06000" filename = "" Region: id = 1413 start_va = 0xe550000 end_va = 0xe58ffff entry_point = 0x0 region_type = private name = "private_0x000000000e550000" filename = "" Region: id = 1414 start_va = 0xe590000 end_va = 0xe68ffff entry_point = 0x0 region_type = private name = "private_0x000000000e590000" filename = "" Region: id = 1415 start_va = 0x7fd00000 end_va = 0x7fd02fff entry_point = 0x0 region_type = private name = "private_0x000000007fd00000" filename = "" Region: id = 1416 start_va = 0xe690000 end_va = 0xe6cffff entry_point = 0x0 region_type = private name = "private_0x000000000e690000" filename = "" Region: id = 1417 start_va = 0xe6d0000 end_va = 0xe7cffff entry_point = 0x0 region_type = private name = "private_0x000000000e6d0000" filename = "" Region: id = 1418 start_va = 0x7fcfd000 end_va = 0x7fcfffff entry_point = 0x0 region_type = private name = "private_0x000000007fcfd000" filename = "" Region: id = 1419 start_va = 0xe7d0000 end_va = 0xe80ffff entry_point = 0x0 region_type = private name = "private_0x000000000e7d0000" filename = "" Region: id = 1420 start_va = 0xe810000 end_va = 0xe90ffff entry_point = 0x0 region_type = private name = "private_0x000000000e810000" filename = "" Region: id = 1421 start_va = 0x7fcfa000 end_va = 0x7fcfcfff entry_point = 0x0 region_type = private name = "private_0x000000007fcfa000" filename = "" Region: id = 1422 start_va = 0xe910000 end_va = 0xe94ffff entry_point = 0x0 region_type = private name = "private_0x000000000e910000" filename = "" Region: id = 1423 start_va = 0xe950000 end_va = 0xea4ffff entry_point = 0x0 region_type = private name = "private_0x000000000e950000" filename = "" Region: id = 1424 start_va = 0x7fcf7000 end_va = 0x7fcf9fff entry_point = 0x0 region_type = private name = "private_0x000000007fcf7000" filename = "" Region: id = 1425 start_va = 0xea50000 end_va = 0xea8ffff entry_point = 0x0 region_type = private name = "private_0x000000000ea50000" filename = "" Region: id = 1426 start_va = 0xea90000 end_va = 0xeb8ffff entry_point = 0x0 region_type = private name = "private_0x000000000ea90000" filename = "" Region: id = 1427 start_va = 0x7fcf4000 end_va = 0x7fcf6fff entry_point = 0x0 region_type = private name = "private_0x000000007fcf4000" filename = "" Region: id = 1428 start_va = 0xeb90000 end_va = 0xebcffff entry_point = 0x0 region_type = private name = "private_0x000000000eb90000" filename = "" Region: id = 1429 start_va = 0xebd0000 end_va = 0xeccffff entry_point = 0x0 region_type = private name = "private_0x000000000ebd0000" filename = "" Region: id = 1430 start_va = 0x7fcf1000 end_va = 0x7fcf3fff entry_point = 0x0 region_type = private name = "private_0x000000007fcf1000" filename = "" Region: id = 1431 start_va = 0xecd0000 end_va = 0xed0ffff entry_point = 0x0 region_type = private name = "private_0x000000000ecd0000" filename = "" Region: id = 1432 start_va = 0xed10000 end_va = 0xee0ffff entry_point = 0x0 region_type = private name = "private_0x000000000ed10000" filename = "" Region: id = 1433 start_va = 0x7fcee000 end_va = 0x7fcf0fff entry_point = 0x0 region_type = private name = "private_0x000000007fcee000" filename = "" Region: id = 1434 start_va = 0xee10000 end_va = 0xee4ffff entry_point = 0x0 region_type = private name = "private_0x000000000ee10000" filename = "" Region: id = 1435 start_va = 0xee50000 end_va = 0xef4ffff entry_point = 0x0 region_type = private name = "private_0x000000000ee50000" filename = "" Region: id = 1436 start_va = 0x7fceb000 end_va = 0x7fcedfff entry_point = 0x0 region_type = private name = "private_0x000000007fceb000" filename = "" Region: id = 1437 start_va = 0xef50000 end_va = 0xef8ffff entry_point = 0x0 region_type = private name = "private_0x000000000ef50000" filename = "" Region: id = 1438 start_va = 0xef90000 end_va = 0xf08ffff entry_point = 0x0 region_type = private name = "private_0x000000000ef90000" filename = "" Region: id = 1439 start_va = 0x7fce8000 end_va = 0x7fceafff entry_point = 0x0 region_type = private name = "private_0x000000007fce8000" filename = "" Region: id = 1440 start_va = 0xf090000 end_va = 0xf0cffff entry_point = 0x0 region_type = private name = "private_0x000000000f090000" filename = "" Region: id = 1441 start_va = 0xf0d0000 end_va = 0xf1cffff entry_point = 0x0 region_type = private name = "private_0x000000000f0d0000" filename = "" Region: id = 1442 start_va = 0x7fce5000 end_va = 0x7fce7fff entry_point = 0x0 region_type = private name = "private_0x000000007fce5000" filename = "" Region: id = 1443 start_va = 0xf1d0000 end_va = 0xf20ffff entry_point = 0x0 region_type = private name = "private_0x000000000f1d0000" filename = "" Region: id = 1444 start_va = 0xf210000 end_va = 0xf30ffff entry_point = 0x0 region_type = private name = "private_0x000000000f210000" filename = "" Region: id = 1445 start_va = 0x7fce2000 end_va = 0x7fce4fff entry_point = 0x0 region_type = private name = "private_0x000000007fce2000" filename = "" Region: id = 1446 start_va = 0xf310000 end_va = 0xf34ffff entry_point = 0x0 region_type = private name = "private_0x000000000f310000" filename = "" Region: id = 1447 start_va = 0xf350000 end_va = 0xf44ffff entry_point = 0x0 region_type = private name = "private_0x000000000f350000" filename = "" Region: id = 1448 start_va = 0xf450000 end_va = 0xf48ffff entry_point = 0x0 region_type = private name = "private_0x000000000f450000" filename = "" Region: id = 1449 start_va = 0xf490000 end_va = 0xf58ffff entry_point = 0x0 region_type = private name = "private_0x000000000f490000" filename = "" Region: id = 1450 start_va = 0xf590000 end_va = 0xf68ffff entry_point = 0xf590000 region_type = mapped_file name = "boot.sdi id-br3n0g72wub8cejt.lyas" filename = "\\Recovery\\WindowsRE\\boot.sdi id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\recovery\\windowsre\\boot.sdi id-br3n0g72wub8cejt.lyas") Region: id = 1451 start_va = 0x7fcdc000 end_va = 0x7fcdefff entry_point = 0x0 region_type = private name = "private_0x000000007fcdc000" filename = "" Region: id = 1452 start_va = 0x7fcdf000 end_va = 0x7fce1fff entry_point = 0x0 region_type = private name = "private_0x000000007fcdf000" filename = "" Region: id = 1453 start_va = 0xf690000 end_va = 0xf6cffff entry_point = 0x0 region_type = private name = "private_0x000000000f690000" filename = "" Region: id = 1454 start_va = 0xf6d0000 end_va = 0xf7cffff entry_point = 0x0 region_type = private name = "private_0x000000000f6d0000" filename = "" Region: id = 1455 start_va = 0xf7d0000 end_va = 0xf80ffff entry_point = 0x0 region_type = private name = "private_0x000000000f7d0000" filename = "" Region: id = 1456 start_va = 0xf810000 end_va = 0xf90ffff entry_point = 0x0 region_type = private name = "private_0x000000000f810000" filename = "" Region: id = 1457 start_va = 0xf910000 end_va = 0xf94ffff entry_point = 0x0 region_type = private name = "private_0x000000000f910000" filename = "" Region: id = 1458 start_va = 0xf950000 end_va = 0xfa4ffff entry_point = 0x0 region_type = private name = "private_0x000000000f950000" filename = "" Region: id = 1459 start_va = 0xfa50000 end_va = 0xfa8ffff entry_point = 0x0 region_type = private name = "private_0x000000000fa50000" filename = "" Region: id = 1460 start_va = 0xfa90000 end_va = 0xfb8ffff entry_point = 0x0 region_type = private name = "private_0x000000000fa90000" filename = "" Region: id = 1461 start_va = 0x7fcd0000 end_va = 0x7fcd2fff entry_point = 0x0 region_type = private name = "private_0x000000007fcd0000" filename = "" Region: id = 1462 start_va = 0x7fcd3000 end_va = 0x7fcd5fff entry_point = 0x0 region_type = private name = "private_0x000000007fcd3000" filename = "" Region: id = 1463 start_va = 0x7fcd6000 end_va = 0x7fcd8fff entry_point = 0x0 region_type = private name = "private_0x000000007fcd6000" filename = "" Region: id = 1464 start_va = 0x7fcd9000 end_va = 0x7fcdbfff entry_point = 0x0 region_type = private name = "private_0x000000007fcd9000" filename = "" Region: id = 1465 start_va = 0xfb90000 end_va = 0xfbcffff entry_point = 0x0 region_type = private name = "private_0x000000000fb90000" filename = "" Region: id = 1466 start_va = 0xfbd0000 end_va = 0xfccffff entry_point = 0x0 region_type = private name = "private_0x000000000fbd0000" filename = "" Region: id = 1467 start_va = 0x7fccd000 end_va = 0x7fccffff entry_point = 0x0 region_type = private name = "private_0x000000007fccd000" filename = "" Region: id = 1468 start_va = 0xfcd0000 end_va = 0xfd0ffff entry_point = 0x0 region_type = private name = "private_0x000000000fcd0000" filename = "" Region: id = 1469 start_va = 0xfd10000 end_va = 0xfe0ffff entry_point = 0x0 region_type = private name = "private_0x000000000fd10000" filename = "" Region: id = 1470 start_va = 0x7fcca000 end_va = 0x7fcccfff entry_point = 0x0 region_type = private name = "private_0x000000007fcca000" filename = "" Region: id = 1471 start_va = 0xfe10000 end_va = 0xfe4ffff entry_point = 0x0 region_type = private name = "private_0x000000000fe10000" filename = "" Region: id = 1472 start_va = 0xfe50000 end_va = 0xff4ffff entry_point = 0x0 region_type = private name = "private_0x000000000fe50000" filename = "" Region: id = 1473 start_va = 0x7fcc7000 end_va = 0x7fcc9fff entry_point = 0x0 region_type = private name = "private_0x000000007fcc7000" filename = "" Region: id = 1474 start_va = 0xff50000 end_va = 0xff8ffff entry_point = 0x0 region_type = private name = "private_0x000000000ff50000" filename = "" Region: id = 1475 start_va = 0xff90000 end_va = 0x1008ffff entry_point = 0x0 region_type = private name = "private_0x000000000ff90000" filename = "" Region: id = 1476 start_va = 0x7fcc4000 end_va = 0x7fcc6fff entry_point = 0x0 region_type = private name = "private_0x000000007fcc4000" filename = "" Region: id = 1477 start_va = 0x10090000 end_va = 0x100cffff entry_point = 0x0 region_type = private name = "private_0x0000000010090000" filename = "" Region: id = 1478 start_va = 0x100d0000 end_va = 0x101cffff entry_point = 0x0 region_type = private name = "private_0x00000000100d0000" filename = "" Region: id = 1479 start_va = 0x7fcc1000 end_va = 0x7fcc3fff entry_point = 0x0 region_type = private name = "private_0x000000007fcc1000" filename = "" Region: id = 1480 start_va = 0x101d0000 end_va = 0x1020ffff entry_point = 0x0 region_type = private name = "private_0x00000000101d0000" filename = "" Region: id = 1481 start_va = 0x10210000 end_va = 0x1030ffff entry_point = 0x0 region_type = private name = "private_0x0000000010210000" filename = "" Region: id = 1482 start_va = 0x7fcbe000 end_va = 0x7fcc0fff entry_point = 0x0 region_type = private name = "private_0x000000007fcbe000" filename = "" Region: id = 1483 start_va = 0x10310000 end_va = 0x1034ffff entry_point = 0x0 region_type = private name = "private_0x0000000010310000" filename = "" Region: id = 1484 start_va = 0x10350000 end_va = 0x1044ffff entry_point = 0x0 region_type = private name = "private_0x0000000010350000" filename = "" Region: id = 1485 start_va = 0x7fcbb000 end_va = 0x7fcbdfff entry_point = 0x0 region_type = private name = "private_0x000000007fcbb000" filename = "" Region: id = 1486 start_va = 0x10450000 end_va = 0x1048ffff entry_point = 0x0 region_type = private name = "private_0x0000000010450000" filename = "" Region: id = 1487 start_va = 0x10490000 end_va = 0x1058ffff entry_point = 0x0 region_type = private name = "private_0x0000000010490000" filename = "" Region: id = 1488 start_va = 0x10590000 end_va = 0x1155ffff entry_point = 0x0 region_type = private name = "private_0x0000000010590000" filename = "" Region: id = 1489 start_va = 0x7fcb8000 end_va = 0x7fcbafff entry_point = 0x0 region_type = private name = "private_0x000000007fcb8000" filename = "" Region: id = 1490 start_va = 0x11560000 end_va = 0x1159ffff entry_point = 0x0 region_type = private name = "private_0x0000000011560000" filename = "" Region: id = 1491 start_va = 0x115a0000 end_va = 0x1169ffff entry_point = 0x0 region_type = private name = "private_0x00000000115a0000" filename = "" Region: id = 1492 start_va = 0x7fcb5000 end_va = 0x7fcb7fff entry_point = 0x0 region_type = private name = "private_0x000000007fcb5000" filename = "" Region: id = 1493 start_va = 0x116a0000 end_va = 0x116dffff entry_point = 0x0 region_type = private name = "private_0x00000000116a0000" filename = "" Region: id = 1494 start_va = 0x116e0000 end_va = 0x117dffff entry_point = 0x0 region_type = private name = "private_0x00000000116e0000" filename = "" Region: id = 1495 start_va = 0x7fcb2000 end_va = 0x7fcb4fff entry_point = 0x0 region_type = private name = "private_0x000000007fcb2000" filename = "" Region: id = 1496 start_va = 0x117e0000 end_va = 0x1181ffff entry_point = 0x0 region_type = private name = "private_0x00000000117e0000" filename = "" Region: id = 1497 start_va = 0x11820000 end_va = 0x1191ffff entry_point = 0x0 region_type = private name = "private_0x0000000011820000" filename = "" Region: id = 1498 start_va = 0x7fcaf000 end_va = 0x7fcb1fff entry_point = 0x0 region_type = private name = "private_0x000000007fcaf000" filename = "" Region: id = 1499 start_va = 0x11920000 end_va = 0x1195ffff entry_point = 0x0 region_type = private name = "private_0x0000000011920000" filename = "" Region: id = 1500 start_va = 0x11960000 end_va = 0x11a5ffff entry_point = 0x0 region_type = private name = "private_0x0000000011960000" filename = "" Region: id = 1501 start_va = 0x7fcac000 end_va = 0x7fcaefff entry_point = 0x0 region_type = private name = "private_0x000000007fcac000" filename = "" Region: id = 1502 start_va = 0x11a60000 end_va = 0x11a9ffff entry_point = 0x0 region_type = private name = "private_0x0000000011a60000" filename = "" Region: id = 1503 start_va = 0x11aa0000 end_va = 0x11b9ffff entry_point = 0x0 region_type = private name = "private_0x0000000011aa0000" filename = "" Region: id = 1504 start_va = 0x7fca9000 end_va = 0x7fcabfff entry_point = 0x0 region_type = private name = "private_0x000000007fca9000" filename = "" Region: id = 1505 start_va = 0x11ba0000 end_va = 0x11bdffff entry_point = 0x0 region_type = private name = "private_0x0000000011ba0000" filename = "" Region: id = 1506 start_va = 0x11be0000 end_va = 0x11cdffff entry_point = 0x0 region_type = private name = "private_0x0000000011be0000" filename = "" Region: id = 1507 start_va = 0x7fca6000 end_va = 0x7fca8fff entry_point = 0x0 region_type = private name = "private_0x000000007fca6000" filename = "" Region: id = 1508 start_va = 0x11ce0000 end_va = 0x11d1ffff entry_point = 0x0 region_type = private name = "private_0x0000000011ce0000" filename = "" Region: id = 1509 start_va = 0x11d20000 end_va = 0x11e1ffff entry_point = 0x0 region_type = private name = "private_0x0000000011d20000" filename = "" Region: id = 1510 start_va = 0x7fca3000 end_va = 0x7fca5fff entry_point = 0x0 region_type = private name = "private_0x000000007fca3000" filename = "" Region: id = 1511 start_va = 0x11e20000 end_va = 0x11e5ffff entry_point = 0x0 region_type = private name = "private_0x0000000011e20000" filename = "" Region: id = 1512 start_va = 0x11e60000 end_va = 0x11f5ffff entry_point = 0x0 region_type = private name = "private_0x0000000011e60000" filename = "" Region: id = 1513 start_va = 0x7fca0000 end_va = 0x7fca2fff entry_point = 0x0 region_type = private name = "private_0x000000007fca0000" filename = "" Region: id = 1514 start_va = 0x11f60000 end_va = 0x11f9ffff entry_point = 0x0 region_type = private name = "private_0x0000000011f60000" filename = "" Region: id = 1515 start_va = 0x11fa0000 end_va = 0x1209ffff entry_point = 0x0 region_type = private name = "private_0x0000000011fa0000" filename = "" Region: id = 1516 start_va = 0x7fc9d000 end_va = 0x7fc9ffff entry_point = 0x0 region_type = private name = "private_0x000000007fc9d000" filename = "" Region: id = 1517 start_va = 0x120a0000 end_va = 0x120dffff entry_point = 0x0 region_type = private name = "private_0x00000000120a0000" filename = "" Region: id = 1518 start_va = 0x120e0000 end_va = 0x121dffff entry_point = 0x0 region_type = private name = "private_0x00000000120e0000" filename = "" Region: id = 1519 start_va = 0x7fc9a000 end_va = 0x7fc9cfff entry_point = 0x0 region_type = private name = "private_0x000000007fc9a000" filename = "" Region: id = 1520 start_va = 0x121e0000 end_va = 0x1221ffff entry_point = 0x0 region_type = private name = "private_0x00000000121e0000" filename = "" Region: id = 1521 start_va = 0x12220000 end_va = 0x1231ffff entry_point = 0x0 region_type = private name = "private_0x0000000012220000" filename = "" Region: id = 1522 start_va = 0x12320000 end_va = 0x1235ffff entry_point = 0x0 region_type = private name = "private_0x0000000012320000" filename = "" Region: id = 1523 start_va = 0x12360000 end_va = 0x1245ffff entry_point = 0x0 region_type = private name = "private_0x0000000012360000" filename = "" Region: id = 1524 start_va = 0x12460000 end_va = 0x1249ffff entry_point = 0x0 region_type = private name = "private_0x0000000012460000" filename = "" Region: id = 1525 start_va = 0x124a0000 end_va = 0x1259ffff entry_point = 0x0 region_type = private name = "private_0x00000000124a0000" filename = "" Region: id = 1526 start_va = 0x125a0000 end_va = 0x125dffff entry_point = 0x0 region_type = private name = "private_0x00000000125a0000" filename = "" Region: id = 1527 start_va = 0x125e0000 end_va = 0x126dffff entry_point = 0x0 region_type = private name = "private_0x00000000125e0000" filename = "" Region: id = 1528 start_va = 0x126e0000 end_va = 0x1271ffff entry_point = 0x0 region_type = private name = "private_0x00000000126e0000" filename = "" Region: id = 1529 start_va = 0x12720000 end_va = 0x1281ffff entry_point = 0x0 region_type = private name = "private_0x0000000012720000" filename = "" Region: id = 1530 start_va = 0x7fc8b000 end_va = 0x7fc8dfff entry_point = 0x0 region_type = private name = "private_0x000000007fc8b000" filename = "" Region: id = 1531 start_va = 0x7fc8e000 end_va = 0x7fc90fff entry_point = 0x0 region_type = private name = "private_0x000000007fc8e000" filename = "" Region: id = 1532 start_va = 0x7fc91000 end_va = 0x7fc93fff entry_point = 0x0 region_type = private name = "private_0x000000007fc91000" filename = "" Region: id = 1533 start_va = 0x7fc94000 end_va = 0x7fc96fff entry_point = 0x0 region_type = private name = "private_0x000000007fc94000" filename = "" Region: id = 1534 start_va = 0x7fc97000 end_va = 0x7fc99fff entry_point = 0x0 region_type = private name = "private_0x000000007fc97000" filename = "" Region: id = 1535 start_va = 0x12820000 end_va = 0x1285ffff entry_point = 0x0 region_type = private name = "private_0x0000000012820000" filename = "" Region: id = 1536 start_va = 0x12860000 end_va = 0x1295ffff entry_point = 0x0 region_type = private name = "private_0x0000000012860000" filename = "" Region: id = 1537 start_va = 0x12960000 end_va = 0x12a5ffff entry_point = 0x12960000 region_type = mapped_file name = "appxmanifest.xml id-br3n0g72wub8cejt.lyas" filename = "\\Program Files\\Microsoft Office\\AppXManifest.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\microsoft office\\appxmanifest.xml id-br3n0g72wub8cejt.lyas") Region: id = 1538 start_va = 0x7fc88000 end_va = 0x7fc8afff entry_point = 0x0 region_type = private name = "private_0x000000007fc88000" filename = "" Region: id = 1539 start_va = 0x12a60000 end_va = 0x12a9ffff entry_point = 0x0 region_type = private name = "private_0x0000000012a60000" filename = "" Region: id = 1540 start_va = 0x12aa0000 end_va = 0x12b9ffff entry_point = 0x0 region_type = private name = "private_0x0000000012aa0000" filename = "" Region: id = 1541 start_va = 0x12ba0000 end_va = 0x12bdffff entry_point = 0x0 region_type = private name = "private_0x0000000012ba0000" filename = "" Region: id = 1542 start_va = 0x12be0000 end_va = 0x12cdffff entry_point = 0x0 region_type = private name = "private_0x0000000012be0000" filename = "" Region: id = 1543 start_va = 0x12ce0000 end_va = 0x12d1ffff entry_point = 0x0 region_type = private name = "private_0x0000000012ce0000" filename = "" Region: id = 1544 start_va = 0x12d20000 end_va = 0x12e1ffff entry_point = 0x0 region_type = private name = "private_0x0000000012d20000" filename = "" Region: id = 1545 start_va = 0x12e20000 end_va = 0x12e5ffff entry_point = 0x0 region_type = private name = "private_0x0000000012e20000" filename = "" Region: id = 1546 start_va = 0x12e60000 end_va = 0x12f5ffff entry_point = 0x0 region_type = private name = "private_0x0000000012e60000" filename = "" Region: id = 1547 start_va = 0x12f60000 end_va = 0x12f9ffff entry_point = 0x0 region_type = private name = "private_0x0000000012f60000" filename = "" Region: id = 1548 start_va = 0x12fa0000 end_va = 0x1309ffff entry_point = 0x0 region_type = private name = "private_0x0000000012fa0000" filename = "" Region: id = 1549 start_va = 0x130a0000 end_va = 0x130dffff entry_point = 0x0 region_type = private name = "private_0x00000000130a0000" filename = "" Region: id = 1550 start_va = 0x130e0000 end_va = 0x131dffff entry_point = 0x0 region_type = private name = "private_0x00000000130e0000" filename = "" Region: id = 1551 start_va = 0x131e0000 end_va = 0x1321ffff entry_point = 0x0 region_type = private name = "private_0x00000000131e0000" filename = "" Region: id = 1552 start_va = 0x13220000 end_va = 0x1331ffff entry_point = 0x0 region_type = private name = "private_0x0000000013220000" filename = "" Region: id = 1553 start_va = 0x7fc73000 end_va = 0x7fc75fff entry_point = 0x0 region_type = private name = "private_0x000000007fc73000" filename = "" Region: id = 1554 start_va = 0x7fc76000 end_va = 0x7fc78fff entry_point = 0x0 region_type = private name = "private_0x000000007fc76000" filename = "" Region: id = 1555 start_va = 0x7fc79000 end_va = 0x7fc7bfff entry_point = 0x0 region_type = private name = "private_0x000000007fc79000" filename = "" Region: id = 1556 start_va = 0x7fc7c000 end_va = 0x7fc7efff entry_point = 0x0 region_type = private name = "private_0x000000007fc7c000" filename = "" Region: id = 1557 start_va = 0x7fc7f000 end_va = 0x7fc81fff entry_point = 0x0 region_type = private name = "private_0x000000007fc7f000" filename = "" Region: id = 1558 start_va = 0x7fc82000 end_va = 0x7fc84fff entry_point = 0x0 region_type = private name = "private_0x000000007fc82000" filename = "" Region: id = 1559 start_va = 0x7fc85000 end_va = 0x7fc87fff entry_point = 0x0 region_type = private name = "private_0x000000007fc85000" filename = "" Region: id = 1560 start_va = 0x13320000 end_va = 0x1335ffff entry_point = 0x0 region_type = private name = "private_0x0000000013320000" filename = "" Region: id = 1561 start_va = 0x13360000 end_va = 0x1345ffff entry_point = 0x0 region_type = private name = "private_0x0000000013360000" filename = "" Region: id = 1562 start_va = 0x7fc70000 end_va = 0x7fc72fff entry_point = 0x0 region_type = private name = "private_0x000000007fc70000" filename = "" Region: id = 1563 start_va = 0x13460000 end_va = 0x1349ffff entry_point = 0x0 region_type = private name = "private_0x0000000013460000" filename = "" Region: id = 1564 start_va = 0x134a0000 end_va = 0x1359ffff entry_point = 0x0 region_type = private name = "private_0x00000000134a0000" filename = "" Region: id = 1565 start_va = 0x7fc6d000 end_va = 0x7fc6ffff entry_point = 0x0 region_type = private name = "private_0x000000007fc6d000" filename = "" Region: id = 1566 start_va = 0x135a0000 end_va = 0x135dffff entry_point = 0x0 region_type = private name = "private_0x00000000135a0000" filename = "" Region: id = 1567 start_va = 0x135e0000 end_va = 0x136dffff entry_point = 0x0 region_type = private name = "private_0x00000000135e0000" filename = "" Region: id = 1568 start_va = 0x7fc6a000 end_va = 0x7fc6cfff entry_point = 0x0 region_type = private name = "private_0x000000007fc6a000" filename = "" Region: id = 1569 start_va = 0x136e0000 end_va = 0x1371ffff entry_point = 0x0 region_type = private name = "private_0x00000000136e0000" filename = "" Region: id = 1570 start_va = 0x13720000 end_va = 0x1381ffff entry_point = 0x0 region_type = private name = "private_0x0000000013720000" filename = "" Region: id = 1571 start_va = 0x7fc67000 end_va = 0x7fc69fff entry_point = 0x0 region_type = private name = "private_0x000000007fc67000" filename = "" Region: id = 1572 start_va = 0x13820000 end_va = 0x1385ffff entry_point = 0x0 region_type = private name = "private_0x0000000013820000" filename = "" Region: id = 1573 start_va = 0x13860000 end_va = 0x1395ffff entry_point = 0x0 region_type = private name = "private_0x0000000013860000" filename = "" Region: id = 1574 start_va = 0x7fc64000 end_va = 0x7fc66fff entry_point = 0x0 region_type = private name = "private_0x000000007fc64000" filename = "" Region: id = 1575 start_va = 0x13960000 end_va = 0x1399ffff entry_point = 0x0 region_type = private name = "private_0x0000000013960000" filename = "" Region: id = 1576 start_va = 0x139a0000 end_va = 0x13a9ffff entry_point = 0x0 region_type = private name = "private_0x00000000139a0000" filename = "" Region: id = 1577 start_va = 0x7fc61000 end_va = 0x7fc63fff entry_point = 0x0 region_type = private name = "private_0x000000007fc61000" filename = "" Region: id = 1578 start_va = 0x13aa0000 end_va = 0x13adffff entry_point = 0x0 region_type = private name = "private_0x0000000013aa0000" filename = "" Region: id = 1579 start_va = 0x13ae0000 end_va = 0x13bdffff entry_point = 0x0 region_type = private name = "private_0x0000000013ae0000" filename = "" Region: id = 1580 start_va = 0x7fc5e000 end_va = 0x7fc60fff entry_point = 0x0 region_type = private name = "private_0x000000007fc5e000" filename = "" Region: id = 1581 start_va = 0x31d0000 end_va = 0x31e2fff entry_point = 0x31d0000 region_type = mapped_file name = "charity.exe" filename = "\\Program Files\\Microsoft Office 15\\charity.exe" (normalized: "c:\\program files\\microsoft office 15\\charity.exe") Region: id = 1582 start_va = 0x13be0000 end_va = 0x13c1ffff entry_point = 0x0 region_type = private name = "private_0x0000000013be0000" filename = "" Region: id = 1583 start_va = 0x13c20000 end_va = 0x13d1ffff entry_point = 0x0 region_type = private name = "private_0x0000000013c20000" filename = "" Region: id = 1584 start_va = 0x7fc5b000 end_va = 0x7fc5dfff entry_point = 0x0 region_type = private name = "private_0x000000007fc5b000" filename = "" Region: id = 1585 start_va = 0x12960000 end_va = 0x1299ffff entry_point = 0x12960000 region_type = mapped_file name = "ntuser.dat id-br3n0g72wub8cejt.lyas" filename = "\\Users\\Default\\NTUSER.DAT id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\default\\ntuser.dat id-br3n0g72wub8cejt.lyas") Region: id = 1586 start_va = 0x13d20000 end_va = 0x13d5ffff entry_point = 0x0 region_type = private name = "private_0x0000000013d20000" filename = "" Region: id = 1587 start_va = 0x13d60000 end_va = 0x13e5ffff entry_point = 0x0 region_type = private name = "private_0x0000000013d60000" filename = "" Region: id = 1588 start_va = 0x7fc58000 end_va = 0x7fc5afff entry_point = 0x0 region_type = private name = "private_0x000000007fc58000" filename = "" Region: id = 1589 start_va = 0x31d0000 end_va = 0x31e2fff entry_point = 0x31d0000 region_type = mapped_file name = "commands.exe" filename = "\\Program Files\\Reference Assemblies\\commands.exe" (normalized: "c:\\program files\\reference assemblies\\commands.exe") Region: id = 1590 start_va = 0x129a0000 end_va = 0x129dffff entry_point = 0x0 region_type = private name = "private_0x00000000129a0000" filename = "" Region: id = 1591 start_va = 0x13e60000 end_va = 0x13f5ffff entry_point = 0x0 region_type = private name = "private_0x0000000013e60000" filename = "" Region: id = 1592 start_va = 0x7fc55000 end_va = 0x7fc57fff entry_point = 0x0 region_type = private name = "private_0x000000007fc55000" filename = "" Region: id = 1593 start_va = 0x31d0000 end_va = 0x31e2fff entry_point = 0x31d0000 region_type = mapped_file name = "just_instant_bulgaria.exe" filename = "\\Program Files\\Uninstall Information\\just_instant_bulgaria.exe" (normalized: "c:\\program files\\uninstall information\\just_instant_bulgaria.exe") Region: id = 1594 start_va = 0x30c0000 end_va = 0x30c0fff entry_point = 0x30c0000 region_type = mapped_file name = "regid.1991-06.com.microsoft office 16 click-to-run extensibility component.swidtag id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run extensibility component.swidtag id-br3n0g72wub8cejt.lyas") Region: id = 1595 start_va = 0x129e0000 end_va = 0x12a1ffff entry_point = 0x0 region_type = private name = "private_0x00000000129e0000" filename = "" Region: id = 1596 start_va = 0x13f60000 end_va = 0x1405ffff entry_point = 0x0 region_type = private name = "private_0x0000000013f60000" filename = "" Region: id = 1597 start_va = 0x7fc52000 end_va = 0x7fc54fff entry_point = 0x0 region_type = private name = "private_0x000000007fc52000" filename = "" Region: id = 1598 start_va = 0x31d0000 end_va = 0x31d0fff entry_point = 0x31d0000 region_type = mapped_file name = "desktop.ini" filename = "\\Users\\Public\\desktop.ini" (normalized: "c:\\users\\public\\desktop.ini") Region: id = 1599 start_va = 0x12a20000 end_va = 0x12a5ffff entry_point = 0x0 region_type = private name = "private_0x0000000012a20000" filename = "" Region: id = 1600 start_va = 0x14060000 end_va = 0x1415ffff entry_point = 0x0 region_type = private name = "private_0x0000000014060000" filename = "" Region: id = 1601 start_va = 0x7fc4f000 end_va = 0x7fc51fff entry_point = 0x0 region_type = private name = "private_0x000000007fc4f000" filename = "" Region: id = 1602 start_va = 0x14160000 end_va = 0x1419ffff entry_point = 0x0 region_type = private name = "private_0x0000000014160000" filename = "" Region: id = 1603 start_va = 0x141a0000 end_va = 0x1429ffff entry_point = 0x0 region_type = private name = "private_0x00000000141a0000" filename = "" Region: id = 1604 start_va = 0x7fc4c000 end_va = 0x7fc4efff entry_point = 0x0 region_type = private name = "private_0x000000007fc4c000" filename = "" Region: id = 1605 start_va = 0x142a0000 end_va = 0x142dffff entry_point = 0x0 region_type = private name = "private_0x00000000142a0000" filename = "" Region: id = 1606 start_va = 0x142e0000 end_va = 0x143dffff entry_point = 0x0 region_type = private name = "private_0x00000000142e0000" filename = "" Region: id = 1607 start_va = 0x7fc49000 end_va = 0x7fc4bfff entry_point = 0x0 region_type = private name = "private_0x000000007fc49000" filename = "" Region: id = 1608 start_va = 0x143e0000 end_va = 0x1441ffff entry_point = 0x0 region_type = private name = "private_0x00000000143e0000" filename = "" Region: id = 1609 start_va = 0x14420000 end_va = 0x1451ffff entry_point = 0x0 region_type = private name = "private_0x0000000014420000" filename = "" Region: id = 1610 start_va = 0x7fc46000 end_va = 0x7fc48fff entry_point = 0x0 region_type = private name = "private_0x000000007fc46000" filename = "" Region: id = 1611 start_va = 0x14520000 end_va = 0x1455ffff entry_point = 0x0 region_type = private name = "private_0x0000000014520000" filename = "" Region: id = 1612 start_va = 0x14560000 end_va = 0x1465ffff entry_point = 0x0 region_type = private name = "private_0x0000000014560000" filename = "" Region: id = 1613 start_va = 0x7fc43000 end_va = 0x7fc45fff entry_point = 0x0 region_type = private name = "private_0x000000007fc43000" filename = "" Region: id = 1614 start_va = 0x14660000 end_va = 0x1469ffff entry_point = 0x0 region_type = private name = "private_0x0000000014660000" filename = "" Region: id = 1615 start_va = 0x146a0000 end_va = 0x1479ffff entry_point = 0x0 region_type = private name = "private_0x00000000146a0000" filename = "" Region: id = 1616 start_va = 0x7fc40000 end_va = 0x7fc42fff entry_point = 0x0 region_type = private name = "private_0x000000007fc40000" filename = "" Region: id = 1617 start_va = 0x147a0000 end_va = 0x147dffff entry_point = 0x0 region_type = private name = "private_0x00000000147a0000" filename = "" Region: id = 1618 start_va = 0x147e0000 end_va = 0x148dffff entry_point = 0x0 region_type = private name = "private_0x00000000147e0000" filename = "" Region: id = 1619 start_va = 0x7fc3d000 end_va = 0x7fc3ffff entry_point = 0x0 region_type = private name = "private_0x000000007fc3d000" filename = "" Region: id = 1620 start_va = 0x148e0000 end_va = 0x1491ffff entry_point = 0x0 region_type = private name = "private_0x00000000148e0000" filename = "" Region: id = 1621 start_va = 0x14920000 end_va = 0x14a1ffff entry_point = 0x0 region_type = private name = "private_0x0000000014920000" filename = "" Region: id = 1622 start_va = 0x7fc3a000 end_va = 0x7fc3cfff entry_point = 0x0 region_type = private name = "private_0x000000007fc3a000" filename = "" Region: id = 1623 start_va = 0x14a20000 end_va = 0x14a5ffff entry_point = 0x0 region_type = private name = "private_0x0000000014a20000" filename = "" Region: id = 1624 start_va = 0x14a60000 end_va = 0x14b5ffff entry_point = 0x0 region_type = private name = "private_0x0000000014a60000" filename = "" Region: id = 1625 start_va = 0x7fc37000 end_va = 0x7fc39fff entry_point = 0x0 region_type = private name = "private_0x000000007fc37000" filename = "" Region: id = 1626 start_va = 0x14b60000 end_va = 0x14b9ffff entry_point = 0x0 region_type = private name = "private_0x0000000014b60000" filename = "" Region: id = 1627 start_va = 0x14ba0000 end_va = 0x14c9ffff entry_point = 0x0 region_type = private name = "private_0x0000000014ba0000" filename = "" Region: id = 1628 start_va = 0x7fc34000 end_va = 0x7fc36fff entry_point = 0x0 region_type = private name = "private_0x000000007fc34000" filename = "" Region: id = 1629 start_va = 0x14ca0000 end_va = 0x14cdffff entry_point = 0x0 region_type = private name = "private_0x0000000014ca0000" filename = "" Region: id = 1630 start_va = 0x14ce0000 end_va = 0x14ddffff entry_point = 0x0 region_type = private name = "private_0x0000000014ce0000" filename = "" Region: id = 1631 start_va = 0x7fc31000 end_va = 0x7fc33fff entry_point = 0x0 region_type = private name = "private_0x000000007fc31000" filename = "" Region: id = 1632 start_va = 0x14de0000 end_va = 0x14e1ffff entry_point = 0x0 region_type = private name = "private_0x0000000014de0000" filename = "" Region: id = 1633 start_va = 0x14e20000 end_va = 0x14f1ffff entry_point = 0x0 region_type = private name = "private_0x0000000014e20000" filename = "" Region: id = 1634 start_va = 0x7fc2e000 end_va = 0x7fc30fff entry_point = 0x0 region_type = private name = "private_0x000000007fc2e000" filename = "" Region: id = 1635 start_va = 0x14f20000 end_va = 0x14f5ffff entry_point = 0x0 region_type = private name = "private_0x0000000014f20000" filename = "" Region: id = 1636 start_va = 0x14f60000 end_va = 0x1505ffff entry_point = 0x0 region_type = private name = "private_0x0000000014f60000" filename = "" Region: id = 1637 start_va = 0x7fc2b000 end_va = 0x7fc2dfff entry_point = 0x0 region_type = private name = "private_0x000000007fc2b000" filename = "" Region: id = 1638 start_va = 0x15060000 end_va = 0x1509ffff entry_point = 0x0 region_type = private name = "private_0x0000000015060000" filename = "" Region: id = 1639 start_va = 0x150a0000 end_va = 0x1519ffff entry_point = 0x0 region_type = private name = "private_0x00000000150a0000" filename = "" Region: id = 1640 start_va = 0x7fc28000 end_va = 0x7fc2afff entry_point = 0x0 region_type = private name = "private_0x000000007fc28000" filename = "" Region: id = 1653 start_va = 0x151a0000 end_va = 0x151dffff entry_point = 0x0 region_type = private name = "private_0x00000000151a0000" filename = "" Region: id = 1654 start_va = 0x151e0000 end_va = 0x152dffff entry_point = 0x0 region_type = private name = "private_0x00000000151e0000" filename = "" Region: id = 1655 start_va = 0x74370000 end_va = 0x74389fff entry_point = 0x74370000 region_type = mapped_file name = "davclnt.dll" filename = "\\Windows\\SysWOW64\\davclnt.dll" (normalized: "c:\\windows\\syswow64\\davclnt.dll") Region: id = 1656 start_va = 0x7fc25000 end_va = 0x7fc27fff entry_point = 0x0 region_type = private name = "private_0x000000007fc25000" filename = "" Region: id = 1657 start_va = 0x31d0000 end_va = 0x31d4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000031d0000" filename = "" Region: id = 1658 start_va = 0x152e0000 end_va = 0x1531ffff entry_point = 0x0 region_type = private name = "private_0x00000000152e0000" filename = "" Region: id = 1659 start_va = 0x15320000 end_va = 0x1541ffff entry_point = 0x0 region_type = private name = "private_0x0000000015320000" filename = "" Region: id = 1660 start_va = 0x7fc22000 end_va = 0x7fc24fff entry_point = 0x0 region_type = private name = "private_0x000000007fc22000" filename = "" Region: id = 1661 start_va = 0x15420000 end_va = 0x1545ffff entry_point = 0x0 region_type = private name = "private_0x0000000015420000" filename = "" Region: id = 1662 start_va = 0x15460000 end_va = 0x1555ffff entry_point = 0x0 region_type = private name = "private_0x0000000015460000" filename = "" Region: id = 1663 start_va = 0x7fc1f000 end_va = 0x7fc21fff entry_point = 0x0 region_type = private name = "private_0x000000007fc1f000" filename = "" Region: id = 1664 start_va = 0x15560000 end_va = 0x1559ffff entry_point = 0x0 region_type = private name = "private_0x0000000015560000" filename = "" Region: id = 1665 start_va = 0x155a0000 end_va = 0x1569ffff entry_point = 0x0 region_type = private name = "private_0x00000000155a0000" filename = "" Region: id = 1666 start_va = 0x7fc1c000 end_va = 0x7fc1efff entry_point = 0x0 region_type = private name = "private_0x000000007fc1c000" filename = "" Region: id = 1667 start_va = 0x156a0000 end_va = 0x156dffff entry_point = 0x0 region_type = private name = "private_0x00000000156a0000" filename = "" Region: id = 1668 start_va = 0x156e0000 end_va = 0x157dffff entry_point = 0x0 region_type = private name = "private_0x00000000156e0000" filename = "" Region: id = 1669 start_va = 0x7fc19000 end_va = 0x7fc1bfff entry_point = 0x0 region_type = private name = "private_0x000000007fc19000" filename = "" Region: id = 1670 start_va = 0x157e0000 end_va = 0x1581ffff entry_point = 0x0 region_type = private name = "private_0x00000000157e0000" filename = "" Region: id = 1671 start_va = 0x15820000 end_va = 0x1591ffff entry_point = 0x0 region_type = private name = "private_0x0000000015820000" filename = "" Region: id = 1672 start_va = 0x7fc16000 end_va = 0x7fc18fff entry_point = 0x0 region_type = private name = "private_0x000000007fc16000" filename = "" Region: id = 1673 start_va = 0x15920000 end_va = 0x1595ffff entry_point = 0x0 region_type = private name = "private_0x0000000015920000" filename = "" Region: id = 1674 start_va = 0x15960000 end_va = 0x15a5ffff entry_point = 0x0 region_type = private name = "private_0x0000000015960000" filename = "" Region: id = 1675 start_va = 0x7fc13000 end_va = 0x7fc15fff entry_point = 0x0 region_type = private name = "private_0x000000007fc13000" filename = "" Region: id = 1676 start_va = 0x15a60000 end_va = 0x15a9ffff entry_point = 0x0 region_type = private name = "private_0x0000000015a60000" filename = "" Region: id = 1677 start_va = 0x15aa0000 end_va = 0x15b9ffff entry_point = 0x0 region_type = private name = "private_0x0000000015aa0000" filename = "" Region: id = 1678 start_va = 0x15ba0000 end_va = 0x15bdffff entry_point = 0x0 region_type = private name = "private_0x0000000015ba0000" filename = "" Region: id = 1679 start_va = 0x15be0000 end_va = 0x15cdffff entry_point = 0x0 region_type = private name = "private_0x0000000015be0000" filename = "" Region: id = 1680 start_va = 0x7fc0d000 end_va = 0x7fc0ffff entry_point = 0x0 region_type = private name = "private_0x000000007fc0d000" filename = "" Region: id = 1681 start_va = 0x7fc10000 end_va = 0x7fc12fff entry_point = 0x0 region_type = private name = "private_0x000000007fc10000" filename = "" Region: id = 1682 start_va = 0x15ce0000 end_va = 0x15d1ffff entry_point = 0x0 region_type = private name = "private_0x0000000015ce0000" filename = "" Region: id = 1683 start_va = 0x15d20000 end_va = 0x15e1ffff entry_point = 0x0 region_type = private name = "private_0x0000000015d20000" filename = "" Region: id = 1684 start_va = 0x7fc0a000 end_va = 0x7fc0cfff entry_point = 0x0 region_type = private name = "private_0x000000007fc0a000" filename = "" Region: id = 1685 start_va = 0x15e20000 end_va = 0x15e5ffff entry_point = 0x0 region_type = private name = "private_0x0000000015e20000" filename = "" Region: id = 1686 start_va = 0x15e60000 end_va = 0x15f5ffff entry_point = 0x0 region_type = private name = "private_0x0000000015e60000" filename = "" Region: id = 1687 start_va = 0x7fc07000 end_va = 0x7fc09fff entry_point = 0x0 region_type = private name = "private_0x000000007fc07000" filename = "" Region: id = 1688 start_va = 0x15f60000 end_va = 0x15f9ffff entry_point = 0x0 region_type = private name = "private_0x0000000015f60000" filename = "" Region: id = 1689 start_va = 0x15fa0000 end_va = 0x1609ffff entry_point = 0x0 region_type = private name = "private_0x0000000015fa0000" filename = "" Region: id = 1690 start_va = 0x7fc04000 end_va = 0x7fc06fff entry_point = 0x0 region_type = private name = "private_0x000000007fc04000" filename = "" Region: id = 1691 start_va = 0x160a0000 end_va = 0x160dffff entry_point = 0x0 region_type = private name = "private_0x00000000160a0000" filename = "" Region: id = 1692 start_va = 0x160e0000 end_va = 0x161dffff entry_point = 0x0 region_type = private name = "private_0x00000000160e0000" filename = "" Region: id = 1693 start_va = 0x7fc01000 end_va = 0x7fc03fff entry_point = 0x0 region_type = private name = "private_0x000000007fc01000" filename = "" Region: id = 1694 start_va = 0x161e0000 end_va = 0x1621ffff entry_point = 0x0 region_type = private name = "private_0x00000000161e0000" filename = "" Region: id = 1695 start_va = 0x16220000 end_va = 0x1631ffff entry_point = 0x0 region_type = private name = "private_0x0000000016220000" filename = "" Region: id = 1696 start_va = 0x7fbfe000 end_va = 0x7fc00fff entry_point = 0x0 region_type = private name = "private_0x000000007fbfe000" filename = "" Region: id = 1697 start_va = 0x16320000 end_va = 0x1635ffff entry_point = 0x0 region_type = private name = "private_0x0000000016320000" filename = "" Region: id = 1698 start_va = 0x16360000 end_va = 0x1645ffff entry_point = 0x0 region_type = private name = "private_0x0000000016360000" filename = "" Region: id = 1699 start_va = 0x7fbfb000 end_va = 0x7fbfdfff entry_point = 0x0 region_type = private name = "private_0x000000007fbfb000" filename = "" Region: id = 1700 start_va = 0x16460000 end_va = 0x1649ffff entry_point = 0x0 region_type = private name = "private_0x0000000016460000" filename = "" Region: id = 1701 start_va = 0x164a0000 end_va = 0x1659ffff entry_point = 0x0 region_type = private name = "private_0x00000000164a0000" filename = "" Region: id = 1702 start_va = 0x7fbf8000 end_va = 0x7fbfafff entry_point = 0x0 region_type = private name = "private_0x000000007fbf8000" filename = "" Region: id = 1703 start_va = 0x165a0000 end_va = 0x165dffff entry_point = 0x0 region_type = private name = "private_0x00000000165a0000" filename = "" Region: id = 1704 start_va = 0x165e0000 end_va = 0x166dffff entry_point = 0x0 region_type = private name = "private_0x00000000165e0000" filename = "" Region: id = 1705 start_va = 0x7fbf5000 end_va = 0x7fbf7fff entry_point = 0x0 region_type = private name = "private_0x000000007fbf5000" filename = "" Region: id = 1706 start_va = 0x166e0000 end_va = 0x1671ffff entry_point = 0x0 region_type = private name = "private_0x00000000166e0000" filename = "" Region: id = 1707 start_va = 0x16720000 end_va = 0x1681ffff entry_point = 0x0 region_type = private name = "private_0x0000000016720000" filename = "" Region: id = 1708 start_va = 0x7fbf2000 end_va = 0x7fbf4fff entry_point = 0x0 region_type = private name = "private_0x000000007fbf2000" filename = "" Region: id = 1709 start_va = 0x16820000 end_va = 0x1685ffff entry_point = 0x0 region_type = private name = "private_0x0000000016820000" filename = "" Region: id = 1710 start_va = 0x16860000 end_va = 0x1695ffff entry_point = 0x0 region_type = private name = "private_0x0000000016860000" filename = "" Region: id = 1711 start_va = 0x7fbef000 end_va = 0x7fbf1fff entry_point = 0x0 region_type = private name = "private_0x000000007fbef000" filename = "" Region: id = 1712 start_va = 0x16960000 end_va = 0x1699ffff entry_point = 0x0 region_type = private name = "private_0x0000000016960000" filename = "" Region: id = 1713 start_va = 0x169a0000 end_va = 0x16a9ffff entry_point = 0x0 region_type = private name = "private_0x00000000169a0000" filename = "" Region: id = 1714 start_va = 0x7fbec000 end_va = 0x7fbeefff entry_point = 0x0 region_type = private name = "private_0x000000007fbec000" filename = "" Region: id = 1715 start_va = 0x16aa0000 end_va = 0x16adffff entry_point = 0x0 region_type = private name = "private_0x0000000016aa0000" filename = "" Region: id = 1716 start_va = 0x16ae0000 end_va = 0x16bdffff entry_point = 0x0 region_type = private name = "private_0x0000000016ae0000" filename = "" Region: id = 1717 start_va = 0x16be0000 end_va = 0x16c1ffff entry_point = 0x0 region_type = private name = "private_0x0000000016be0000" filename = "" Region: id = 1718 start_va = 0x16c20000 end_va = 0x16d1ffff entry_point = 0x0 region_type = private name = "private_0x0000000016c20000" filename = "" Region: id = 1719 start_va = 0x7fbe9000 end_va = 0x7fbebfff entry_point = 0x0 region_type = private name = "private_0x000000007fbe9000" filename = "" Region: id = 1720 start_va = 0x16d20000 end_va = 0x16d5ffff entry_point = 0x0 region_type = private name = "private_0x0000000016d20000" filename = "" Region: id = 1721 start_va = 0x16d60000 end_va = 0x16e5ffff entry_point = 0x0 region_type = private name = "private_0x0000000016d60000" filename = "" Region: id = 1722 start_va = 0x7fbe6000 end_va = 0x7fbe8fff entry_point = 0x0 region_type = private name = "private_0x000000007fbe6000" filename = "" Region: id = 1723 start_va = 0x16e60000 end_va = 0x16e9ffff entry_point = 0x0 region_type = private name = "private_0x0000000016e60000" filename = "" Region: id = 1724 start_va = 0x16ea0000 end_va = 0x16f9ffff entry_point = 0x0 region_type = private name = "private_0x0000000016ea0000" filename = "" Region: id = 1725 start_va = 0x7fbe3000 end_va = 0x7fbe5fff entry_point = 0x0 region_type = private name = "private_0x000000007fbe3000" filename = "" Region: id = 1726 start_va = 0x16fa0000 end_va = 0x16fdffff entry_point = 0x0 region_type = private name = "private_0x0000000016fa0000" filename = "" Region: id = 1727 start_va = 0x16fe0000 end_va = 0x170dffff entry_point = 0x0 region_type = private name = "private_0x0000000016fe0000" filename = "" Region: id = 1728 start_va = 0x7fbe0000 end_va = 0x7fbe2fff entry_point = 0x0 region_type = private name = "private_0x000000007fbe0000" filename = "" Region: id = 1729 start_va = 0x170e0000 end_va = 0x1711ffff entry_point = 0x0 region_type = private name = "private_0x00000000170e0000" filename = "" Region: id = 1730 start_va = 0x17120000 end_va = 0x1721ffff entry_point = 0x0 region_type = private name = "private_0x0000000017120000" filename = "" Region: id = 1731 start_va = 0x7fbdd000 end_va = 0x7fbdffff entry_point = 0x0 region_type = private name = "private_0x000000007fbdd000" filename = "" Region: id = 1732 start_va = 0x31d0000 end_va = 0x31e2fff entry_point = 0x31d0000 region_type = mapped_file name = "lowest forwarding sitemap.exe" filename = "\\Program Files\\Windows NT\\lowest forwarding sitemap.exe" (normalized: "c:\\program files\\windows nt\\lowest forwarding sitemap.exe") Region: id = 1733 start_va = 0x17220000 end_va = 0x1725ffff entry_point = 0x0 region_type = private name = "private_0x0000000017220000" filename = "" Region: id = 1734 start_va = 0x17260000 end_va = 0x1735ffff entry_point = 0x0 region_type = private name = "private_0x0000000017260000" filename = "" Region: id = 1735 start_va = 0x7fbda000 end_va = 0x7fbdcfff entry_point = 0x0 region_type = private name = "private_0x000000007fbda000" filename = "" Region: id = 1736 start_va = 0x30c0000 end_va = 0x30c0fff entry_point = 0x30c0000 region_type = mapped_file name = "regid.1991-06.com.microsoft office 16 click-to-run licensing component.swidtag id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run licensing component.swidtag id-br3n0g72wub8cejt.lyas") Region: id = 1737 start_va = 0x17360000 end_va = 0x1739ffff entry_point = 0x0 region_type = private name = "private_0x0000000017360000" filename = "" Region: id = 1738 start_va = 0x173a0000 end_va = 0x1749ffff entry_point = 0x0 region_type = private name = "private_0x00000000173a0000" filename = "" Region: id = 1739 start_va = 0x7fbd7000 end_va = 0x7fbd9fff entry_point = 0x0 region_type = private name = "private_0x000000007fbd7000" filename = "" Region: id = 1740 start_va = 0x31d0000 end_va = 0x31e2fff entry_point = 0x31d0000 region_type = mapped_file name = "orders oxide shift.exe" filename = "\\Program Files\\Windows Journal\\orders oxide shift.exe" (normalized: "c:\\program files\\windows journal\\orders oxide shift.exe") Region: id = 1741 start_va = 0x174a0000 end_va = 0x174dffff entry_point = 0x0 region_type = private name = "private_0x00000000174a0000" filename = "" Region: id = 1742 start_va = 0x174e0000 end_va = 0x175dffff entry_point = 0x0 region_type = private name = "private_0x00000000174e0000" filename = "" Region: id = 1743 start_va = 0x175e0000 end_va = 0x1761ffff entry_point = 0x0 region_type = private name = "private_0x00000000175e0000" filename = "" Region: id = 1744 start_va = 0x17620000 end_va = 0x1771ffff entry_point = 0x0 region_type = private name = "private_0x0000000017620000" filename = "" Region: id = 1745 start_va = 0x17720000 end_va = 0x1775ffff entry_point = 0x0 region_type = private name = "private_0x0000000017720000" filename = "" Region: id = 1746 start_va = 0x17760000 end_va = 0x1785ffff entry_point = 0x0 region_type = private name = "private_0x0000000017760000" filename = "" Region: id = 1747 start_va = 0x17860000 end_va = 0x1789ffff entry_point = 0x0 region_type = private name = "private_0x0000000017860000" filename = "" Region: id = 1748 start_va = 0x178a0000 end_va = 0x1799ffff entry_point = 0x0 region_type = private name = "private_0x00000000178a0000" filename = "" Region: id = 1749 start_va = 0x7fbc8000 end_va = 0x7fbcafff entry_point = 0x0 region_type = private name = "private_0x000000007fbc8000" filename = "" Region: id = 1750 start_va = 0x7fbcb000 end_va = 0x7fbcdfff entry_point = 0x0 region_type = private name = "private_0x000000007fbcb000" filename = "" Region: id = 1751 start_va = 0x7fbce000 end_va = 0x7fbd0fff entry_point = 0x0 region_type = private name = "private_0x000000007fbce000" filename = "" Region: id = 1752 start_va = 0x7fbd1000 end_va = 0x7fbd3fff entry_point = 0x0 region_type = private name = "private_0x000000007fbd1000" filename = "" Region: id = 1753 start_va = 0x7fbd4000 end_va = 0x7fbd6fff entry_point = 0x0 region_type = private name = "private_0x000000007fbd4000" filename = "" Region: id = 1754 start_va = 0x179a0000 end_va = 0x179dffff entry_point = 0x0 region_type = private name = "private_0x00000000179a0000" filename = "" Region: id = 1755 start_va = 0x179e0000 end_va = 0x17adffff entry_point = 0x0 region_type = private name = "private_0x00000000179e0000" filename = "" Region: id = 1756 start_va = 0x7fbc5000 end_va = 0x7fbc7fff entry_point = 0x0 region_type = private name = "private_0x000000007fbc5000" filename = "" Region: id = 1757 start_va = 0x17ae0000 end_va = 0x17b1ffff entry_point = 0x0 region_type = private name = "private_0x0000000017ae0000" filename = "" Region: id = 1758 start_va = 0x17b20000 end_va = 0x17c1ffff entry_point = 0x0 region_type = private name = "private_0x0000000017b20000" filename = "" Region: id = 1759 start_va = 0x7fbc2000 end_va = 0x7fbc4fff entry_point = 0x0 region_type = private name = "private_0x000000007fbc2000" filename = "" Region: id = 1760 start_va = 0x17c20000 end_va = 0x17c5ffff entry_point = 0x0 region_type = private name = "private_0x0000000017c20000" filename = "" Region: id = 1761 start_va = 0x17c60000 end_va = 0x17d5ffff entry_point = 0x0 region_type = private name = "private_0x0000000017c60000" filename = "" Region: id = 1762 start_va = 0x7fbbf000 end_va = 0x7fbc1fff entry_point = 0x0 region_type = private name = "private_0x000000007fbbf000" filename = "" Region: id = 1763 start_va = 0x17d60000 end_va = 0x17d9ffff entry_point = 0x0 region_type = private name = "private_0x0000000017d60000" filename = "" Region: id = 1764 start_va = 0x17da0000 end_va = 0x17e9ffff entry_point = 0x0 region_type = private name = "private_0x0000000017da0000" filename = "" Region: id = 1765 start_va = 0x7fbbc000 end_va = 0x7fbbefff entry_point = 0x0 region_type = private name = "private_0x000000007fbbc000" filename = "" Region: id = 1766 start_va = 0x17ea0000 end_va = 0x17edffff entry_point = 0x0 region_type = private name = "private_0x0000000017ea0000" filename = "" Region: id = 1767 start_va = 0x17ee0000 end_va = 0x17fdffff entry_point = 0x0 region_type = private name = "private_0x0000000017ee0000" filename = "" Region: id = 1768 start_va = 0x7fbb9000 end_va = 0x7fbbbfff entry_point = 0x0 region_type = private name = "private_0x000000007fbb9000" filename = "" Region: id = 1769 start_va = 0x31d0000 end_va = 0x31e2fff entry_point = 0x31d0000 region_type = mapped_file name = "collecting_vb_les.exe" filename = "\\Program Files\\Windows Photo Viewer\\collecting_vb_les.exe" (normalized: "c:\\program files\\windows photo viewer\\collecting_vb_les.exe") Region: id = 1770 start_va = 0x17fe0000 end_va = 0x1801ffff entry_point = 0x0 region_type = private name = "private_0x0000000017fe0000" filename = "" Region: id = 1771 start_va = 0x18020000 end_va = 0x1811ffff entry_point = 0x0 region_type = private name = "private_0x0000000018020000" filename = "" Region: id = 1772 start_va = 0x7fbb6000 end_va = 0x7fbb8fff entry_point = 0x0 region_type = private name = "private_0x000000007fbb6000" filename = "" Region: id = 1773 start_va = 0x18120000 end_va = 0x1815ffff entry_point = 0x0 region_type = private name = "private_0x0000000018120000" filename = "" Region: id = 1774 start_va = 0x18160000 end_va = 0x1825ffff entry_point = 0x0 region_type = private name = "private_0x0000000018160000" filename = "" Region: id = 1775 start_va = 0x7fbb3000 end_va = 0x7fbb5fff entry_point = 0x0 region_type = private name = "private_0x000000007fbb3000" filename = "" Region: id = 1776 start_va = 0x18260000 end_va = 0x1829ffff entry_point = 0x0 region_type = private name = "private_0x0000000018260000" filename = "" Region: id = 1777 start_va = 0x182a0000 end_va = 0x1839ffff entry_point = 0x0 region_type = private name = "private_0x00000000182a0000" filename = "" Region: id = 1778 start_va = 0x183a0000 end_va = 0x183dffff entry_point = 0x0 region_type = private name = "private_0x00000000183a0000" filename = "" Region: id = 1779 start_va = 0x183e0000 end_va = 0x184dffff entry_point = 0x0 region_type = private name = "private_0x00000000183e0000" filename = "" Region: id = 1780 start_va = 0x184e0000 end_va = 0x1851ffff entry_point = 0x0 region_type = private name = "private_0x00000000184e0000" filename = "" Region: id = 1781 start_va = 0x18520000 end_va = 0x1861ffff entry_point = 0x0 region_type = private name = "private_0x0000000018520000" filename = "" Region: id = 1782 start_va = 0x74610000 end_va = 0x7461afff entry_point = 0x74610000 region_type = mapped_file name = "davhlpr.dll" filename = "\\Windows\\SysWOW64\\davhlpr.dll" (normalized: "c:\\windows\\syswow64\\davhlpr.dll") Region: id = 1783 start_va = 0x7fbaa000 end_va = 0x7fbacfff entry_point = 0x0 region_type = private name = "private_0x000000007fbaa000" filename = "" Region: id = 1784 start_va = 0x7fbad000 end_va = 0x7fbaffff entry_point = 0x0 region_type = private name = "private_0x000000007fbad000" filename = "" Region: id = 1785 start_va = 0x7fbb0000 end_va = 0x7fbb2fff entry_point = 0x0 region_type = private name = "private_0x000000007fbb0000" filename = "" Region: id = 1786 start_va = 0x31d0000 end_va = 0x31e2fff entry_point = 0x31d0000 region_type = mapped_file name = "freeware.exe" filename = "\\Program Files\\Windows Multimedia Platform\\freeware.exe" (normalized: "c:\\program files\\windows multimedia platform\\freeware.exe") Region: id = 1787 start_va = 0x30c0000 end_va = 0x30c0fff entry_point = 0x30c0000 region_type = mapped_file name = "filesystemmetadata.xml id-br3n0g72wub8cejt.lyas" filename = "\\Program Files\\Microsoft Office\\FileSystemMetadata.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\microsoft office\\filesystemmetadata.xml id-br3n0g72wub8cejt.lyas") Region: id = 1788 start_va = 0x18620000 end_va = 0x1865ffff entry_point = 0x0 region_type = private name = "private_0x0000000018620000" filename = "" Region: id = 1789 start_va = 0x18660000 end_va = 0x1875ffff entry_point = 0x0 region_type = private name = "private_0x0000000018660000" filename = "" Region: id = 1790 start_va = 0x18760000 end_va = 0x1879ffff entry_point = 0x0 region_type = private name = "private_0x0000000018760000" filename = "" Region: id = 1791 start_va = 0x187a0000 end_va = 0x1889ffff entry_point = 0x0 region_type = private name = "private_0x00000000187a0000" filename = "" Region: id = 1792 start_va = 0x188a0000 end_va = 0x188dffff entry_point = 0x0 region_type = private name = "private_0x00000000188a0000" filename = "" Region: id = 1793 start_va = 0x188e0000 end_va = 0x189dffff entry_point = 0x0 region_type = private name = "private_0x00000000188e0000" filename = "" Region: id = 1794 start_va = 0x189e0000 end_va = 0x18a1ffff entry_point = 0x0 region_type = private name = "private_0x00000000189e0000" filename = "" Region: id = 1795 start_va = 0x18a20000 end_va = 0x18b1ffff entry_point = 0x0 region_type = private name = "private_0x0000000018a20000" filename = "" Region: id = 1796 start_va = 0x18b20000 end_va = 0x18b5ffff entry_point = 0x0 region_type = private name = "private_0x0000000018b20000" filename = "" Region: id = 1797 start_va = 0x18b60000 end_va = 0x18c5ffff entry_point = 0x0 region_type = private name = "private_0x0000000018b60000" filename = "" Region: id = 1798 start_va = 0x18c60000 end_va = 0x18c9ffff entry_point = 0x0 region_type = private name = "private_0x0000000018c60000" filename = "" Region: id = 1799 start_va = 0x18ca0000 end_va = 0x18d9ffff entry_point = 0x0 region_type = private name = "private_0x0000000018ca0000" filename = "" Region: id = 1800 start_va = 0x18da0000 end_va = 0x18ddffff entry_point = 0x0 region_type = private name = "private_0x0000000018da0000" filename = "" Region: id = 1801 start_va = 0x18de0000 end_va = 0x18edffff entry_point = 0x0 region_type = private name = "private_0x0000000018de0000" filename = "" Region: id = 1802 start_va = 0x18ee0000 end_va = 0x18f1ffff entry_point = 0x0 region_type = private name = "private_0x0000000018ee0000" filename = "" Region: id = 1803 start_va = 0x18f20000 end_va = 0x1901ffff entry_point = 0x0 region_type = private name = "private_0x0000000018f20000" filename = "" Region: id = 1804 start_va = 0x19020000 end_va = 0x1905ffff entry_point = 0x0 region_type = private name = "private_0x0000000019020000" filename = "" Region: id = 1805 start_va = 0x19060000 end_va = 0x1915ffff entry_point = 0x0 region_type = private name = "private_0x0000000019060000" filename = "" Region: id = 1806 start_va = 0x7fb8f000 end_va = 0x7fb91fff entry_point = 0x0 region_type = private name = "private_0x000000007fb8f000" filename = "" Region: id = 1807 start_va = 0x7fb92000 end_va = 0x7fb94fff entry_point = 0x0 region_type = private name = "private_0x000000007fb92000" filename = "" Region: id = 1808 start_va = 0x7fb95000 end_va = 0x7fb97fff entry_point = 0x0 region_type = private name = "private_0x000000007fb95000" filename = "" Region: id = 1809 start_va = 0x7fb98000 end_va = 0x7fb9afff entry_point = 0x0 region_type = private name = "private_0x000000007fb98000" filename = "" Region: id = 1810 start_va = 0x7fb9b000 end_va = 0x7fb9dfff entry_point = 0x0 region_type = private name = "private_0x000000007fb9b000" filename = "" Region: id = 1811 start_va = 0x7fb9e000 end_va = 0x7fba0fff entry_point = 0x0 region_type = private name = "private_0x000000007fb9e000" filename = "" Region: id = 1812 start_va = 0x7fba1000 end_va = 0x7fba3fff entry_point = 0x0 region_type = private name = "private_0x000000007fba1000" filename = "" Region: id = 1813 start_va = 0x7fba4000 end_va = 0x7fba6fff entry_point = 0x0 region_type = private name = "private_0x000000007fba4000" filename = "" Region: id = 1814 start_va = 0x7fba7000 end_va = 0x7fba9fff entry_point = 0x0 region_type = private name = "private_0x000000007fba7000" filename = "" Region: id = 1815 start_va = 0x19160000 end_va = 0x1919ffff entry_point = 0x0 region_type = private name = "private_0x0000000019160000" filename = "" Region: id = 1816 start_va = 0x191a0000 end_va = 0x1929ffff entry_point = 0x0 region_type = private name = "private_0x00000000191a0000" filename = "" Region: id = 1817 start_va = 0x7fb8c000 end_va = 0x7fb8efff entry_point = 0x0 region_type = private name = "private_0x000000007fb8c000" filename = "" Region: id = 1818 start_va = 0x192a0000 end_va = 0x192dffff entry_point = 0x0 region_type = private name = "private_0x00000000192a0000" filename = "" Region: id = 1819 start_va = 0x192e0000 end_va = 0x193dffff entry_point = 0x0 region_type = private name = "private_0x00000000192e0000" filename = "" Region: id = 1820 start_va = 0x7fb89000 end_va = 0x7fb8bfff entry_point = 0x0 region_type = private name = "private_0x000000007fb89000" filename = "" Region: id = 1821 start_va = 0x30c0000 end_va = 0x30c5fff entry_point = 0x30c0000 region_type = mapped_file name = "msaddndr.olb id-br3n0g72wub8cejt.lyas" filename = "\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb id-br3n0g72wub8cejt.lyas") Region: id = 1822 start_va = 0x193e0000 end_va = 0x1941ffff entry_point = 0x0 region_type = private name = "private_0x00000000193e0000" filename = "" Region: id = 1823 start_va = 0x19420000 end_va = 0x1951ffff entry_point = 0x0 region_type = private name = "private_0x0000000019420000" filename = "" Region: id = 1824 start_va = 0x7fb86000 end_va = 0x7fb88fff entry_point = 0x0 region_type = private name = "private_0x000000007fb86000" filename = "" Region: id = 1825 start_va = 0x6b50000 end_va = 0x6b8ffff entry_point = 0x0 region_type = private name = "private_0x0000000006b50000" filename = "" Region: id = 1826 start_va = 0x6b90000 end_va = 0x6c8ffff entry_point = 0x0 region_type = private name = "private_0x0000000006b90000" filename = "" Region: id = 1827 start_va = 0x7fe11000 end_va = 0x7fe13fff entry_point = 0x0 region_type = private name = "private_0x000000007fe11000" filename = "" Region: id = 1828 start_va = 0x19520000 end_va = 0x1955ffff entry_point = 0x0 region_type = private name = "private_0x0000000019520000" filename = "" Region: id = 1829 start_va = 0x19560000 end_va = 0x1965ffff entry_point = 0x0 region_type = private name = "private_0x0000000019560000" filename = "" Region: id = 1830 start_va = 0x7fb83000 end_va = 0x7fb85fff entry_point = 0x0 region_type = private name = "private_0x000000007fb83000" filename = "" Region: id = 1831 start_va = 0x31d0000 end_va = 0x31d4fff entry_point = 0x31d0000 region_type = mapped_file name = "readme.htm id-br3n0g72wub8cejt.lyas" filename = "\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\ReadMe.htm id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\adobe\\acrobat reader dc\\readme.htm id-br3n0g72wub8cejt.lyas") Region: id = 1832 start_va = 0x19660000 end_va = 0x1969ffff entry_point = 0x0 region_type = private name = "private_0x0000000019660000" filename = "" Region: id = 1833 start_va = 0x196a0000 end_va = 0x1979ffff entry_point = 0x0 region_type = private name = "private_0x00000000196a0000" filename = "" Region: id = 1834 start_va = 0x7fb80000 end_va = 0x7fb82fff entry_point = 0x0 region_type = private name = "private_0x000000007fb80000" filename = "" Region: id = 1835 start_va = 0x197a0000 end_va = 0x197dffff entry_point = 0x0 region_type = private name = "private_0x00000000197a0000" filename = "" Region: id = 1836 start_va = 0x197e0000 end_va = 0x198dffff entry_point = 0x0 region_type = private name = "private_0x00000000197e0000" filename = "" Region: id = 1837 start_va = 0x7fb7d000 end_va = 0x7fb7ffff entry_point = 0x0 region_type = private name = "private_0x000000007fb7d000" filename = "" Region: id = 1838 start_va = 0x198e0000 end_va = 0x1991ffff entry_point = 0x0 region_type = private name = "private_0x00000000198e0000" filename = "" Region: id = 1839 start_va = 0x19920000 end_va = 0x19a1ffff entry_point = 0x0 region_type = private name = "private_0x0000000019920000" filename = "" Region: id = 1840 start_va = 0x7fb7a000 end_va = 0x7fb7cfff entry_point = 0x0 region_type = private name = "private_0x000000007fb7a000" filename = "" Region: id = 1841 start_va = 0x19a20000 end_va = 0x19a5ffff entry_point = 0x0 region_type = private name = "private_0x0000000019a20000" filename = "" Region: id = 1842 start_va = 0x19a60000 end_va = 0x19b5ffff entry_point = 0x0 region_type = private name = "private_0x0000000019a60000" filename = "" Region: id = 1843 start_va = 0x7fb77000 end_va = 0x7fb79fff entry_point = 0x0 region_type = private name = "private_0x000000007fb77000" filename = "" Region: id = 1844 start_va = 0x19b60000 end_va = 0x19b9ffff entry_point = 0x0 region_type = private name = "private_0x0000000019b60000" filename = "" Region: id = 1845 start_va = 0x19ba0000 end_va = 0x19c9ffff entry_point = 0x0 region_type = private name = "private_0x0000000019ba0000" filename = "" Region: id = 1846 start_va = 0x7fb74000 end_va = 0x7fb76fff entry_point = 0x0 region_type = private name = "private_0x000000007fb74000" filename = "" Region: id = 1847 start_va = 0x19ca0000 end_va = 0x19cdffff entry_point = 0x0 region_type = private name = "private_0x0000000019ca0000" filename = "" Region: id = 1848 start_va = 0x19ce0000 end_va = 0x19ddffff entry_point = 0x0 region_type = private name = "private_0x0000000019ce0000" filename = "" Region: id = 1849 start_va = 0x7fb71000 end_va = 0x7fb73fff entry_point = 0x0 region_type = private name = "private_0x000000007fb71000" filename = "" Region: id = 1850 start_va = 0x19de0000 end_va = 0x19e1ffff entry_point = 0x0 region_type = private name = "private_0x0000000019de0000" filename = "" Region: id = 1851 start_va = 0x19e20000 end_va = 0x19f1ffff entry_point = 0x0 region_type = private name = "private_0x0000000019e20000" filename = "" Region: id = 1852 start_va = 0x7fb6e000 end_va = 0x7fb70fff entry_point = 0x0 region_type = private name = "private_0x000000007fb6e000" filename = "" Region: id = 1853 start_va = 0x19f20000 end_va = 0x19f5ffff entry_point = 0x0 region_type = private name = "private_0x0000000019f20000" filename = "" Region: id = 1854 start_va = 0x19f60000 end_va = 0x1a05ffff entry_point = 0x0 region_type = private name = "private_0x0000000019f60000" filename = "" Region: id = 1855 start_va = 0x7fb6b000 end_va = 0x7fb6dfff entry_point = 0x0 region_type = private name = "private_0x000000007fb6b000" filename = "" Region: id = 1856 start_va = 0x1a060000 end_va = 0x1a09ffff entry_point = 0x0 region_type = private name = "private_0x000000001a060000" filename = "" Region: id = 1857 start_va = 0x1a0a0000 end_va = 0x1a19ffff entry_point = 0x0 region_type = private name = "private_0x000000001a0a0000" filename = "" Region: id = 1858 start_va = 0x7fb68000 end_va = 0x7fb6afff entry_point = 0x0 region_type = private name = "private_0x000000007fb68000" filename = "" Region: id = 1859 start_va = 0x1a1a0000 end_va = 0x1a1dffff entry_point = 0x0 region_type = private name = "private_0x000000001a1a0000" filename = "" Region: id = 1860 start_va = 0x1a1e0000 end_va = 0x1a2dffff entry_point = 0x0 region_type = private name = "private_0x000000001a1e0000" filename = "" Region: id = 1861 start_va = 0x7fb65000 end_va = 0x7fb67fff entry_point = 0x0 region_type = private name = "private_0x000000007fb65000" filename = "" Region: id = 1862 start_va = 0x1a2e0000 end_va = 0x1a31ffff entry_point = 0x0 region_type = private name = "private_0x000000001a2e0000" filename = "" Region: id = 1863 start_va = 0x1a320000 end_va = 0x1a41ffff entry_point = 0x0 region_type = private name = "private_0x000000001a320000" filename = "" Region: id = 1864 start_va = 0x7fb62000 end_va = 0x7fb64fff entry_point = 0x0 region_type = private name = "private_0x000000007fb62000" filename = "" Region: id = 1865 start_va = 0x1a420000 end_va = 0x1a45ffff entry_point = 0x0 region_type = private name = "private_0x000000001a420000" filename = "" Region: id = 1866 start_va = 0x1a460000 end_va = 0x1a55ffff entry_point = 0x0 region_type = private name = "private_0x000000001a460000" filename = "" Region: id = 1867 start_va = 0x7fb5f000 end_va = 0x7fb61fff entry_point = 0x0 region_type = private name = "private_0x000000007fb5f000" filename = "" Region: id = 1868 start_va = 0x1a560000 end_va = 0x1a59ffff entry_point = 0x0 region_type = private name = "private_0x000000001a560000" filename = "" Region: id = 1869 start_va = 0x1a5a0000 end_va = 0x1a69ffff entry_point = 0x0 region_type = private name = "private_0x000000001a5a0000" filename = "" Region: id = 1870 start_va = 0x7fb5c000 end_va = 0x7fb5efff entry_point = 0x0 region_type = private name = "private_0x000000007fb5c000" filename = "" Region: id = 1871 start_va = 0x1a6a0000 end_va = 0x1a6dffff entry_point = 0x0 region_type = private name = "private_0x000000001a6a0000" filename = "" Region: id = 1872 start_va = 0x1a6e0000 end_va = 0x1a7dffff entry_point = 0x0 region_type = private name = "private_0x000000001a6e0000" filename = "" Region: id = 1873 start_va = 0x7fb59000 end_va = 0x7fb5bfff entry_point = 0x0 region_type = private name = "private_0x000000007fb59000" filename = "" Region: id = 1874 start_va = 0x1a7e0000 end_va = 0x1a81ffff entry_point = 0x0 region_type = private name = "private_0x000000001a7e0000" filename = "" Region: id = 1875 start_va = 0x1a820000 end_va = 0x1a91ffff entry_point = 0x0 region_type = private name = "private_0x000000001a820000" filename = "" Region: id = 1876 start_va = 0x7fb56000 end_va = 0x7fb58fff entry_point = 0x0 region_type = private name = "private_0x000000007fb56000" filename = "" Region: id = 1877 start_va = 0x1a920000 end_va = 0x1a95ffff entry_point = 0x0 region_type = private name = "private_0x000000001a920000" filename = "" Region: id = 1878 start_va = 0x1a960000 end_va = 0x1aa5ffff entry_point = 0x0 region_type = private name = "private_0x000000001a960000" filename = "" Region: id = 1879 start_va = 0x7fb53000 end_va = 0x7fb55fff entry_point = 0x0 region_type = private name = "private_0x000000007fb53000" filename = "" Region: id = 1880 start_va = 0x1aa60000 end_va = 0x1aa9ffff entry_point = 0x0 region_type = private name = "private_0x000000001aa60000" filename = "" Region: id = 1881 start_va = 0x1aaa0000 end_va = 0x1ab9ffff entry_point = 0x0 region_type = private name = "private_0x000000001aaa0000" filename = "" Region: id = 1882 start_va = 0x7fb50000 end_va = 0x7fb52fff entry_point = 0x0 region_type = private name = "private_0x000000007fb50000" filename = "" Region: id = 1883 start_va = 0x1aba0000 end_va = 0x1abdffff entry_point = 0x0 region_type = private name = "private_0x000000001aba0000" filename = "" Region: id = 1884 start_va = 0x1abe0000 end_va = 0x1acdffff entry_point = 0x0 region_type = private name = "private_0x000000001abe0000" filename = "" Region: id = 1885 start_va = 0x7fb4d000 end_va = 0x7fb4ffff entry_point = 0x0 region_type = private name = "private_0x000000007fb4d000" filename = "" Region: id = 1886 start_va = 0x1ace0000 end_va = 0x1ad1ffff entry_point = 0x0 region_type = private name = "private_0x000000001ace0000" filename = "" Region: id = 1887 start_va = 0x1ad20000 end_va = 0x1ae1ffff entry_point = 0x0 region_type = private name = "private_0x000000001ad20000" filename = "" Region: id = 1888 start_va = 0x7fb4a000 end_va = 0x7fb4cfff entry_point = 0x0 region_type = private name = "private_0x000000007fb4a000" filename = "" Region: id = 1889 start_va = 0x1ae20000 end_va = 0x1ae5ffff entry_point = 0x0 region_type = private name = "private_0x000000001ae20000" filename = "" Region: id = 1890 start_va = 0x1ae60000 end_va = 0x1af5ffff entry_point = 0x0 region_type = private name = "private_0x000000001ae60000" filename = "" Region: id = 1891 start_va = 0x7fb47000 end_va = 0x7fb49fff entry_point = 0x0 region_type = private name = "private_0x000000007fb47000" filename = "" Region: id = 1892 start_va = 0x31e0000 end_va = 0x31e0fff entry_point = 0x31e0000 region_type = mapped_file name = "deploymentconfig.0.xml id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.0.xml id-br3n0g72wub8cejt.lyas") Region: id = 1893 start_va = 0x1af60000 end_va = 0x1af9ffff entry_point = 0x0 region_type = private name = "private_0x000000001af60000" filename = "" Region: id = 1894 start_va = 0x1afa0000 end_va = 0x1b09ffff entry_point = 0x0 region_type = private name = "private_0x000000001afa0000" filename = "" Region: id = 1895 start_va = 0x7fb44000 end_va = 0x7fb46fff entry_point = 0x0 region_type = private name = "private_0x000000007fb44000" filename = "" Region: id = 1896 start_va = 0x31f0000 end_va = 0x31f3fff entry_point = 0x31f0000 region_type = mapped_file name = "active.grl" filename = "\\ProgramData\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl") Region: id = 1897 start_va = 0x3ac0000 end_va = 0x3afffff entry_point = 0x0 region_type = private name = "private_0x0000000003ac0000" filename = "" Region: id = 1898 start_va = 0x3b00000 end_va = 0x3bfffff entry_point = 0x0 region_type = private name = "private_0x0000000003b00000" filename = "" Region: id = 1899 start_va = 0x7fe77000 end_va = 0x7fe79fff entry_point = 0x0 region_type = private name = "private_0x000000007fe77000" filename = "" Region: id = 1900 start_va = 0x3c00000 end_va = 0x3c3ffff entry_point = 0x0 region_type = private name = "private_0x0000000003c00000" filename = "" Region: id = 1901 start_va = 0x3c40000 end_va = 0x3d3ffff entry_point = 0x0 region_type = private name = "private_0x0000000003c40000" filename = "" Region: id = 1902 start_va = 0x7fe74000 end_va = 0x7fe76fff entry_point = 0x0 region_type = private name = "private_0x000000007fe74000" filename = "" Region: id = 1903 start_va = 0x68d0000 end_va = 0x690ffff entry_point = 0x0 region_type = private name = "private_0x00000000068d0000" filename = "" Region: id = 1904 start_va = 0x6910000 end_va = 0x6a0ffff entry_point = 0x0 region_type = private name = "private_0x0000000006910000" filename = "" Region: id = 1905 start_va = 0x7fe17000 end_va = 0x7fe19fff entry_point = 0x0 region_type = private name = "private_0x000000007fe17000" filename = "" Region: id = 1906 start_va = 0x7690000 end_va = 0x76cffff entry_point = 0x0 region_type = private name = "private_0x0000000007690000" filename = "" Region: id = 1907 start_va = 0x76d0000 end_va = 0x77cffff entry_point = 0x0 region_type = private name = "private_0x00000000076d0000" filename = "" Region: id = 1908 start_va = 0x7910000 end_va = 0x794ffff entry_point = 0x0 region_type = private name = "private_0x0000000007910000" filename = "" Region: id = 1909 start_va = 0x7950000 end_va = 0x7a4ffff entry_point = 0x0 region_type = private name = "private_0x0000000007950000" filename = "" Region: id = 1910 start_va = 0x7fdf0000 end_va = 0x7fdf2fff entry_point = 0x0 region_type = private name = "private_0x000000007fdf0000" filename = "" Region: id = 1911 start_va = 0x7fdf6000 end_va = 0x7fdf8fff entry_point = 0x0 region_type = private name = "private_0x000000007fdf6000" filename = "" Region: id = 1912 start_va = 0x1b0a0000 end_va = 0x1b0dffff entry_point = 0x0 region_type = private name = "private_0x000000001b0a0000" filename = "" Region: id = 1913 start_va = 0x1b0e0000 end_va = 0x1b1dffff entry_point = 0x0 region_type = private name = "private_0x000000001b0e0000" filename = "" Region: id = 1914 start_va = 0x7fb41000 end_va = 0x7fb43fff entry_point = 0x0 region_type = private name = "private_0x000000007fb41000" filename = "" Region: id = 1915 start_va = 0x1b1e0000 end_va = 0x1b21ffff entry_point = 0x0 region_type = private name = "private_0x000000001b1e0000" filename = "" Region: id = 1916 start_va = 0x1b220000 end_va = 0x1b31ffff entry_point = 0x0 region_type = private name = "private_0x000000001b220000" filename = "" Region: id = 1917 start_va = 0x7fb3e000 end_va = 0x7fb40fff entry_point = 0x0 region_type = private name = "private_0x000000007fb3e000" filename = "" Region: id = 1918 start_va = 0x1b320000 end_va = 0x1b35ffff entry_point = 0x0 region_type = private name = "private_0x000000001b320000" filename = "" Region: id = 1919 start_va = 0x1b360000 end_va = 0x1b45ffff entry_point = 0x0 region_type = private name = "private_0x000000001b360000" filename = "" Region: id = 1920 start_va = 0x7fb3b000 end_va = 0x7fb3dfff entry_point = 0x0 region_type = private name = "private_0x000000007fb3b000" filename = "" Region: id = 1921 start_va = 0x1b460000 end_va = 0x1b49ffff entry_point = 0x0 region_type = private name = "private_0x000000001b460000" filename = "" Region: id = 1922 start_va = 0x1b4a0000 end_va = 0x1b59ffff entry_point = 0x0 region_type = private name = "private_0x000000001b4a0000" filename = "" Region: id = 1923 start_va = 0x7fb38000 end_va = 0x7fb3afff entry_point = 0x0 region_type = private name = "private_0x000000007fb38000" filename = "" Region: id = 1924 start_va = 0x1b5a0000 end_va = 0x1b5dffff entry_point = 0x0 region_type = private name = "private_0x000000001b5a0000" filename = "" Region: id = 1925 start_va = 0x1b5e0000 end_va = 0x1b6dffff entry_point = 0x0 region_type = private name = "private_0x000000001b5e0000" filename = "" Region: id = 1926 start_va = 0x7fb35000 end_va = 0x7fb37fff entry_point = 0x0 region_type = private name = "private_0x000000007fb35000" filename = "" Region: id = 1927 start_va = 0x1b6e0000 end_va = 0x1b71ffff entry_point = 0x0 region_type = private name = "private_0x000000001b6e0000" filename = "" Region: id = 1928 start_va = 0x1b720000 end_va = 0x1b81ffff entry_point = 0x0 region_type = private name = "private_0x000000001b720000" filename = "" Region: id = 1929 start_va = 0x7fb32000 end_va = 0x7fb34fff entry_point = 0x0 region_type = private name = "private_0x000000007fb32000" filename = "" Region: id = 1930 start_va = 0x1b820000 end_va = 0x1b85ffff entry_point = 0x0 region_type = private name = "private_0x000000001b820000" filename = "" Region: id = 1931 start_va = 0x1b860000 end_va = 0x1b95ffff entry_point = 0x0 region_type = private name = "private_0x000000001b860000" filename = "" Region: id = 1932 start_va = 0x7fb2f000 end_va = 0x7fb31fff entry_point = 0x0 region_type = private name = "private_0x000000007fb2f000" filename = "" Region: id = 1933 start_va = 0x1b960000 end_va = 0x1b99ffff entry_point = 0x0 region_type = private name = "private_0x000000001b960000" filename = "" Region: id = 1934 start_va = 0x1b9a0000 end_va = 0x1ba9ffff entry_point = 0x0 region_type = private name = "private_0x000000001b9a0000" filename = "" Region: id = 1935 start_va = 0x7fb2c000 end_va = 0x7fb2efff entry_point = 0x0 region_type = private name = "private_0x000000007fb2c000" filename = "" Region: id = 1936 start_va = 0x1baa0000 end_va = 0x1badffff entry_point = 0x0 region_type = private name = "private_0x000000001baa0000" filename = "" Region: id = 1937 start_va = 0x1bae0000 end_va = 0x1bbdffff entry_point = 0x0 region_type = private name = "private_0x000000001bae0000" filename = "" Region: id = 1938 start_va = 0x7fb29000 end_va = 0x7fb2bfff entry_point = 0x0 region_type = private name = "private_0x000000007fb29000" filename = "" Region: id = 1939 start_va = 0x1bbe0000 end_va = 0x1bc1ffff entry_point = 0x0 region_type = private name = "private_0x000000001bbe0000" filename = "" Region: id = 1940 start_va = 0x1bc20000 end_va = 0x1bd1ffff entry_point = 0x0 region_type = private name = "private_0x000000001bc20000" filename = "" Region: id = 1941 start_va = 0x7fb26000 end_va = 0x7fb28fff entry_point = 0x0 region_type = private name = "private_0x000000007fb26000" filename = "" Region: id = 1942 start_va = 0x1bd20000 end_va = 0x1bd5ffff entry_point = 0x0 region_type = private name = "private_0x000000001bd20000" filename = "" Region: id = 1943 start_va = 0x1bd60000 end_va = 0x1be5ffff entry_point = 0x0 region_type = private name = "private_0x000000001bd60000" filename = "" Region: id = 1944 start_va = 0x7fb23000 end_va = 0x7fb25fff entry_point = 0x0 region_type = private name = "private_0x000000007fb23000" filename = "" Region: id = 1945 start_va = 0x4e40000 end_va = 0x4e4ffff entry_point = 0x0 region_type = private name = "private_0x0000000004e40000" filename = "" Region: id = 1946 start_va = 0x6650000 end_va = 0x674ffff entry_point = 0x0 region_type = private name = "private_0x0000000006650000" filename = "" Region: id = 1947 start_va = 0x6750000 end_va = 0x6765fff entry_point = 0x0 region_type = private name = "private_0x0000000006750000" filename = "" Region: id = 1948 start_va = 0x4e40000 end_va = 0x4e44fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004e40000" filename = "" Region: id = 1949 start_va = 0x4e40000 end_va = 0x4e44fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004e40000" filename = "" Region: id = 1950 start_va = 0x4e40000 end_va = 0x4e44fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004e40000" filename = "" Region: id = 1951 start_va = 0x4e40000 end_va = 0x4e44fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004e40000" filename = "" Region: id = 1952 start_va = 0x4e40000 end_va = 0x4e44fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004e40000" filename = "" Region: id = 1953 start_va = 0x6750000 end_va = 0x678ffff entry_point = 0x0 region_type = private name = "private_0x0000000006750000" filename = "" Region: id = 1954 start_va = 0x12960000 end_va = 0x1299ffff entry_point = 0x0 region_type = private name = "private_0x0000000012960000" filename = "" Region: id = 1955 start_va = 0x1be60000 end_va = 0x1bf5ffff entry_point = 0x0 region_type = private name = "private_0x000000001be60000" filename = "" Region: id = 1956 start_va = 0x1bf60000 end_va = 0x1c05ffff entry_point = 0x0 region_type = private name = "private_0x000000001bf60000" filename = "" Region: id = 1957 start_va = 0x1c060000 end_va = 0x1c09ffff entry_point = 0x0 region_type = private name = "private_0x000000001c060000" filename = "" Region: id = 1958 start_va = 0x1c0a0000 end_va = 0x1c19ffff entry_point = 0x0 region_type = private name = "private_0x000000001c0a0000" filename = "" Region: id = 1959 start_va = 0x1c1a0000 end_va = 0x1c1dffff entry_point = 0x0 region_type = private name = "private_0x000000001c1a0000" filename = "" Region: id = 1960 start_va = 0x1c1e0000 end_va = 0x1c2dffff entry_point = 0x0 region_type = private name = "private_0x000000001c1e0000" filename = "" Region: id = 1961 start_va = 0x1c2e0000 end_va = 0x1c31ffff entry_point = 0x0 region_type = private name = "private_0x000000001c2e0000" filename = "" Region: id = 1962 start_va = 0x1c320000 end_va = 0x1c41ffff entry_point = 0x0 region_type = private name = "private_0x000000001c320000" filename = "" Region: id = 1963 start_va = 0x1c420000 end_va = 0x1c45ffff entry_point = 0x0 region_type = private name = "private_0x000000001c420000" filename = "" Region: id = 1964 start_va = 0x1c460000 end_va = 0x1c55ffff entry_point = 0x0 region_type = private name = "private_0x000000001c460000" filename = "" Region: id = 1965 start_va = 0x1c560000 end_va = 0x1c59ffff entry_point = 0x0 region_type = private name = "private_0x000000001c560000" filename = "" Region: id = 1966 start_va = 0x1c5a0000 end_va = 0x1c69ffff entry_point = 0x0 region_type = private name = "private_0x000000001c5a0000" filename = "" Region: id = 1967 start_va = 0x7fb11000 end_va = 0x7fb13fff entry_point = 0x0 region_type = private name = "private_0x000000007fb11000" filename = "" Region: id = 1968 start_va = 0x7fb14000 end_va = 0x7fb16fff entry_point = 0x0 region_type = private name = "private_0x000000007fb14000" filename = "" Region: id = 1969 start_va = 0x7fb17000 end_va = 0x7fb19fff entry_point = 0x0 region_type = private name = "private_0x000000007fb17000" filename = "" Region: id = 1970 start_va = 0x7fb1a000 end_va = 0x7fb1cfff entry_point = 0x0 region_type = private name = "private_0x000000007fb1a000" filename = "" Region: id = 1971 start_va = 0x7fb1d000 end_va = 0x7fb1ffff entry_point = 0x0 region_type = private name = "private_0x000000007fb1d000" filename = "" Region: id = 1972 start_va = 0x7fb20000 end_va = 0x7fb22fff entry_point = 0x0 region_type = private name = "private_0x000000007fb20000" filename = "" Region: id = 1973 start_va = 0x7fe1d000 end_va = 0x7fe1ffff entry_point = 0x0 region_type = private name = "private_0x000000007fe1d000" filename = "" Region: id = 1974 start_va = 0x1c6a0000 end_va = 0x1c6dffff entry_point = 0x0 region_type = private name = "private_0x000000001c6a0000" filename = "" Region: id = 1975 start_va = 0x1c6e0000 end_va = 0x1c7dffff entry_point = 0x0 region_type = private name = "private_0x000000001c6e0000" filename = "" Region: id = 1976 start_va = 0x7fb0e000 end_va = 0x7fb10fff entry_point = 0x0 region_type = private name = "private_0x000000007fb0e000" filename = "" Region: id = 1977 start_va = 0x1c7e0000 end_va = 0x1c81ffff entry_point = 0x0 region_type = private name = "private_0x000000001c7e0000" filename = "" Region: id = 1978 start_va = 0x1c820000 end_va = 0x1c91ffff entry_point = 0x0 region_type = private name = "private_0x000000001c820000" filename = "" Region: id = 1979 start_va = 0x7fb0b000 end_va = 0x7fb0dfff entry_point = 0x0 region_type = private name = "private_0x000000007fb0b000" filename = "" Region: id = 1980 start_va = 0x1c920000 end_va = 0x1c95ffff entry_point = 0x0 region_type = private name = "private_0x000000001c920000" filename = "" Region: id = 1981 start_va = 0x1c960000 end_va = 0x1ca5ffff entry_point = 0x0 region_type = private name = "private_0x000000001c960000" filename = "" Region: id = 1982 start_va = 0x1ca60000 end_va = 0x1ca9ffff entry_point = 0x0 region_type = private name = "private_0x000000001ca60000" filename = "" Region: id = 1983 start_va = 0x1caa0000 end_va = 0x1cb9ffff entry_point = 0x0 region_type = private name = "private_0x000000001caa0000" filename = "" Region: id = 1984 start_va = 0x1cba0000 end_va = 0x1cbdffff entry_point = 0x0 region_type = private name = "private_0x000000001cba0000" filename = "" Region: id = 1985 start_va = 0x1cbe0000 end_va = 0x1ccdffff entry_point = 0x0 region_type = private name = "private_0x000000001cbe0000" filename = "" Region: id = 1986 start_va = 0x7fb02000 end_va = 0x7fb04fff entry_point = 0x0 region_type = private name = "private_0x000000007fb02000" filename = "" Region: id = 1987 start_va = 0x7fb05000 end_va = 0x7fb07fff entry_point = 0x0 region_type = private name = "private_0x000000007fb05000" filename = "" Region: id = 1988 start_va = 0x7fb08000 end_va = 0x7fb0afff entry_point = 0x0 region_type = private name = "private_0x000000007fb08000" filename = "" Region: id = 1989 start_va = 0x30c0000 end_va = 0x30c3fff entry_point = 0x30c0000 region_type = mapped_file name = "pending.grl id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\Microsoft\\MF\\Pending.GRL id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl id-br3n0g72wub8cejt.lyas") Region: id = 1990 start_va = 0x1cce0000 end_va = 0x1cd1ffff entry_point = 0x0 region_type = private name = "private_0x000000001cce0000" filename = "" Region: id = 1991 start_va = 0x1cd20000 end_va = 0x1ce1ffff entry_point = 0x0 region_type = private name = "private_0x000000001cd20000" filename = "" Region: id = 1992 start_va = 0x7faff000 end_va = 0x7fb01fff entry_point = 0x0 region_type = private name = "private_0x000000007faff000" filename = "" Region: id = 1993 start_va = 0x1ce20000 end_va = 0x1ce32fff entry_point = 0x1ce20000 region_type = mapped_file name = "runtime recommendation.exe" filename = "\\Program Files\\Windows Photo Viewer\\runtime recommendation.exe" (normalized: "c:\\program files\\windows photo viewer\\runtime recommendation.exe") Region: id = 1994 start_va = 0x31f0000 end_va = 0x31f5fff entry_point = 0x31f0000 region_type = mapped_file name = "ntuser.dat.log1 id-br3n0g72wub8cejt.lyas" filename = "\\Users\\Default\\NTUSER.DAT.LOG1 id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\default\\ntuser.dat.log1 id-br3n0g72wub8cejt.lyas") Region: id = 1995 start_va = 0x4e40000 end_va = 0x4e40fff entry_point = 0x4e40000 region_type = mapped_file name = "state.rsm id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm id-br3n0g72wub8cejt.lyas") Region: id = 1996 start_va = 0x2ac0000 end_va = 0x2b7efff entry_point = 0x2ac0000 region_type = mapped_file name = "vc_redist.x64.exe id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe id-br3n0g72wub8cejt.lyas") Region: id = 1997 start_va = 0x2b80000 end_va = 0x2bbffff entry_point = 0x0 region_type = private name = "private_0x0000000002b80000" filename = "" Region: id = 1998 start_va = 0x2bc0000 end_va = 0x2bfffff entry_point = 0x0 region_type = private name = "private_0x0000000002bc0000" filename = "" Region: id = 1999 start_va = 0x3200000 end_va = 0x32fffff entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 2000 start_va = 0x3300000 end_va = 0x333ffff entry_point = 0x0 region_type = private name = "private_0x0000000003300000" filename = "" Region: id = 2001 start_va = 0x3700000 end_va = 0x37fffff entry_point = 0x0 region_type = private name = "private_0x0000000003700000" filename = "" Region: id = 2002 start_va = 0x3800000 end_va = 0x38fffff entry_point = 0x0 region_type = private name = "private_0x0000000003800000" filename = "" Region: id = 2003 start_va = 0x3900000 end_va = 0x393ffff entry_point = 0x0 region_type = private name = "private_0x0000000003900000" filename = "" Region: id = 2004 start_va = 0x3940000 end_va = 0x3a3ffff entry_point = 0x0 region_type = private name = "private_0x0000000003940000" filename = "" Region: id = 2005 start_va = 0x3a40000 end_va = 0x3a52fff entry_point = 0x3a40000 region_type = mapped_file name = "flavor.exe" filename = "\\Program Files (x86)\\Microsoft.NET\\flavor.exe" (normalized: "c:\\program files (x86)\\microsoft.net\\flavor.exe") Region: id = 2006 start_va = 0x7fe7d000 end_va = 0x7fe7ffff entry_point = 0x0 region_type = private name = "private_0x000000007fe7d000" filename = "" Region: id = 2007 start_va = 0x7fe80000 end_va = 0x7fe82fff entry_point = 0x0 region_type = private name = "private_0x000000007fe80000" filename = "" Region: id = 2008 start_va = 0x7fe8c000 end_va = 0x7fe8efff entry_point = 0x0 region_type = private name = "private_0x000000007fe8c000" filename = "" Region: id = 2009 start_va = 0x7fe9b000 end_va = 0x7fe9dfff entry_point = 0x0 region_type = private name = "private_0x000000007fe9b000" filename = "" Region: id = 2010 start_va = 0x3a40000 end_va = 0x3a7ffff entry_point = 0x0 region_type = private name = "private_0x0000000003a40000" filename = "" Region: id = 2011 start_va = 0x41c0000 end_va = 0x42bffff entry_point = 0x0 region_type = private name = "private_0x00000000041c0000" filename = "" Region: id = 2012 start_va = 0x7fe7a000 end_va = 0x7fe7cfff entry_point = 0x0 region_type = private name = "private_0x000000007fe7a000" filename = "" Region: id = 2013 start_va = 0x3a80000 end_va = 0x3abffff entry_point = 0x0 region_type = private name = "private_0x0000000003a80000" filename = "" Region: id = 2014 start_va = 0x42c0000 end_va = 0x43bffff entry_point = 0x0 region_type = private name = "private_0x00000000042c0000" filename = "" Region: id = 2015 start_va = 0x43c0000 end_va = 0x43fffff entry_point = 0x0 region_type = private name = "private_0x00000000043c0000" filename = "" Region: id = 2016 start_va = 0x4400000 end_va = 0x44fffff entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 2017 start_va = 0x7fe68000 end_va = 0x7fe6afff entry_point = 0x0 region_type = private name = "private_0x000000007fe68000" filename = "" Region: id = 2018 start_va = 0x7fe6b000 end_va = 0x7fe6dfff entry_point = 0x0 region_type = private name = "private_0x000000007fe6b000" filename = "" Region: id = 2019 start_va = 0x4500000 end_va = 0x453ffff entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 2020 start_va = 0x4540000 end_va = 0x463ffff entry_point = 0x0 region_type = private name = "private_0x0000000004540000" filename = "" Region: id = 2021 start_va = 0x4640000 end_va = 0x467ffff entry_point = 0x0 region_type = private name = "private_0x0000000004640000" filename = "" Region: id = 2022 start_va = 0x4680000 end_va = 0x477ffff entry_point = 0x0 region_type = private name = "private_0x0000000004680000" filename = "" Region: id = 2023 start_va = 0x4780000 end_va = 0x47bffff entry_point = 0x0 region_type = private name = "private_0x0000000004780000" filename = "" Region: id = 2024 start_va = 0x4940000 end_va = 0x4a3ffff entry_point = 0x0 region_type = private name = "private_0x0000000004940000" filename = "" Region: id = 2025 start_va = 0x7fe5f000 end_va = 0x7fe61fff entry_point = 0x0 region_type = private name = "private_0x000000007fe5f000" filename = "" Region: id = 2026 start_va = 0x7fe62000 end_va = 0x7fe64fff entry_point = 0x0 region_type = private name = "private_0x000000007fe62000" filename = "" Region: id = 2027 start_va = 0x7fe65000 end_va = 0x7fe67fff entry_point = 0x0 region_type = private name = "private_0x000000007fe65000" filename = "" Region: id = 2028 start_va = 0x47c0000 end_va = 0x47fffff entry_point = 0x0 region_type = private name = "private_0x00000000047c0000" filename = "" Region: id = 2029 start_va = 0x4bc0000 end_va = 0x4cbffff entry_point = 0x0 region_type = private name = "private_0x0000000004bc0000" filename = "" Region: id = 2030 start_va = 0x7fe59000 end_va = 0x7fe5bfff entry_point = 0x0 region_type = private name = "private_0x000000007fe59000" filename = "" Region: id = 2031 start_va = 0x4a40000 end_va = 0x4a7ffff entry_point = 0x0 region_type = private name = "private_0x0000000004a40000" filename = "" Region: id = 2032 start_va = 0x4cc0000 end_va = 0x4dbffff entry_point = 0x0 region_type = private name = "private_0x0000000004cc0000" filename = "" Region: id = 2033 start_va = 0x4dc0000 end_va = 0x4deafff entry_point = 0x4dc0000 region_type = mapped_file name = "maintenanceservice.exe id-br3n0g72wub8cejt.lyas" filename = "\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\maintenanceservice.exe id-br3n0g72wub8cejt.lyas") Region: id = 2034 start_va = 0x7fe53000 end_va = 0x7fe55fff entry_point = 0x0 region_type = private name = "private_0x000000007fe53000" filename = "" Region: id = 2035 start_va = 0x4df0000 end_va = 0x4e2ffff entry_point = 0x0 region_type = private name = "private_0x0000000004df0000" filename = "" Region: id = 2036 start_va = 0x50d0000 end_va = 0x51cffff entry_point = 0x0 region_type = private name = "private_0x00000000050d0000" filename = "" Region: id = 2037 start_va = 0x7fe50000 end_va = 0x7fe52fff entry_point = 0x0 region_type = private name = "private_0x000000007fe50000" filename = "" Region: id = 2038 start_va = 0x51d0000 end_va = 0x520ffff entry_point = 0x0 region_type = private name = "private_0x00000000051d0000" filename = "" Region: id = 2039 start_va = 0x5490000 end_va = 0x558ffff entry_point = 0x0 region_type = private name = "private_0x0000000005490000" filename = "" Region: id = 2040 start_va = 0x5590000 end_va = 0x55cffff entry_point = 0x0 region_type = private name = "private_0x0000000005590000" filename = "" Region: id = 2041 start_va = 0x5850000 end_va = 0x594ffff entry_point = 0x0 region_type = private name = "private_0x0000000005850000" filename = "" Region: id = 2042 start_va = 0x7fe3e000 end_va = 0x7fe40fff entry_point = 0x0 region_type = private name = "private_0x000000007fe3e000" filename = "" Region: id = 2043 start_va = 0x7fe47000 end_va = 0x7fe49fff entry_point = 0x0 region_type = private name = "private_0x000000007fe47000" filename = "" Region: id = 2044 start_va = 0x5950000 end_va = 0x598ffff entry_point = 0x0 region_type = private name = "private_0x0000000005950000" filename = "" Region: id = 2045 start_va = 0x5d90000 end_va = 0x5e8ffff entry_point = 0x0 region_type = private name = "private_0x0000000005d90000" filename = "" Region: id = 2046 start_va = 0x7fe35000 end_va = 0x7fe37fff entry_point = 0x0 region_type = private name = "private_0x000000007fe35000" filename = "" Region: id = 2047 start_va = 0x5e90000 end_va = 0x5ecffff entry_point = 0x0 region_type = private name = "private_0x0000000005e90000" filename = "" Region: id = 2048 start_va = 0x5ed0000 end_va = 0x5fcffff entry_point = 0x0 region_type = private name = "private_0x0000000005ed0000" filename = "" Region: id = 2049 start_va = 0x5fd0000 end_va = 0x600ffff entry_point = 0x0 region_type = private name = "private_0x0000000005fd0000" filename = "" Region: id = 2050 start_va = 0x6010000 end_va = 0x610ffff entry_point = 0x0 region_type = private name = "private_0x0000000006010000" filename = "" Region: id = 2051 start_va = 0x6110000 end_va = 0x614ffff entry_point = 0x0 region_type = private name = "private_0x0000000006110000" filename = "" Region: id = 2052 start_va = 0x6290000 end_va = 0x638ffff entry_point = 0x0 region_type = private name = "private_0x0000000006290000" filename = "" Region: id = 2053 start_va = 0x6390000 end_va = 0x63cffff entry_point = 0x0 region_type = private name = "private_0x0000000006390000" filename = "" Region: id = 2054 start_va = 0xcd90000 end_va = 0xce8ffff entry_point = 0x0 region_type = private name = "private_0x000000000cd90000" filename = "" Region: id = 2055 start_va = 0x7fe26000 end_va = 0x7fe28fff entry_point = 0x0 region_type = private name = "private_0x000000007fe26000" filename = "" Region: id = 2056 start_va = 0x7fe2c000 end_va = 0x7fe2efff entry_point = 0x0 region_type = private name = "private_0x000000007fe2c000" filename = "" Region: id = 2057 start_va = 0x7fe2f000 end_va = 0x7fe31fff entry_point = 0x0 region_type = private name = "private_0x000000007fe2f000" filename = "" Region: id = 2058 start_va = 0x7fe32000 end_va = 0x7fe34fff entry_point = 0x0 region_type = private name = "private_0x000000007fe32000" filename = "" Region: id = 2059 start_va = 0xce90000 end_va = 0xcecffff entry_point = 0x0 region_type = private name = "private_0x000000000ce90000" filename = "" Region: id = 2060 start_va = 0xced0000 end_va = 0xcfcffff entry_point = 0x0 region_type = private name = "private_0x000000000ced0000" filename = "" Region: id = 2061 start_va = 0x7fd39000 end_va = 0x7fd3bfff entry_point = 0x0 region_type = private name = "private_0x000000007fd39000" filename = "" Region: id = 2062 start_va = 0x4e30000 end_va = 0x4e42fff entry_point = 0x4e30000 region_type = mapped_file name = "kg_tools_them.exe" filename = "\\Program Files (x86)\\Windows Media Player\\kg_tools_them.exe" (normalized: "c:\\program files (x86)\\windows media player\\kg_tools_them.exe") Region: id = 2063 start_va = 0xcfd0000 end_va = 0xd00ffff entry_point = 0x0 region_type = private name = "private_0x000000000cfd0000" filename = "" Region: id = 2064 start_va = 0xd010000 end_va = 0xd10ffff entry_point = 0x0 region_type = private name = "private_0x000000000d010000" filename = "" Region: id = 2065 start_va = 0x7fd36000 end_va = 0x7fd38fff entry_point = 0x0 region_type = private name = "private_0x000000007fd36000" filename = "" Region: id = 2066 start_va = 0xd110000 end_va = 0xd14ffff entry_point = 0x0 region_type = private name = "private_0x000000000d110000" filename = "" Region: id = 2067 start_va = 0xd290000 end_va = 0xd38ffff entry_point = 0x0 region_type = private name = "private_0x000000000d290000" filename = "" Region: id = 2068 start_va = 0x7fd33000 end_va = 0x7fd35fff entry_point = 0x0 region_type = private name = "private_0x000000007fd33000" filename = "" Region: id = 2069 start_va = 0xd390000 end_va = 0xd3cffff entry_point = 0x0 region_type = private name = "private_0x000000000d390000" filename = "" Region: id = 2070 start_va = 0xd650000 end_va = 0xd74ffff entry_point = 0x0 region_type = private name = "private_0x000000000d650000" filename = "" Region: id = 2071 start_va = 0x7fd2d000 end_va = 0x7fd2ffff entry_point = 0x0 region_type = private name = "private_0x000000007fd2d000" filename = "" Region: id = 2072 start_va = 0x4e30000 end_va = 0x4e42fff entry_point = 0x4e30000 region_type = mapped_file name = "pump.exe" filename = "\\Program Files (x86)\\Windows Multimedia Platform\\pump.exe" (normalized: "c:\\program files (x86)\\windows multimedia platform\\pump.exe") Region: id = 2073 start_va = 0xd750000 end_va = 0xd78ffff entry_point = 0x0 region_type = private name = "private_0x000000000d750000" filename = "" Region: id = 2074 start_va = 0xd790000 end_va = 0xd88ffff entry_point = 0x0 region_type = private name = "private_0x000000000d790000" filename = "" Region: id = 2075 start_va = 0xd890000 end_va = 0xd8cffff entry_point = 0x0 region_type = private name = "private_0x000000000d890000" filename = "" Region: id = 2076 start_va = 0xddd0000 end_va = 0xdecffff entry_point = 0x0 region_type = private name = "private_0x000000000ddd0000" filename = "" Region: id = 2077 start_va = 0xded0000 end_va = 0xdf0ffff entry_point = 0x0 region_type = private name = "private_0x000000000ded0000" filename = "" Region: id = 2078 start_va = 0xe190000 end_va = 0xe28ffff entry_point = 0x0 region_type = private name = "private_0x000000000e190000" filename = "" Region: id = 2079 start_va = 0xe290000 end_va = 0xe2cffff entry_point = 0x0 region_type = private name = "private_0x000000000e290000" filename = "" Region: id = 2080 start_va = 0xe2d0000 end_va = 0xe3cffff entry_point = 0x0 region_type = private name = "private_0x000000000e2d0000" filename = "" Region: id = 2081 start_va = 0xe3d0000 end_va = 0xe40ffff entry_point = 0x0 region_type = private name = "private_0x000000000e3d0000" filename = "" Region: id = 2082 start_va = 0xe410000 end_va = 0xe50ffff entry_point = 0x0 region_type = private name = "private_0x000000000e410000" filename = "" Region: id = 2083 start_va = 0x7fd06000 end_va = 0x7fd08fff entry_point = 0x0 region_type = private name = "private_0x000000007fd06000" filename = "" Region: id = 2084 start_va = 0x7fd09000 end_va = 0x7fd0bfff entry_point = 0x0 region_type = private name = "private_0x000000007fd09000" filename = "" Region: id = 2085 start_va = 0x7fd12000 end_va = 0x7fd14fff entry_point = 0x0 region_type = private name = "private_0x000000007fd12000" filename = "" Region: id = 2086 start_va = 0x7fd21000 end_va = 0x7fd23fff entry_point = 0x0 region_type = private name = "private_0x000000007fd21000" filename = "" Region: id = 2087 start_va = 0x7fd24000 end_va = 0x7fd26fff entry_point = 0x0 region_type = private name = "private_0x000000007fd24000" filename = "" Region: id = 2088 start_va = 0xe510000 end_va = 0xe54ffff entry_point = 0x0 region_type = private name = "private_0x000000000e510000" filename = "" Region: id = 2089 start_va = 0xe7d0000 end_va = 0xe8cffff entry_point = 0x0 region_type = private name = "private_0x000000000e7d0000" filename = "" Region: id = 2090 start_va = 0xe8d0000 end_va = 0xe8e2fff entry_point = 0xe8d0000 region_type = mapped_file name = "semiconductor phys.exe" filename = "\\Program Files (x86)\\Windows Portable Devices\\semiconductor phys.exe" (normalized: "c:\\program files (x86)\\windows portable devices\\semiconductor phys.exe") Region: id = 2091 start_va = 0x7fd03000 end_va = 0x7fd05fff entry_point = 0x0 region_type = private name = "private_0x000000007fd03000" filename = "" Region: id = 2092 start_va = 0xe8f0000 end_va = 0xe92ffff entry_point = 0x0 region_type = private name = "private_0x000000000e8f0000" filename = "" Region: id = 2093 start_va = 0xe930000 end_va = 0xea2ffff entry_point = 0x0 region_type = private name = "private_0x000000000e930000" filename = "" Region: id = 2094 start_va = 0xea30000 end_va = 0xea30fff entry_point = 0xea30000 region_type = mapped_file name = "desktop.ini" filename = "\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\desktop.ini") Region: id = 2095 start_va = 0x7fcfa000 end_va = 0x7fcfcfff entry_point = 0x0 region_type = private name = "private_0x000000007fcfa000" filename = "" Region: id = 2096 start_va = 0xea30000 end_va = 0xea46fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000000ea30000" filename = "" Region: id = 2097 start_va = 0xea30000 end_va = 0xea3afff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000000ea30000" filename = "" Region: id = 2098 start_va = 0xea30000 end_va = 0xea45fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000000ea30000" filename = "" Region: id = 2099 start_va = 0xd8d0000 end_va = 0xd8d0fff entry_point = 0xd8d0000 region_type = mapped_file name = "desktop.ini" filename = "\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\onedrive\\desktop.ini") Region: id = 2100 start_va = 0xd8d0000 end_va = 0xd90ffff entry_point = 0x0 region_type = private name = "private_0x000000000d8d0000" filename = "" Region: id = 2101 start_va = 0xd910000 end_va = 0xda0ffff entry_point = 0x0 region_type = private name = "private_0x000000000d910000" filename = "" Region: id = 2102 start_va = 0xeb90000 end_va = 0xebcffff entry_point = 0x0 region_type = private name = "private_0x000000000eb90000" filename = "" Region: id = 2103 start_va = 0xebd0000 end_va = 0xeccffff entry_point = 0x0 region_type = private name = "private_0x000000000ebd0000" filename = "" Region: id = 2104 start_va = 0xecd0000 end_va = 0xed0ffff entry_point = 0x0 region_type = private name = "private_0x000000000ecd0000" filename = "" Region: id = 2105 start_va = 0xed10000 end_va = 0xee0ffff entry_point = 0x0 region_type = private name = "private_0x000000000ed10000" filename = "" Region: id = 2106 start_va = 0xf450000 end_va = 0xf458fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000000f450000" filename = "" Region: id = 2107 start_va = 0xf690000 end_va = 0xf6cffff entry_point = 0x0 region_type = private name = "private_0x000000000f690000" filename = "" Region: id = 2108 start_va = 0xf6d0000 end_va = 0xf7cffff entry_point = 0x0 region_type = private name = "private_0x000000000f6d0000" filename = "" Region: id = 2109 start_va = 0xf7d0000 end_va = 0xf80ffff entry_point = 0x0 region_type = private name = "private_0x000000000f7d0000" filename = "" Region: id = 2110 start_va = 0xf810000 end_va = 0xf90ffff entry_point = 0x0 region_type = private name = "private_0x000000000f810000" filename = "" Region: id = 2111 start_va = 0xfa50000 end_va = 0xfa8ffff entry_point = 0x0 region_type = private name = "private_0x000000000fa50000" filename = "" Region: id = 2112 start_va = 0xfa90000 end_va = 0xfb8ffff entry_point = 0x0 region_type = private name = "private_0x000000000fa90000" filename = "" Region: id = 2113 start_va = 0x7fcd6000 end_va = 0x7fcd8fff entry_point = 0x0 region_type = private name = "private_0x000000007fcd6000" filename = "" Region: id = 2114 start_va = 0x7fcd9000 end_va = 0x7fcdbfff entry_point = 0x0 region_type = private name = "private_0x000000007fcd9000" filename = "" Region: id = 2115 start_va = 0x7fcee000 end_va = 0x7fcf0fff entry_point = 0x0 region_type = private name = "private_0x000000007fcee000" filename = "" Region: id = 2116 start_va = 0x7fcf1000 end_va = 0x7fcf3fff entry_point = 0x0 region_type = private name = "private_0x000000007fcf1000" filename = "" Region: id = 2117 start_va = 0x7fcf7000 end_va = 0x7fcf9fff entry_point = 0x0 region_type = private name = "private_0x000000007fcf7000" filename = "" Region: id = 2118 start_va = 0x7fd1e000 end_va = 0x7fd20fff entry_point = 0x0 region_type = private name = "private_0x000000007fd1e000" filename = "" Region: id = 2119 start_va = 0xf450000 end_va = 0xf48ffff entry_point = 0x0 region_type = private name = "private_0x000000000f450000" filename = "" Region: id = 2120 start_va = 0xf490000 end_va = 0xf58ffff entry_point = 0x0 region_type = private name = "private_0x000000000f490000" filename = "" Region: id = 2121 start_va = 0x101d0000 end_va = 0x101d6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000101d0000" filename = "" Region: id = 2122 start_va = 0x7fcdc000 end_va = 0x7fcdefff entry_point = 0x0 region_type = private name = "private_0x000000007fcdc000" filename = "" Region: id = 2123 start_va = 0x101d0000 end_va = 0x102cffff entry_point = 0x101d0000 region_type = mapped_file name = "chromesetup.exe id-br3n0g72wub8cejt.lyas" filename = "\\Users\\CIiHmnxMn6Ps\\Downloads\\ChromeSetup.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\downloads\\chromesetup.exe id-br3n0g72wub8cejt.lyas") Region: id = 2124 start_va = 0x102d0000 end_va = 0x1030ffff entry_point = 0x0 region_type = private name = "private_0x00000000102d0000" filename = "" Region: id = 2125 start_va = 0x10450000 end_va = 0x1054ffff entry_point = 0x0 region_type = private name = "private_0x0000000010450000" filename = "" Region: id = 2126 start_va = 0x10550000 end_va = 0x10562fff entry_point = 0x10550000 region_type = mapped_file name = "limousines.exe" filename = "\\Program Files (x86)\\Windows Photo Viewer\\limousines.exe" (normalized: "c:\\program files (x86)\\windows photo viewer\\limousines.exe") Region: id = 2127 start_va = 0x7fcd0000 end_va = 0x7fcd2fff entry_point = 0x0 region_type = private name = "private_0x000000007fcd0000" filename = "" Region: id = 2128 start_va = 0x10550000 end_va = 0x1058ffff entry_point = 0x0 region_type = private name = "private_0x0000000010550000" filename = "" Region: id = 2129 start_va = 0x11560000 end_va = 0x1165ffff entry_point = 0x0 region_type = private name = "private_0x0000000011560000" filename = "" Region: id = 2130 start_va = 0x11660000 end_va = 0x11674fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000011660000" filename = "" Region: id = 2131 start_va = 0x7fcbe000 end_va = 0x7fcc0fff entry_point = 0x0 region_type = private name = "private_0x000000007fcbe000" filename = "" Region: id = 2132 start_va = 0x11660000 end_va = 0x1169ffff entry_point = 0x0 region_type = private name = "private_0x0000000011660000" filename = "" Region: id = 2133 start_va = 0x116a0000 end_va = 0x1179ffff entry_point = 0x0 region_type = private name = "private_0x00000000116a0000" filename = "" Region: id = 2134 start_va = 0x117a0000 end_va = 0x117a0fff entry_point = 0x117a0000 region_type = mapped_file name = "desktop.ini" filename = "\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\desktop.ini") Region: id = 2135 start_va = 0x7fcb8000 end_va = 0x7fcbafff entry_point = 0x0 region_type = private name = "private_0x000000007fcb8000" filename = "" Region: id = 2136 start_va = 0x117a0000 end_va = 0x117dffff entry_point = 0x0 region_type = private name = "private_0x00000000117a0000" filename = "" Region: id = 2137 start_va = 0x11920000 end_va = 0x11a1ffff entry_point = 0x0 region_type = private name = "private_0x0000000011920000" filename = "" Region: id = 2138 start_va = 0x11a20000 end_va = 0x11a20fff entry_point = 0x11a20000 region_type = mapped_file name = "desktop.ini" filename = "\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\searches\\desktop.ini") Region: id = 2139 start_va = 0x7fcb5000 end_va = 0x7fcb7fff entry_point = 0x0 region_type = private name = "private_0x000000007fcb5000" filename = "" Region: id = 2140 start_va = 0x11a20000 end_va = 0x11a5ffff entry_point = 0x0 region_type = private name = "private_0x0000000011a20000" filename = "" Region: id = 2141 start_va = 0x11a60000 end_va = 0x11b5ffff entry_point = 0x0 region_type = private name = "private_0x0000000011a60000" filename = "" Region: id = 2142 start_va = 0x7fcb2000 end_va = 0x7fcb4fff entry_point = 0x0 region_type = private name = "private_0x000000007fcb2000" filename = "" Region: id = 2143 start_va = 0x11b60000 end_va = 0x11b68fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000011b60000" filename = "" Region: id = 2144 start_va = 0x11b60000 end_va = 0x11b60fff entry_point = 0x11b60000 region_type = mapped_file name = "desktop.ini" filename = "\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\desktop.ini") Region: id = 2145 start_va = 0x11b70000 end_va = 0x11b70fff entry_point = 0x11b70000 region_type = mapped_file name = "desktop.ini" filename = "\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\saved games\\desktop.ini") Region: id = 2146 start_va = 0x3f40000 end_va = 0x3f7ffff entry_point = 0x0 region_type = private name = "private_0x0000000003f40000" filename = "" Region: id = 2147 start_va = 0x3f80000 end_va = 0x407ffff entry_point = 0x0 region_type = private name = "private_0x0000000003f80000" filename = "" Region: id = 2148 start_va = 0x4080000 end_va = 0x40bffff entry_point = 0x0 region_type = private name = "private_0x0000000004080000" filename = "" Region: id = 2149 start_va = 0x40c0000 end_va = 0x41bffff entry_point = 0x0 region_type = private name = "private_0x00000000040c0000" filename = "" Region: id = 2150 start_va = 0x4e50000 end_va = 0x4e8ffff entry_point = 0x0 region_type = private name = "private_0x0000000004e50000" filename = "" Region: id = 2151 start_va = 0x4e90000 end_va = 0x4f8ffff entry_point = 0x0 region_type = private name = "private_0x0000000004e90000" filename = "" Region: id = 2152 start_va = 0x4f90000 end_va = 0x4fcffff entry_point = 0x0 region_type = private name = "private_0x0000000004f90000" filename = "" Region: id = 2153 start_va = 0x4fd0000 end_va = 0x50cffff entry_point = 0x0 region_type = private name = "private_0x0000000004fd0000" filename = "" Region: id = 2154 start_va = 0x5350000 end_va = 0x538ffff entry_point = 0x0 region_type = private name = "private_0x0000000005350000" filename = "" Region: id = 2155 start_va = 0x5390000 end_va = 0x548ffff entry_point = 0x0 region_type = private name = "private_0x0000000005390000" filename = "" Region: id = 2156 start_va = 0x7fe41000 end_va = 0x7fe43fff entry_point = 0x0 region_type = private name = "private_0x000000007fe41000" filename = "" Region: id = 2157 start_va = 0x7fe4a000 end_va = 0x7fe4cfff entry_point = 0x0 region_type = private name = "private_0x000000007fe4a000" filename = "" Region: id = 2158 start_va = 0x7fe4d000 end_va = 0x7fe4ffff entry_point = 0x0 region_type = private name = "private_0x000000007fe4d000" filename = "" Region: id = 2159 start_va = 0x7fe6e000 end_va = 0x7fe70fff entry_point = 0x0 region_type = private name = "private_0x000000007fe6e000" filename = "" Region: id = 2160 start_va = 0x7fe71000 end_va = 0x7fe73fff entry_point = 0x0 region_type = private name = "private_0x000000007fe71000" filename = "" Region: id = 2161 start_va = 0x5210000 end_va = 0x521afff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005210000" filename = "" Region: id = 2162 start_va = 0x5210000 end_va = 0x524ffff entry_point = 0x0 region_type = private name = "private_0x0000000005210000" filename = "" Region: id = 2163 start_va = 0x5250000 end_va = 0x534ffff entry_point = 0x0 region_type = private name = "private_0x0000000005250000" filename = "" Region: id = 2164 start_va = 0x7fe44000 end_va = 0x7fe46fff entry_point = 0x0 region_type = private name = "private_0x000000007fe44000" filename = "" Region: id = 2165 start_va = 0x55d0000 end_va = 0x560ffff entry_point = 0x0 region_type = private name = "private_0x00000000055d0000" filename = "" Region: id = 2166 start_va = 0x5610000 end_va = 0x570ffff entry_point = 0x0 region_type = private name = "private_0x0000000005610000" filename = "" Region: id = 2167 start_va = 0x5710000 end_va = 0x5726fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005710000" filename = "" Region: id = 2168 start_va = 0x7fe3b000 end_va = 0x7fe3dfff entry_point = 0x0 region_type = private name = "private_0x000000007fe3b000" filename = "" Region: id = 2169 start_va = 0x5710000 end_va = 0x574ffff entry_point = 0x0 region_type = private name = "private_0x0000000005710000" filename = "" Region: id = 2170 start_va = 0x5750000 end_va = 0x584ffff entry_point = 0x0 region_type = private name = "private_0x0000000005750000" filename = "" Region: id = 2171 start_va = 0x63d0000 end_va = 0x64cffff entry_point = 0x63d0000 region_type = mapped_file name = "integratedoffice.exe id-br3n0g72wub8cejt.lyas" filename = "\\Program Files\\Microsoft Office 15\\ClientX64\\IntegratedOffice.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\microsoft office 15\\clientx64\\integratedoffice.exe id-br3n0g72wub8cejt.lyas") Region: id = 2172 start_va = 0x7fe38000 end_va = 0x7fe3afff entry_point = 0x0 region_type = private name = "private_0x000000007fe38000" filename = "" Region: id = 2173 start_va = 0x64d0000 end_va = 0x64d0fff entry_point = 0x64d0000 region_type = mapped_file name = "desktop.ini" filename = "\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\links\\desktop.ini") Region: id = 2174 start_va = 0x64e0000 end_va = 0x64e3fff entry_point = 0x64e0000 region_type = mapped_file name = "updatesessionorchestration.002.etl id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.002.etl id-br3n0g72wub8cejt.lyas") Region: id = 2175 start_va = 0x64f0000 end_va = 0x652ffff entry_point = 0x0 region_type = private name = "private_0x00000000064f0000" filename = "" Region: id = 2176 start_va = 0x6530000 end_va = 0x662ffff entry_point = 0x0 region_type = private name = "private_0x0000000006530000" filename = "" Region: id = 2177 start_va = 0x7fe23000 end_va = 0x7fe25fff entry_point = 0x0 region_type = private name = "private_0x000000007fe23000" filename = "" Region: id = 2178 start_va = 0x64d0000 end_va = 0x64d3fff entry_point = 0x64d0000 region_type = mapped_file name = "updatesessionorchestration.004.etl id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.004.etl id-br3n0g72wub8cejt.lyas") Region: id = 2179 start_va = 0x64e0000 end_va = 0x64e0fff entry_point = 0x64e0000 region_type = mapped_file name = "readme.txt id-br3n0g72wub8cejt.lyas" filename = "\\Program Files\\Java\\jre1.8.0_131\\README.txt id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\java\\jre1.8.0_131\\readme.txt id-br3n0g72wub8cejt.lyas") Region: id = 2180 start_va = 0x6790000 end_va = 0x67cffff entry_point = 0x0 region_type = private name = "private_0x0000000006790000" filename = "" Region: id = 2181 start_va = 0x67d0000 end_va = 0x68cffff entry_point = 0x0 region_type = private name = "private_0x00000000067d0000" filename = "" Region: id = 2182 start_va = 0x6a10000 end_va = 0x6a4ffff entry_point = 0x0 region_type = private name = "private_0x0000000006a10000" filename = "" Region: id = 2183 start_va = 0x6a50000 end_va = 0x6b4ffff entry_point = 0x0 region_type = private name = "private_0x0000000006a50000" filename = "" Region: id = 2184 start_va = 0x6c90000 end_va = 0x6ccffff entry_point = 0x0 region_type = private name = "private_0x0000000006c90000" filename = "" Region: id = 2185 start_va = 0x6cd0000 end_va = 0x6dcffff entry_point = 0x0 region_type = private name = "private_0x0000000006cd0000" filename = "" Region: id = 2186 start_va = 0x6dd0000 end_va = 0x6e0ffff entry_point = 0x0 region_type = private name = "private_0x0000000006dd0000" filename = "" Region: id = 2187 start_va = 0x6e10000 end_va = 0x6f0ffff entry_point = 0x0 region_type = private name = "private_0x0000000006e10000" filename = "" Region: id = 2188 start_va = 0x7fe0e000 end_va = 0x7fe10fff entry_point = 0x0 region_type = private name = "private_0x000000007fe0e000" filename = "" Region: id = 2189 start_va = 0x7fe14000 end_va = 0x7fe16fff entry_point = 0x0 region_type = private name = "private_0x000000007fe14000" filename = "" Region: id = 2190 start_va = 0x7fe1a000 end_va = 0x7fe1cfff entry_point = 0x0 region_type = private name = "private_0x000000007fe1a000" filename = "" Region: id = 2191 start_va = 0x7fe20000 end_va = 0x7fe22fff entry_point = 0x0 region_type = private name = "private_0x000000007fe20000" filename = "" Region: id = 2192 start_va = 0x6f10000 end_va = 0x6f4ffff entry_point = 0x0 region_type = private name = "private_0x0000000006f10000" filename = "" Region: id = 2193 start_va = 0x6f50000 end_va = 0x704ffff entry_point = 0x0 region_type = private name = "private_0x0000000006f50000" filename = "" Region: id = 2194 start_va = 0x7050000 end_va = 0x708ffff entry_point = 0x0 region_type = private name = "private_0x0000000007050000" filename = "" Region: id = 2195 start_va = 0x7090000 end_va = 0x718ffff entry_point = 0x0 region_type = private name = "private_0x0000000007090000" filename = "" Region: id = 2196 start_va = 0x9050000 end_va = 0x908ffff entry_point = 0x0 region_type = private name = "private_0x0000000009050000" filename = "" Region: id = 2197 start_va = 0x9090000 end_va = 0x918ffff entry_point = 0x0 region_type = private name = "private_0x0000000009090000" filename = "" Region: id = 2198 start_va = 0x7fe05000 end_va = 0x7fe07fff entry_point = 0x0 region_type = private name = "private_0x000000007fe05000" filename = "" Region: id = 2199 start_va = 0x7fe08000 end_va = 0x7fe0afff entry_point = 0x0 region_type = private name = "private_0x000000007fe08000" filename = "" Region: id = 2200 start_va = 0x7fe0b000 end_va = 0x7fe0dfff entry_point = 0x0 region_type = private name = "private_0x000000007fe0b000" filename = "" Region: id = 2201 start_va = 0xb210000 end_va = 0xb24ffff entry_point = 0x0 region_type = private name = "private_0x000000000b210000" filename = "" Region: id = 2202 start_va = 0xb250000 end_va = 0xb34ffff entry_point = 0x0 region_type = private name = "private_0x000000000b250000" filename = "" Region: id = 2203 start_va = 0xb350000 end_va = 0xb38ffff entry_point = 0x0 region_type = private name = "private_0x000000000b350000" filename = "" Region: id = 2204 start_va = 0xb390000 end_va = 0xb48ffff entry_point = 0x0 region_type = private name = "private_0x000000000b390000" filename = "" Region: id = 2205 start_va = 0xb490000 end_va = 0xb4cffff entry_point = 0x0 region_type = private name = "private_0x000000000b490000" filename = "" Region: id = 2206 start_va = 0xb4d0000 end_va = 0xb5cffff entry_point = 0x0 region_type = private name = "private_0x000000000b4d0000" filename = "" Region: id = 2207 start_va = 0xb5d0000 end_va = 0xb60ffff entry_point = 0x0 region_type = private name = "private_0x000000000b5d0000" filename = "" Region: id = 2208 start_va = 0xb610000 end_va = 0xb70ffff entry_point = 0x0 region_type = private name = "private_0x000000000b610000" filename = "" Region: id = 2209 start_va = 0xb710000 end_va = 0xb74ffff entry_point = 0x0 region_type = private name = "private_0x000000000b710000" filename = "" Region: id = 2210 start_va = 0xb750000 end_va = 0xb84ffff entry_point = 0x0 region_type = private name = "private_0x000000000b750000" filename = "" Region: id = 2211 start_va = 0x11e20000 end_va = 0x11e5ffff entry_point = 0x0 region_type = private name = "private_0x0000000011e20000" filename = "" Region: id = 2212 start_va = 0x11e60000 end_va = 0x11f5ffff entry_point = 0x0 region_type = private name = "private_0x0000000011e60000" filename = "" Region: id = 2213 start_va = 0x11f60000 end_va = 0x11f9ffff entry_point = 0x0 region_type = private name = "private_0x0000000011f60000" filename = "" Region: id = 2214 start_va = 0x11fa0000 end_va = 0x1209ffff entry_point = 0x0 region_type = private name = "private_0x0000000011fa0000" filename = "" Region: id = 2215 start_va = 0x120a0000 end_va = 0x120dffff entry_point = 0x0 region_type = private name = "private_0x00000000120a0000" filename = "" Region: id = 2216 start_va = 0x120e0000 end_va = 0x121dffff entry_point = 0x0 region_type = private name = "private_0x00000000120e0000" filename = "" Region: id = 2217 start_va = 0x129a0000 end_va = 0x129dffff entry_point = 0x0 region_type = private name = "private_0x00000000129a0000" filename = "" Region: id = 2218 start_va = 0x12ce0000 end_va = 0x12ddffff entry_point = 0x0 region_type = private name = "private_0x0000000012ce0000" filename = "" Region: id = 2219 start_va = 0x12de0000 end_va = 0x12e1ffff entry_point = 0x0 region_type = private name = "private_0x0000000012de0000" filename = "" Region: id = 2220 start_va = 0x13e60000 end_va = 0x13f5ffff entry_point = 0x0 region_type = private name = "private_0x0000000013e60000" filename = "" Region: id = 2221 start_va = 0x197a0000 end_va = 0x197dffff entry_point = 0x0 region_type = private name = "private_0x00000000197a0000" filename = "" Region: id = 2222 start_va = 0x197e0000 end_va = 0x198dffff entry_point = 0x0 region_type = private name = "private_0x00000000197e0000" filename = "" Region: id = 2223 start_va = 0x198e0000 end_va = 0x1991ffff entry_point = 0x0 region_type = private name = "private_0x00000000198e0000" filename = "" Region: id = 2224 start_va = 0x19920000 end_va = 0x19a1ffff entry_point = 0x0 region_type = private name = "private_0x0000000019920000" filename = "" Region: id = 2225 start_va = 0x7fc7f000 end_va = 0x7fc81fff entry_point = 0x0 region_type = private name = "private_0x000000007fc7f000" filename = "" Region: id = 2226 start_va = 0x7fc9a000 end_va = 0x7fc9cfff entry_point = 0x0 region_type = private name = "private_0x000000007fc9a000" filename = "" Region: id = 2227 start_va = 0x7fc9d000 end_va = 0x7fc9ffff entry_point = 0x0 region_type = private name = "private_0x000000007fc9d000" filename = "" Region: id = 2228 start_va = 0x7fca0000 end_va = 0x7fca2fff entry_point = 0x0 region_type = private name = "private_0x000000007fca0000" filename = "" Region: id = 2229 start_va = 0x7fca9000 end_va = 0x7fcabfff entry_point = 0x0 region_type = private name = "private_0x000000007fca9000" filename = "" Region: id = 2230 start_va = 0x7fcac000 end_va = 0x7fcaefff entry_point = 0x0 region_type = private name = "private_0x000000007fcac000" filename = "" Region: id = 2231 start_va = 0x7fd6f000 end_va = 0x7fd71fff entry_point = 0x0 region_type = private name = "private_0x000000007fd6f000" filename = "" Region: id = 2232 start_va = 0x7fd72000 end_va = 0x7fd74fff entry_point = 0x0 region_type = private name = "private_0x000000007fd72000" filename = "" Region: id = 2233 start_va = 0x7fd75000 end_va = 0x7fd77fff entry_point = 0x0 region_type = private name = "private_0x000000007fd75000" filename = "" Region: id = 2234 start_va = 0x7fd78000 end_va = 0x7fd7afff entry_point = 0x0 region_type = private name = "private_0x000000007fd78000" filename = "" Region: id = 2235 start_va = 0x7fd7b000 end_va = 0x7fd7dfff entry_point = 0x0 region_type = private name = "private_0x000000007fd7b000" filename = "" Region: id = 2236 start_va = 0x7fdcc000 end_va = 0x7fdcefff entry_point = 0x0 region_type = private name = "private_0x000000007fdcc000" filename = "" Region: id = 2237 start_va = 0x1ce20000 end_va = 0x1ce91fff entry_point = 0x1ce20000 region_type = mapped_file name = "vcredist_x86.exe id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe id-br3n0g72wub8cejt.lyas") Region: id = 2238 start_va = 0x64e0000 end_va = 0x64e0fff entry_point = 0x64e0000 region_type = mapped_file name = "state.rsm id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm id-br3n0g72wub8cejt.lyas") Region: id = 2239 start_va = 0x1cea0000 end_va = 0x1cedffff entry_point = 0x0 region_type = private name = "private_0x000000001cea0000" filename = "" Region: id = 2240 start_va = 0x1cee0000 end_va = 0x1cfdffff entry_point = 0x0 region_type = private name = "private_0x000000001cee0000" filename = "" Region: id = 2241 start_va = 0x7fc55000 end_va = 0x7fc57fff entry_point = 0x0 region_type = private name = "private_0x000000007fc55000" filename = "" Region: id = 2242 start_va = 0x6630000 end_va = 0x6630fff entry_point = 0x6630000 region_type = mapped_file name = "state.rsm id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\state.rsm id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\state.rsm id-br3n0g72wub8cejt.lyas") Region: id = 2243 start_va = 0x1ce20000 end_va = 0x1ce5ffff entry_point = 0x0 region_type = private name = "private_0x000000001ce20000" filename = "" Region: id = 2244 start_va = 0x1ce60000 end_va = 0x1ce9ffff entry_point = 0x0 region_type = private name = "private_0x000000001ce60000" filename = "" Region: id = 2245 start_va = 0x1cfe0000 end_va = 0x1d0dffff entry_point = 0x0 region_type = private name = "private_0x000000001cfe0000" filename = "" Region: id = 2246 start_va = 0x1d0e0000 end_va = 0x1d1dffff entry_point = 0x0 region_type = private name = "private_0x000000001d0e0000" filename = "" Region: id = 2247 start_va = 0x1d1e0000 end_va = 0x1d21ffff entry_point = 0x0 region_type = private name = "private_0x000000001d1e0000" filename = "" Region: id = 2248 start_va = 0x1d220000 end_va = 0x1d31ffff entry_point = 0x0 region_type = private name = "private_0x000000001d220000" filename = "" Region: id = 2249 start_va = 0x1d320000 end_va = 0x1d35ffff entry_point = 0x0 region_type = private name = "private_0x000000001d320000" filename = "" Region: id = 2250 start_va = 0x1d360000 end_va = 0x1d45ffff entry_point = 0x0 region_type = private name = "private_0x000000001d360000" filename = "" Region: id = 2251 start_va = 0x1d460000 end_va = 0x1d49ffff entry_point = 0x0 region_type = private name = "private_0x000000001d460000" filename = "" Region: id = 2252 start_va = 0x1d4a0000 end_va = 0x1d59ffff entry_point = 0x0 region_type = private name = "private_0x000000001d4a0000" filename = "" Region: id = 2253 start_va = 0x1d5a0000 end_va = 0x1d5dffff entry_point = 0x0 region_type = private name = "private_0x000000001d5a0000" filename = "" Region: id = 2254 start_va = 0x1d5e0000 end_va = 0x1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000001d5e0000" filename = "" Region: id = 2255 start_va = 0x1d6e0000 end_va = 0x1d71ffff entry_point = 0x0 region_type = private name = "private_0x000000001d6e0000" filename = "" Region: id = 2256 start_va = 0x1d720000 end_va = 0x1d81ffff entry_point = 0x0 region_type = private name = "private_0x000000001d720000" filename = "" Region: id = 2257 start_va = 0x1d820000 end_va = 0x1d85ffff entry_point = 0x0 region_type = private name = "private_0x000000001d820000" filename = "" Region: id = 2258 start_va = 0x1d860000 end_va = 0x1d95ffff entry_point = 0x0 region_type = private name = "private_0x000000001d860000" filename = "" Region: id = 2259 start_va = 0x1d960000 end_va = 0x1d99ffff entry_point = 0x0 region_type = private name = "private_0x000000001d960000" filename = "" Region: id = 2260 start_va = 0x1d9a0000 end_va = 0x1da9ffff entry_point = 0x0 region_type = private name = "private_0x000000001d9a0000" filename = "" Region: id = 2261 start_va = 0x1daa0000 end_va = 0x1dadffff entry_point = 0x0 region_type = private name = "private_0x000000001daa0000" filename = "" Region: id = 2262 start_va = 0x1dae0000 end_va = 0x1dbdffff entry_point = 0x0 region_type = private name = "private_0x000000001dae0000" filename = "" Region: id = 2263 start_va = 0x1dbe0000 end_va = 0x1dc1ffff entry_point = 0x0 region_type = private name = "private_0x000000001dbe0000" filename = "" Region: id = 2264 start_va = 0x1dc20000 end_va = 0x1dd1ffff entry_point = 0x0 region_type = private name = "private_0x000000001dc20000" filename = "" Region: id = 2265 start_va = 0x1dd20000 end_va = 0x1dd5ffff entry_point = 0x0 region_type = private name = "private_0x000000001dd20000" filename = "" Region: id = 2266 start_va = 0x1dd60000 end_va = 0x1de5ffff entry_point = 0x0 region_type = private name = "private_0x000000001dd60000" filename = "" Region: id = 2267 start_va = 0x7fae1000 end_va = 0x7fae3fff entry_point = 0x0 region_type = private name = "private_0x000000007fae1000" filename = "" Region: id = 2268 start_va = 0x7fae4000 end_va = 0x7fae6fff entry_point = 0x0 region_type = private name = "private_0x000000007fae4000" filename = "" Region: id = 2269 start_va = 0x7fae7000 end_va = 0x7fae9fff entry_point = 0x0 region_type = private name = "private_0x000000007fae7000" filename = "" Region: id = 2270 start_va = 0x7faea000 end_va = 0x7faecfff entry_point = 0x0 region_type = private name = "private_0x000000007faea000" filename = "" Region: id = 2271 start_va = 0x7faed000 end_va = 0x7faeffff entry_point = 0x0 region_type = private name = "private_0x000000007faed000" filename = "" Region: id = 2272 start_va = 0x7faf0000 end_va = 0x7faf2fff entry_point = 0x0 region_type = private name = "private_0x000000007faf0000" filename = "" Region: id = 2273 start_va = 0x7faf3000 end_va = 0x7faf5fff entry_point = 0x0 region_type = private name = "private_0x000000007faf3000" filename = "" Region: id = 2274 start_va = 0x7faf6000 end_va = 0x7faf8fff entry_point = 0x0 region_type = private name = "private_0x000000007faf6000" filename = "" Region: id = 2275 start_va = 0x7faf9000 end_va = 0x7fafbfff entry_point = 0x0 region_type = private name = "private_0x000000007faf9000" filename = "" Region: id = 2276 start_va = 0x7fafc000 end_va = 0x7fafefff entry_point = 0x0 region_type = private name = "private_0x000000007fafc000" filename = "" Region: id = 2277 start_va = 0x7fb7a000 end_va = 0x7fb7cfff entry_point = 0x0 region_type = private name = "private_0x000000007fb7a000" filename = "" Region: id = 2278 start_va = 0x7fb7d000 end_va = 0x7fb7ffff entry_point = 0x0 region_type = private name = "private_0x000000007fb7d000" filename = "" Region: id = 2279 start_va = 0x6640000 end_va = 0x6640fff entry_point = 0x6640000 region_type = mapped_file name = "state.rsm id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm id-br3n0g72wub8cejt.lyas") Region: id = 2280 start_va = 0x1de60000 end_va = 0x1ded1fff entry_point = 0x1de60000 region_type = mapped_file name = "vcredist_x64.exe id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe id-br3n0g72wub8cejt.lyas") Region: id = 2281 start_va = 0x6640000 end_va = 0x6640fff entry_point = 0x6640000 region_type = mapped_file name = "state.rsm id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm id-br3n0g72wub8cejt.lyas") Region: id = 2282 start_va = 0x1dee0000 end_va = 0x1df1ffff entry_point = 0x0 region_type = private name = "private_0x000000001dee0000" filename = "" Region: id = 2283 start_va = 0x1df20000 end_va = 0x1e01ffff entry_point = 0x0 region_type = private name = "private_0x000000001df20000" filename = "" Region: id = 2284 start_va = 0x1e020000 end_va = 0x1e05ffff entry_point = 0x0 region_type = private name = "private_0x000000001e020000" filename = "" Region: id = 2285 start_va = 0x1e060000 end_va = 0x1e15ffff entry_point = 0x0 region_type = private name = "private_0x000000001e060000" filename = "" Region: id = 2286 start_va = 0x7fadb000 end_va = 0x7faddfff entry_point = 0x0 region_type = private name = "private_0x000000007fadb000" filename = "" Region: id = 2287 start_va = 0x7fade000 end_va = 0x7fae0fff entry_point = 0x0 region_type = private name = "private_0x000000007fade000" filename = "" Region: id = 2288 start_va = 0x1e160000 end_va = 0x1e1e1fff entry_point = 0x1e160000 region_type = mapped_file name = "vc_redist.x86.exe id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\VC_redist.x86.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\vc_redist.x86.exe id-br3n0g72wub8cejt.lyas") Region: id = 2289 start_va = 0x1e1f0000 end_va = 0x1e25ffff entry_point = 0x1e1f0000 region_type = mapped_file name = "vcredist_x86.exe id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe id-br3n0g72wub8cejt.lyas") Region: id = 2290 start_va = 0x1e260000 end_va = 0x1e29ffff entry_point = 0x0 region_type = private name = "private_0x000000001e260000" filename = "" Region: id = 2291 start_va = 0x1e2a0000 end_va = 0x1e39ffff entry_point = 0x0 region_type = private name = "private_0x000000001e2a0000" filename = "" Region: id = 2292 start_va = 0x1e3a0000 end_va = 0x1e3dffff entry_point = 0x0 region_type = private name = "private_0x000000001e3a0000" filename = "" Region: id = 2293 start_va = 0x1e3e0000 end_va = 0x1e4dffff entry_point = 0x0 region_type = private name = "private_0x000000001e3e0000" filename = "" Region: id = 2294 start_va = 0x1e4e0000 end_va = 0x1e51ffff entry_point = 0x0 region_type = private name = "private_0x000000001e4e0000" filename = "" Region: id = 2295 start_va = 0x1e520000 end_va = 0x1e61ffff entry_point = 0x0 region_type = private name = "private_0x000000001e520000" filename = "" Region: id = 2296 start_va = 0x1e620000 end_va = 0x1e65ffff entry_point = 0x0 region_type = private name = "private_0x000000001e620000" filename = "" Region: id = 2297 start_va = 0x1e660000 end_va = 0x1e75ffff entry_point = 0x0 region_type = private name = "private_0x000000001e660000" filename = "" Region: id = 2298 start_va = 0x1e760000 end_va = 0x1e79ffff entry_point = 0x0 region_type = private name = "private_0x000000001e760000" filename = "" Region: id = 2299 start_va = 0x1e7a0000 end_va = 0x1e89ffff entry_point = 0x0 region_type = private name = "private_0x000000001e7a0000" filename = "" Region: id = 2300 start_va = 0x1e8a0000 end_va = 0x1e8dffff entry_point = 0x0 region_type = private name = "private_0x000000001e8a0000" filename = "" Region: id = 2301 start_va = 0x1e8e0000 end_va = 0x1e9dffff entry_point = 0x0 region_type = private name = "private_0x000000001e8e0000" filename = "" Region: id = 2302 start_va = 0x1e9e0000 end_va = 0x1ea1ffff entry_point = 0x0 region_type = private name = "private_0x000000001e9e0000" filename = "" Region: id = 2303 start_va = 0x1ea20000 end_va = 0x1eb1ffff entry_point = 0x0 region_type = private name = "private_0x000000001ea20000" filename = "" Region: id = 2304 start_va = 0x1eb20000 end_va = 0x1eb5ffff entry_point = 0x0 region_type = private name = "private_0x000000001eb20000" filename = "" Region: id = 2305 start_va = 0x1eb60000 end_va = 0x1ec5ffff entry_point = 0x0 region_type = private name = "private_0x000000001eb60000" filename = "" Region: id = 2306 start_va = 0x1ec60000 end_va = 0x1ec9ffff entry_point = 0x0 region_type = private name = "private_0x000000001ec60000" filename = "" Region: id = 2307 start_va = 0x1eca0000 end_va = 0x1ed9ffff entry_point = 0x0 region_type = private name = "private_0x000000001eca0000" filename = "" Region: id = 2308 start_va = 0x1eda0000 end_va = 0x1eddffff entry_point = 0x0 region_type = private name = "private_0x000000001eda0000" filename = "" Region: id = 2309 start_va = 0x1ede0000 end_va = 0x1eedffff entry_point = 0x0 region_type = private name = "private_0x000000001ede0000" filename = "" Region: id = 2310 start_va = 0x1eee0000 end_va = 0x1ef1ffff entry_point = 0x0 region_type = private name = "private_0x000000001eee0000" filename = "" Region: id = 2311 start_va = 0x1ef20000 end_va = 0x1f01ffff entry_point = 0x0 region_type = private name = "private_0x000000001ef20000" filename = "" Region: id = 2312 start_va = 0x1f020000 end_va = 0x1f05ffff entry_point = 0x0 region_type = private name = "private_0x000000001f020000" filename = "" Region: id = 2313 start_va = 0x1f060000 end_va = 0x1f15ffff entry_point = 0x0 region_type = private name = "private_0x000000001f060000" filename = "" Region: id = 2314 start_va = 0x1f160000 end_va = 0x1f19ffff entry_point = 0x0 region_type = private name = "private_0x000000001f160000" filename = "" Region: id = 2315 start_va = 0x1f1a0000 end_va = 0x1f29ffff entry_point = 0x0 region_type = private name = "private_0x000000001f1a0000" filename = "" Region: id = 2316 start_va = 0x7fab4000 end_va = 0x7fab6fff entry_point = 0x0 region_type = private name = "private_0x000000007fab4000" filename = "" Region: id = 2317 start_va = 0x7fab7000 end_va = 0x7fab9fff entry_point = 0x0 region_type = private name = "private_0x000000007fab7000" filename = "" Region: id = 2318 start_va = 0x7faba000 end_va = 0x7fabcfff entry_point = 0x0 region_type = private name = "private_0x000000007faba000" filename = "" Region: id = 2319 start_va = 0x7fabd000 end_va = 0x7fabffff entry_point = 0x0 region_type = private name = "private_0x000000007fabd000" filename = "" Region: id = 2320 start_va = 0x7fac0000 end_va = 0x7fac2fff entry_point = 0x0 region_type = private name = "private_0x000000007fac0000" filename = "" Region: id = 2321 start_va = 0x7fac3000 end_va = 0x7fac5fff entry_point = 0x0 region_type = private name = "private_0x000000007fac3000" filename = "" Region: id = 2322 start_va = 0x7fac6000 end_va = 0x7fac8fff entry_point = 0x0 region_type = private name = "private_0x000000007fac6000" filename = "" Region: id = 2323 start_va = 0x7fac9000 end_va = 0x7facbfff entry_point = 0x0 region_type = private name = "private_0x000000007fac9000" filename = "" Region: id = 2324 start_va = 0x7facc000 end_va = 0x7facefff entry_point = 0x0 region_type = private name = "private_0x000000007facc000" filename = "" Region: id = 2325 start_va = 0x7facf000 end_va = 0x7fad1fff entry_point = 0x0 region_type = private name = "private_0x000000007facf000" filename = "" Region: id = 2326 start_va = 0x7fad2000 end_va = 0x7fad4fff entry_point = 0x0 region_type = private name = "private_0x000000007fad2000" filename = "" Region: id = 2327 start_va = 0x7fad5000 end_va = 0x7fad7fff entry_point = 0x0 region_type = private name = "private_0x000000007fad5000" filename = "" Region: id = 2328 start_va = 0x7fad8000 end_va = 0x7fadafff entry_point = 0x0 region_type = private name = "private_0x000000007fad8000" filename = "" Region: id = 2329 start_va = 0x1f2a0000 end_va = 0x1f2dffff entry_point = 0x0 region_type = private name = "private_0x000000001f2a0000" filename = "" Region: id = 2330 start_va = 0x1f2e0000 end_va = 0x1f3dffff entry_point = 0x0 region_type = private name = "private_0x000000001f2e0000" filename = "" Region: id = 2331 start_va = 0x7fab1000 end_va = 0x7fab3fff entry_point = 0x0 region_type = private name = "private_0x000000007fab1000" filename = "" Region: id = 2332 start_va = 0x1f3e0000 end_va = 0x1f41ffff entry_point = 0x0 region_type = private name = "private_0x000000001f3e0000" filename = "" Region: id = 2333 start_va = 0x1f420000 end_va = 0x1f51ffff entry_point = 0x0 region_type = private name = "private_0x000000001f420000" filename = "" Region: id = 2334 start_va = 0x7faae000 end_va = 0x7fab0fff entry_point = 0x0 region_type = private name = "private_0x000000007faae000" filename = "" Region: id = 2335 start_va = 0x1f520000 end_va = 0x1f55ffff entry_point = 0x0 region_type = private name = "private_0x000000001f520000" filename = "" Region: id = 2336 start_va = 0x1f560000 end_va = 0x1f65ffff entry_point = 0x0 region_type = private name = "private_0x000000001f560000" filename = "" Region: id = 2337 start_va = 0x7faab000 end_va = 0x7faadfff entry_point = 0x0 region_type = private name = "private_0x000000007faab000" filename = "" Region: id = 2338 start_va = 0x1f660000 end_va = 0x1f69ffff entry_point = 0x0 region_type = private name = "private_0x000000001f660000" filename = "" Region: id = 2339 start_va = 0x1f6a0000 end_va = 0x1f79ffff entry_point = 0x0 region_type = private name = "private_0x000000001f6a0000" filename = "" Region: id = 2340 start_va = 0x7faa8000 end_va = 0x7faaafff entry_point = 0x0 region_type = private name = "private_0x000000007faa8000" filename = "" Region: id = 2341 start_va = 0x1f7a0000 end_va = 0x1f7dffff entry_point = 0x0 region_type = private name = "private_0x000000001f7a0000" filename = "" Region: id = 2342 start_va = 0x1f7e0000 end_va = 0x1f8dffff entry_point = 0x0 region_type = private name = "private_0x000000001f7e0000" filename = "" Region: id = 2343 start_va = 0x7faa5000 end_va = 0x7faa7fff entry_point = 0x0 region_type = private name = "private_0x000000007faa5000" filename = "" Region: id = 2344 start_va = 0x1f8e0000 end_va = 0x1f91ffff entry_point = 0x0 region_type = private name = "private_0x000000001f8e0000" filename = "" Region: id = 2345 start_va = 0x1f920000 end_va = 0x1fa1ffff entry_point = 0x0 region_type = private name = "private_0x000000001f920000" filename = "" Region: id = 2346 start_va = 0x7faa2000 end_va = 0x7faa4fff entry_point = 0x0 region_type = private name = "private_0x000000007faa2000" filename = "" Region: id = 2347 start_va = 0x1fa20000 end_va = 0x1fa5ffff entry_point = 0x0 region_type = private name = "private_0x000000001fa20000" filename = "" Region: id = 2348 start_va = 0x1fa60000 end_va = 0x1fb5ffff entry_point = 0x0 region_type = private name = "private_0x000000001fa60000" filename = "" Region: id = 2349 start_va = 0x7fa9f000 end_va = 0x7faa1fff entry_point = 0x0 region_type = private name = "private_0x000000007fa9f000" filename = "" Region: id = 2350 start_va = 0x1fb60000 end_va = 0x1fb9ffff entry_point = 0x0 region_type = private name = "private_0x000000001fb60000" filename = "" Region: id = 2351 start_va = 0x1fba0000 end_va = 0x1fc9ffff entry_point = 0x0 region_type = private name = "private_0x000000001fba0000" filename = "" Region: id = 2352 start_va = 0x7fa9c000 end_va = 0x7fa9efff entry_point = 0x0 region_type = private name = "private_0x000000007fa9c000" filename = "" Region: id = 2353 start_va = 0x1fca0000 end_va = 0x1fcdffff entry_point = 0x0 region_type = private name = "private_0x000000001fca0000" filename = "" Region: id = 2354 start_va = 0x1fce0000 end_va = 0x1fddffff entry_point = 0x0 region_type = private name = "private_0x000000001fce0000" filename = "" Region: id = 2355 start_va = 0x1fde0000 end_va = 0x1fe1ffff entry_point = 0x0 region_type = private name = "private_0x000000001fde0000" filename = "" Region: id = 2356 start_va = 0x1fe20000 end_va = 0x1ff1ffff entry_point = 0x0 region_type = private name = "private_0x000000001fe20000" filename = "" Region: id = 2357 start_va = 0x1ff20000 end_va = 0x1ff5ffff entry_point = 0x0 region_type = private name = "private_0x000000001ff20000" filename = "" Region: id = 2358 start_va = 0x1ff60000 end_va = 0x2005ffff entry_point = 0x0 region_type = private name = "private_0x000000001ff60000" filename = "" Region: id = 2359 start_va = 0x20060000 end_va = 0x2009ffff entry_point = 0x0 region_type = private name = "private_0x0000000020060000" filename = "" Region: id = 2360 start_va = 0x200a0000 end_va = 0x2019ffff entry_point = 0x0 region_type = private name = "private_0x00000000200a0000" filename = "" Region: id = 2361 start_va = 0x7fa90000 end_va = 0x7fa92fff entry_point = 0x0 region_type = private name = "private_0x000000007fa90000" filename = "" Region: id = 2362 start_va = 0x7fa93000 end_va = 0x7fa95fff entry_point = 0x0 region_type = private name = "private_0x000000007fa93000" filename = "" Region: id = 2363 start_va = 0x7fa96000 end_va = 0x7fa98fff entry_point = 0x0 region_type = private name = "private_0x000000007fa96000" filename = "" Region: id = 2364 start_va = 0x7fa99000 end_va = 0x7fa9bfff entry_point = 0x0 region_type = private name = "private_0x000000007fa99000" filename = "" Region: id = 2365 start_va = 0x201a0000 end_va = 0x201dffff entry_point = 0x0 region_type = private name = "private_0x00000000201a0000" filename = "" Region: id = 2366 start_va = 0x201e0000 end_va = 0x202dffff entry_point = 0x0 region_type = private name = "private_0x00000000201e0000" filename = "" Region: id = 2367 start_va = 0x7fa8d000 end_va = 0x7fa8ffff entry_point = 0x0 region_type = private name = "private_0x000000007fa8d000" filename = "" Region: id = 2368 start_va = 0x202e0000 end_va = 0x2031ffff entry_point = 0x0 region_type = private name = "private_0x00000000202e0000" filename = "" Region: id = 2369 start_va = 0x20320000 end_va = 0x2041ffff entry_point = 0x0 region_type = private name = "private_0x0000000020320000" filename = "" Region: id = 2370 start_va = 0x7fa8a000 end_va = 0x7fa8cfff entry_point = 0x0 region_type = private name = "private_0x000000007fa8a000" filename = "" Region: id = 2371 start_va = 0x20420000 end_va = 0x2045ffff entry_point = 0x0 region_type = private name = "private_0x0000000020420000" filename = "" Region: id = 2372 start_va = 0x20460000 end_va = 0x2055ffff entry_point = 0x0 region_type = private name = "private_0x0000000020460000" filename = "" Region: id = 2373 start_va = 0x7fa87000 end_va = 0x7fa89fff entry_point = 0x0 region_type = private name = "private_0x000000007fa87000" filename = "" Region: id = 2374 start_va = 0x20560000 end_va = 0x2059ffff entry_point = 0x0 region_type = private name = "private_0x0000000020560000" filename = "" Region: id = 2375 start_va = 0x205a0000 end_va = 0x2069ffff entry_point = 0x0 region_type = private name = "private_0x00000000205a0000" filename = "" Region: id = 2376 start_va = 0x7fa84000 end_va = 0x7fa86fff entry_point = 0x0 region_type = private name = "private_0x000000007fa84000" filename = "" Region: id = 2377 start_va = 0x206a0000 end_va = 0x206dffff entry_point = 0x0 region_type = private name = "private_0x00000000206a0000" filename = "" Region: id = 2378 start_va = 0x206e0000 end_va = 0x207dffff entry_point = 0x0 region_type = private name = "private_0x00000000206e0000" filename = "" Region: id = 2379 start_va = 0x7fa81000 end_va = 0x7fa83fff entry_point = 0x0 region_type = private name = "private_0x000000007fa81000" filename = "" Region: id = 2380 start_va = 0x207e0000 end_va = 0x2081ffff entry_point = 0x0 region_type = private name = "private_0x00000000207e0000" filename = "" Region: id = 2381 start_va = 0x20820000 end_va = 0x2091ffff entry_point = 0x0 region_type = private name = "private_0x0000000020820000" filename = "" Region: id = 2382 start_va = 0x7fa7e000 end_va = 0x7fa80fff entry_point = 0x0 region_type = private name = "private_0x000000007fa7e000" filename = "" Region: id = 2383 start_va = 0x20920000 end_va = 0x2095ffff entry_point = 0x0 region_type = private name = "private_0x0000000020920000" filename = "" Region: id = 2384 start_va = 0x20960000 end_va = 0x20a5ffff entry_point = 0x0 region_type = private name = "private_0x0000000020960000" filename = "" Region: id = 2385 start_va = 0x7fa7b000 end_va = 0x7fa7dfff entry_point = 0x0 region_type = private name = "private_0x000000007fa7b000" filename = "" Region: id = 2386 start_va = 0x6630000 end_va = 0x6634fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006630000" filename = "" Region: id = 2387 start_va = 0x6630000 end_va = 0x6634fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006630000" filename = "" Region: id = 2388 start_va = 0x6630000 end_va = 0x6634fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006630000" filename = "" Region: id = 2389 start_va = 0x6630000 end_va = 0x6634fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006630000" filename = "" Region: id = 2390 start_va = 0x6630000 end_va = 0x6634fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006630000" filename = "" Region: id = 2391 start_va = 0x6640000 end_va = 0x6640fff entry_point = 0x6640000 region_type = mapped_file name = "desktop.ini id-br3n0g72wub8cejt.lyas" filename = "\\Users\\Public\\Pictures\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\public\\pictures\\desktop.ini id-br3n0g72wub8cejt.lyas") Region: id = 2392 start_va = 0xf590000 end_va = 0xf590fff entry_point = 0xf590000 region_type = mapped_file name = "desktop.ini id-br3n0g72wub8cejt.lyas" filename = "\\Users\\Public\\Music\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\public\\music\\desktop.ini id-br3n0g72wub8cejt.lyas") Region: id = 2393 start_va = 0xf590000 end_va = 0xf5cffff entry_point = 0x0 region_type = private name = "private_0x000000000f590000" filename = "" Region: id = 2394 start_va = 0x20a60000 end_va = 0x20b5ffff entry_point = 0x0 region_type = private name = "private_0x0000000020a60000" filename = "" Region: id = 2395 start_va = 0x7fa78000 end_va = 0x7fa7afff entry_point = 0x0 region_type = private name = "private_0x000000007fa78000" filename = "" Region: id = 2396 start_va = 0xf5d0000 end_va = 0xf60ffff entry_point = 0x0 region_type = private name = "private_0x000000000f5d0000" filename = "" Region: id = 2397 start_va = 0x20b60000 end_va = 0x20c5ffff entry_point = 0x0 region_type = private name = "private_0x0000000020b60000" filename = "" Region: id = 2398 start_va = 0x7fa75000 end_va = 0x7fa77fff entry_point = 0x0 region_type = private name = "private_0x000000007fa75000" filename = "" Region: id = 2399 start_va = 0xf610000 end_va = 0xf64ffff entry_point = 0x0 region_type = private name = "private_0x000000000f610000" filename = "" Region: id = 2400 start_va = 0x20c60000 end_va = 0x20d5ffff entry_point = 0x0 region_type = private name = "private_0x0000000020c60000" filename = "" Region: id = 2401 start_va = 0x20d60000 end_va = 0x21d2ffff entry_point = 0x0 region_type = private name = "private_0x0000000020d60000" filename = "" Region: id = 2402 start_va = 0x7fa72000 end_va = 0x7fa74fff entry_point = 0x0 region_type = private name = "private_0x000000007fa72000" filename = "" Region: id = 2403 start_va = 0xf650000 end_va = 0xf68ffff entry_point = 0x0 region_type = private name = "private_0x000000000f650000" filename = "" Region: id = 2404 start_va = 0x21d30000 end_va = 0x21e2ffff entry_point = 0x0 region_type = private name = "private_0x0000000021d30000" filename = "" Region: id = 2405 start_va = 0x21e30000 end_va = 0x21e6ffff entry_point = 0x0 region_type = private name = "private_0x0000000021e30000" filename = "" Region: id = 2406 start_va = 0x21e70000 end_va = 0x21f6ffff entry_point = 0x0 region_type = private name = "private_0x0000000021e70000" filename = "" Region: id = 2407 start_va = 0x21f70000 end_va = 0x21faffff entry_point = 0x0 region_type = private name = "private_0x0000000021f70000" filename = "" Region: id = 2408 start_va = 0x21fb0000 end_va = 0x220affff entry_point = 0x0 region_type = private name = "private_0x0000000021fb0000" filename = "" Region: id = 2409 start_va = 0x7fa69000 end_va = 0x7fa6bfff entry_point = 0x0 region_type = private name = "private_0x000000007fa69000" filename = "" Region: id = 2410 start_va = 0x7fa6c000 end_va = 0x7fa6efff entry_point = 0x0 region_type = private name = "private_0x000000007fa6c000" filename = "" Region: id = 2411 start_va = 0x7fa6f000 end_va = 0x7fa71fff entry_point = 0x0 region_type = private name = "private_0x000000007fa6f000" filename = "" Region: id = 2412 start_va = 0x220b0000 end_va = 0x220effff entry_point = 0x0 region_type = private name = "private_0x00000000220b0000" filename = "" Region: id = 2413 start_va = 0x220f0000 end_va = 0x221effff entry_point = 0x0 region_type = private name = "private_0x00000000220f0000" filename = "" Region: id = 2414 start_va = 0x7fa66000 end_va = 0x7fa68fff entry_point = 0x0 region_type = private name = "private_0x000000007fa66000" filename = "" Region: id = 2415 start_va = 0x221f0000 end_va = 0x2222ffff entry_point = 0x0 region_type = private name = "private_0x00000000221f0000" filename = "" Region: id = 2416 start_va = 0x22230000 end_va = 0x2232ffff entry_point = 0x0 region_type = private name = "private_0x0000000022230000" filename = "" Region: id = 2417 start_va = 0x7fa63000 end_va = 0x7fa65fff entry_point = 0x0 region_type = private name = "private_0x000000007fa63000" filename = "" Region: id = 2418 start_va = 0x22330000 end_va = 0x2236ffff entry_point = 0x0 region_type = private name = "private_0x0000000022330000" filename = "" Region: id = 2419 start_va = 0x22370000 end_va = 0x2246ffff entry_point = 0x0 region_type = private name = "private_0x0000000022370000" filename = "" Region: id = 2420 start_va = 0x7fa60000 end_va = 0x7fa62fff entry_point = 0x0 region_type = private name = "private_0x000000007fa60000" filename = "" Region: id = 2421 start_va = 0x22470000 end_va = 0x224affff entry_point = 0x0 region_type = private name = "private_0x0000000022470000" filename = "" Region: id = 2422 start_va = 0x224b0000 end_va = 0x225affff entry_point = 0x0 region_type = private name = "private_0x00000000224b0000" filename = "" Region: id = 2423 start_va = 0x7fa5d000 end_va = 0x7fa5ffff entry_point = 0x0 region_type = private name = "private_0x000000007fa5d000" filename = "" Region: id = 2424 start_va = 0x225b0000 end_va = 0x225effff entry_point = 0x0 region_type = private name = "private_0x00000000225b0000" filename = "" Region: id = 2425 start_va = 0x225f0000 end_va = 0x226effff entry_point = 0x0 region_type = private name = "private_0x00000000225f0000" filename = "" Region: id = 2426 start_va = 0x7fa5a000 end_va = 0x7fa5cfff entry_point = 0x0 region_type = private name = "private_0x000000007fa5a000" filename = "" Region: id = 2427 start_va = 0x226f0000 end_va = 0x2272ffff entry_point = 0x0 region_type = private name = "private_0x00000000226f0000" filename = "" Region: id = 2428 start_va = 0x22730000 end_va = 0x2282ffff entry_point = 0x0 region_type = private name = "private_0x0000000022730000" filename = "" Region: id = 2429 start_va = 0x7fa57000 end_va = 0x7fa59fff entry_point = 0x0 region_type = private name = "private_0x000000007fa57000" filename = "" Region: id = 2430 start_va = 0x22830000 end_va = 0x2286ffff entry_point = 0x0 region_type = private name = "private_0x0000000022830000" filename = "" Region: id = 2431 start_va = 0x22870000 end_va = 0x2296ffff entry_point = 0x0 region_type = private name = "private_0x0000000022870000" filename = "" Region: id = 2432 start_va = 0x22970000 end_va = 0x229affff entry_point = 0x0 region_type = private name = "private_0x0000000022970000" filename = "" Region: id = 2433 start_va = 0x229b0000 end_va = 0x22aaffff entry_point = 0x0 region_type = private name = "private_0x00000000229b0000" filename = "" Region: id = 2434 start_va = 0x22ab0000 end_va = 0x22aeffff entry_point = 0x0 region_type = private name = "private_0x0000000022ab0000" filename = "" Region: id = 2435 start_va = 0x22af0000 end_va = 0x22beffff entry_point = 0x0 region_type = private name = "private_0x0000000022af0000" filename = "" Region: id = 2436 start_va = 0x22bf0000 end_va = 0x22c2ffff entry_point = 0x0 region_type = private name = "private_0x0000000022bf0000" filename = "" Region: id = 2437 start_va = 0x22c30000 end_va = 0x22d2ffff entry_point = 0x0 region_type = private name = "private_0x0000000022c30000" filename = "" Region: id = 2438 start_va = 0x7fa4b000 end_va = 0x7fa4dfff entry_point = 0x0 region_type = private name = "private_0x000000007fa4b000" filename = "" Region: id = 2439 start_va = 0x7fa4e000 end_va = 0x7fa50fff entry_point = 0x0 region_type = private name = "private_0x000000007fa4e000" filename = "" Region: id = 2440 start_va = 0x7fa51000 end_va = 0x7fa53fff entry_point = 0x0 region_type = private name = "private_0x000000007fa51000" filename = "" Region: id = 2441 start_va = 0x7fa54000 end_va = 0x7fa56fff entry_point = 0x0 region_type = private name = "private_0x000000007fa54000" filename = "" Region: id = 2442 start_va = 0x22d30000 end_va = 0x22d6ffff entry_point = 0x0 region_type = private name = "private_0x0000000022d30000" filename = "" Region: id = 2443 start_va = 0x22d70000 end_va = 0x22e6ffff entry_point = 0x0 region_type = private name = "private_0x0000000022d70000" filename = "" Region: id = 2444 start_va = 0x7fa48000 end_va = 0x7fa4afff entry_point = 0x0 region_type = private name = "private_0x000000007fa48000" filename = "" Region: id = 2445 start_va = 0x22e70000 end_va = 0x22eaffff entry_point = 0x0 region_type = private name = "private_0x0000000022e70000" filename = "" Region: id = 2446 start_va = 0x22eb0000 end_va = 0x22faffff entry_point = 0x0 region_type = private name = "private_0x0000000022eb0000" filename = "" Region: id = 2447 start_va = 0x7fa45000 end_va = 0x7fa47fff entry_point = 0x0 region_type = private name = "private_0x000000007fa45000" filename = "" Region: id = 2448 start_va = 0x22fb0000 end_va = 0x22feffff entry_point = 0x0 region_type = private name = "private_0x0000000022fb0000" filename = "" Region: id = 2449 start_va = 0x22ff0000 end_va = 0x230effff entry_point = 0x0 region_type = private name = "private_0x0000000022ff0000" filename = "" Region: id = 2450 start_va = 0x7fa42000 end_va = 0x7fa44fff entry_point = 0x0 region_type = private name = "private_0x000000007fa42000" filename = "" Region: id = 2451 start_va = 0x230f0000 end_va = 0x2312ffff entry_point = 0x0 region_type = private name = "private_0x00000000230f0000" filename = "" Region: id = 2452 start_va = 0x23130000 end_va = 0x2322ffff entry_point = 0x0 region_type = private name = "private_0x0000000023130000" filename = "" Region: id = 2453 start_va = 0x7fa3f000 end_va = 0x7fa41fff entry_point = 0x0 region_type = private name = "private_0x000000007fa3f000" filename = "" Region: id = 2454 start_va = 0x23230000 end_va = 0x2326ffff entry_point = 0x0 region_type = private name = "private_0x0000000023230000" filename = "" Region: id = 2455 start_va = 0x23270000 end_va = 0x2336ffff entry_point = 0x0 region_type = private name = "private_0x0000000023270000" filename = "" Region: id = 2456 start_va = 0x23370000 end_va = 0x233affff entry_point = 0x0 region_type = private name = "private_0x0000000023370000" filename = "" Region: id = 2457 start_va = 0x233b0000 end_va = 0x234affff entry_point = 0x0 region_type = private name = "private_0x00000000233b0000" filename = "" Region: id = 2458 start_va = 0x7fa39000 end_va = 0x7fa3bfff entry_point = 0x0 region_type = private name = "private_0x000000007fa39000" filename = "" Region: id = 2459 start_va = 0x7fa3c000 end_va = 0x7fa3efff entry_point = 0x0 region_type = private name = "private_0x000000007fa3c000" filename = "" Region: id = 2460 start_va = 0x234b0000 end_va = 0x234effff entry_point = 0x0 region_type = private name = "private_0x00000000234b0000" filename = "" Region: id = 2461 start_va = 0x234f0000 end_va = 0x235effff entry_point = 0x0 region_type = private name = "private_0x00000000234f0000" filename = "" Region: id = 2462 start_va = 0x7fa36000 end_va = 0x7fa38fff entry_point = 0x0 region_type = private name = "private_0x000000007fa36000" filename = "" Region: id = 2463 start_va = 0x235f0000 end_va = 0x2362ffff entry_point = 0x0 region_type = private name = "private_0x00000000235f0000" filename = "" Region: id = 2464 start_va = 0x23630000 end_va = 0x2372ffff entry_point = 0x0 region_type = private name = "private_0x0000000023630000" filename = "" Region: id = 2465 start_va = 0x23730000 end_va = 0x2376ffff entry_point = 0x0 region_type = private name = "private_0x0000000023730000" filename = "" Region: id = 2466 start_va = 0x23770000 end_va = 0x2386ffff entry_point = 0x0 region_type = private name = "private_0x0000000023770000" filename = "" Region: id = 2467 start_va = 0x23870000 end_va = 0x238affff entry_point = 0x0 region_type = private name = "private_0x0000000023870000" filename = "" Region: id = 2468 start_va = 0x238b0000 end_va = 0x239affff entry_point = 0x0 region_type = private name = "private_0x00000000238b0000" filename = "" Region: id = 2469 start_va = 0x239b0000 end_va = 0x239effff entry_point = 0x0 region_type = private name = "private_0x00000000239b0000" filename = "" Region: id = 2470 start_va = 0x239f0000 end_va = 0x23aeffff entry_point = 0x0 region_type = private name = "private_0x00000000239f0000" filename = "" Region: id = 2471 start_va = 0x7fa2a000 end_va = 0x7fa2cfff entry_point = 0x0 region_type = private name = "private_0x000000007fa2a000" filename = "" Region: id = 2472 start_va = 0x7fa2d000 end_va = 0x7fa2ffff entry_point = 0x0 region_type = private name = "private_0x000000007fa2d000" filename = "" Region: id = 2473 start_va = 0x7fa30000 end_va = 0x7fa32fff entry_point = 0x0 region_type = private name = "private_0x000000007fa30000" filename = "" Region: id = 2474 start_va = 0x7fa33000 end_va = 0x7fa35fff entry_point = 0x0 region_type = private name = "private_0x000000007fa33000" filename = "" Region: id = 2475 start_va = 0x23af0000 end_va = 0x23b2ffff entry_point = 0x0 region_type = private name = "private_0x0000000023af0000" filename = "" Region: id = 2476 start_va = 0x23b30000 end_va = 0x23c2ffff entry_point = 0x0 region_type = private name = "private_0x0000000023b30000" filename = "" Region: id = 2477 start_va = 0x7fa27000 end_va = 0x7fa29fff entry_point = 0x0 region_type = private name = "private_0x000000007fa27000" filename = "" Region: id = 2478 start_va = 0x23c30000 end_va = 0x23c6ffff entry_point = 0x0 region_type = private name = "private_0x0000000023c30000" filename = "" Region: id = 2479 start_va = 0x23c70000 end_va = 0x23d6ffff entry_point = 0x0 region_type = private name = "private_0x0000000023c70000" filename = "" Region: id = 2480 start_va = 0x7fa24000 end_va = 0x7fa26fff entry_point = 0x0 region_type = private name = "private_0x000000007fa24000" filename = "" Region: id = 2481 start_va = 0x23d70000 end_va = 0x23daffff entry_point = 0x0 region_type = private name = "private_0x0000000023d70000" filename = "" Region: id = 2482 start_va = 0x23db0000 end_va = 0x23eaffff entry_point = 0x0 region_type = private name = "private_0x0000000023db0000" filename = "" Region: id = 2483 start_va = 0x7fa21000 end_va = 0x7fa23fff entry_point = 0x0 region_type = private name = "private_0x000000007fa21000" filename = "" Region: id = 2484 start_va = 0x23eb0000 end_va = 0x23eeffff entry_point = 0x0 region_type = private name = "private_0x0000000023eb0000" filename = "" Region: id = 2485 start_va = 0x23ef0000 end_va = 0x23feffff entry_point = 0x0 region_type = private name = "private_0x0000000023ef0000" filename = "" Region: id = 2486 start_va = 0x23ff0000 end_va = 0x2402ffff entry_point = 0x0 region_type = private name = "private_0x0000000023ff0000" filename = "" Region: id = 2487 start_va = 0x24030000 end_va = 0x2412ffff entry_point = 0x0 region_type = private name = "private_0x0000000024030000" filename = "" Region: id = 2488 start_va = 0x7fa1b000 end_va = 0x7fa1dfff entry_point = 0x0 region_type = private name = "private_0x000000007fa1b000" filename = "" Region: id = 2489 start_va = 0x7fa1e000 end_va = 0x7fa20fff entry_point = 0x0 region_type = private name = "private_0x000000007fa1e000" filename = "" Region: id = 2490 start_va = 0x24130000 end_va = 0x2416ffff entry_point = 0x0 region_type = private name = "private_0x0000000024130000" filename = "" Region: id = 2491 start_va = 0x24170000 end_va = 0x2426ffff entry_point = 0x0 region_type = private name = "private_0x0000000024170000" filename = "" Region: id = 2492 start_va = 0x24270000 end_va = 0x242affff entry_point = 0x0 region_type = private name = "private_0x0000000024270000" filename = "" Region: id = 2493 start_va = 0x242b0000 end_va = 0x243affff entry_point = 0x0 region_type = private name = "private_0x00000000242b0000" filename = "" Region: id = 2494 start_va = 0x7fa15000 end_va = 0x7fa17fff entry_point = 0x0 region_type = private name = "private_0x000000007fa15000" filename = "" Region: id = 2495 start_va = 0x7fa18000 end_va = 0x7fa1afff entry_point = 0x0 region_type = private name = "private_0x000000007fa18000" filename = "" Region: id = 2496 start_va = 0x243b0000 end_va = 0x243effff entry_point = 0x0 region_type = private name = "private_0x00000000243b0000" filename = "" Region: id = 2497 start_va = 0x243f0000 end_va = 0x244effff entry_point = 0x0 region_type = private name = "private_0x00000000243f0000" filename = "" Region: id = 2498 start_va = 0x7fa12000 end_va = 0x7fa14fff entry_point = 0x0 region_type = private name = "private_0x000000007fa12000" filename = "" Region: id = 2499 start_va = 0x244f0000 end_va = 0x2452ffff entry_point = 0x0 region_type = private name = "private_0x00000000244f0000" filename = "" Region: id = 2500 start_va = 0x24530000 end_va = 0x2462ffff entry_point = 0x0 region_type = private name = "private_0x0000000024530000" filename = "" Region: id = 2501 start_va = 0x7fa0f000 end_va = 0x7fa11fff entry_point = 0x0 region_type = private name = "private_0x000000007fa0f000" filename = "" Region: id = 2502 start_va = 0x24630000 end_va = 0x2466ffff entry_point = 0x0 region_type = private name = "private_0x0000000024630000" filename = "" Region: id = 2503 start_va = 0x24670000 end_va = 0x2476ffff entry_point = 0x0 region_type = private name = "private_0x0000000024670000" filename = "" Region: id = 2504 start_va = 0x24770000 end_va = 0x247affff entry_point = 0x0 region_type = private name = "private_0x0000000024770000" filename = "" Region: id = 2505 start_va = 0x247b0000 end_va = 0x248affff entry_point = 0x0 region_type = private name = "private_0x00000000247b0000" filename = "" Region: id = 2506 start_va = 0x248b0000 end_va = 0x248effff entry_point = 0x0 region_type = private name = "private_0x00000000248b0000" filename = "" Region: id = 2507 start_va = 0x248f0000 end_va = 0x249effff entry_point = 0x0 region_type = private name = "private_0x00000000248f0000" filename = "" Region: id = 2508 start_va = 0x7fa06000 end_va = 0x7fa08fff entry_point = 0x0 region_type = private name = "private_0x000000007fa06000" filename = "" Region: id = 2509 start_va = 0x7fa09000 end_va = 0x7fa0bfff entry_point = 0x0 region_type = private name = "private_0x000000007fa09000" filename = "" Region: id = 2510 start_va = 0x7fa0c000 end_va = 0x7fa0efff entry_point = 0x0 region_type = private name = "private_0x000000007fa0c000" filename = "" Region: id = 2511 start_va = 0x249f0000 end_va = 0x24a2ffff entry_point = 0x0 region_type = private name = "private_0x00000000249f0000" filename = "" Region: id = 2512 start_va = 0x24a30000 end_va = 0x24b2ffff entry_point = 0x0 region_type = private name = "private_0x0000000024a30000" filename = "" Region: id = 2513 start_va = 0x7fa03000 end_va = 0x7fa05fff entry_point = 0x0 region_type = private name = "private_0x000000007fa03000" filename = "" Region: id = 2514 start_va = 0x24b30000 end_va = 0x24b6ffff entry_point = 0x0 region_type = private name = "private_0x0000000024b30000" filename = "" Region: id = 2515 start_va = 0x24b70000 end_va = 0x24c6ffff entry_point = 0x0 region_type = private name = "private_0x0000000024b70000" filename = "" Region: id = 2516 start_va = 0x7fa00000 end_va = 0x7fa02fff entry_point = 0x0 region_type = private name = "private_0x000000007fa00000" filename = "" Region: id = 2517 start_va = 0x24c70000 end_va = 0x24caffff entry_point = 0x0 region_type = private name = "private_0x0000000024c70000" filename = "" Region: id = 2518 start_va = 0x24cb0000 end_va = 0x24daffff entry_point = 0x0 region_type = private name = "private_0x0000000024cb0000" filename = "" Region: id = 2519 start_va = 0x7f9fd000 end_va = 0x7f9fffff entry_point = 0x0 region_type = private name = "private_0x000000007f9fd000" filename = "" Region: id = 2520 start_va = 0x24db0000 end_va = 0x24deffff entry_point = 0x0 region_type = private name = "private_0x0000000024db0000" filename = "" Region: id = 2521 start_va = 0x24df0000 end_va = 0x24eeffff entry_point = 0x0 region_type = private name = "private_0x0000000024df0000" filename = "" Region: id = 2522 start_va = 0x7f9fa000 end_va = 0x7f9fcfff entry_point = 0x0 region_type = private name = "private_0x000000007f9fa000" filename = "" Region: id = 2523 start_va = 0x24ef0000 end_va = 0x24f2ffff entry_point = 0x0 region_type = private name = "private_0x0000000024ef0000" filename = "" Region: id = 2524 start_va = 0x24f30000 end_va = 0x2502ffff entry_point = 0x0 region_type = private name = "private_0x0000000024f30000" filename = "" Region: id = 2525 start_va = 0x7f9f7000 end_va = 0x7f9f9fff entry_point = 0x0 region_type = private name = "private_0x000000007f9f7000" filename = "" Region: id = 2526 start_va = 0x25030000 end_va = 0x2506ffff entry_point = 0x0 region_type = private name = "private_0x0000000025030000" filename = "" Region: id = 2527 start_va = 0x25070000 end_va = 0x2516ffff entry_point = 0x0 region_type = private name = "private_0x0000000025070000" filename = "" Region: id = 2528 start_va = 0x7f9f4000 end_va = 0x7f9f6fff entry_point = 0x0 region_type = private name = "private_0x000000007f9f4000" filename = "" Region: id = 2529 start_va = 0x25170000 end_va = 0x251affff entry_point = 0x0 region_type = private name = "private_0x0000000025170000" filename = "" Region: id = 2530 start_va = 0x251b0000 end_va = 0x252affff entry_point = 0x0 region_type = private name = "private_0x00000000251b0000" filename = "" Region: id = 2531 start_va = 0x7f9f1000 end_va = 0x7f9f3fff entry_point = 0x0 region_type = private name = "private_0x000000007f9f1000" filename = "" Region: id = 2532 start_va = 0x252b0000 end_va = 0x252effff entry_point = 0x0 region_type = private name = "private_0x00000000252b0000" filename = "" Region: id = 2533 start_va = 0x252f0000 end_va = 0x253effff entry_point = 0x0 region_type = private name = "private_0x00000000252f0000" filename = "" Region: id = 2534 start_va = 0x7f9ee000 end_va = 0x7f9f0fff entry_point = 0x0 region_type = private name = "private_0x000000007f9ee000" filename = "" Region: id = 2535 start_va = 0x253f0000 end_va = 0x2542ffff entry_point = 0x0 region_type = private name = "private_0x00000000253f0000" filename = "" Region: id = 2536 start_va = 0x25430000 end_va = 0x2552ffff entry_point = 0x0 region_type = private name = "private_0x0000000025430000" filename = "" Region: id = 2537 start_va = 0x7f9eb000 end_va = 0x7f9edfff entry_point = 0x0 region_type = private name = "private_0x000000007f9eb000" filename = "" Region: id = 2538 start_va = 0x25530000 end_va = 0x2556ffff entry_point = 0x0 region_type = private name = "private_0x0000000025530000" filename = "" Region: id = 2539 start_va = 0x25570000 end_va = 0x2566ffff entry_point = 0x0 region_type = private name = "private_0x0000000025570000" filename = "" Region: id = 2540 start_va = 0x7f9e8000 end_va = 0x7f9eafff entry_point = 0x0 region_type = private name = "private_0x000000007f9e8000" filename = "" Region: id = 2541 start_va = 0x25670000 end_va = 0x256affff entry_point = 0x0 region_type = private name = "private_0x0000000025670000" filename = "" Region: id = 2542 start_va = 0x256b0000 end_va = 0x257affff entry_point = 0x0 region_type = private name = "private_0x00000000256b0000" filename = "" Region: id = 2543 start_va = 0x7f9e5000 end_va = 0x7f9e7fff entry_point = 0x0 region_type = private name = "private_0x000000007f9e5000" filename = "" Region: id = 2544 start_va = 0x257b0000 end_va = 0x257effff entry_point = 0x0 region_type = private name = "private_0x00000000257b0000" filename = "" Region: id = 2545 start_va = 0x257f0000 end_va = 0x258effff entry_point = 0x0 region_type = private name = "private_0x00000000257f0000" filename = "" Region: id = 2546 start_va = 0x258f0000 end_va = 0x2592ffff entry_point = 0x0 region_type = private name = "private_0x00000000258f0000" filename = "" Region: id = 2547 start_va = 0x25930000 end_va = 0x25a2ffff entry_point = 0x0 region_type = private name = "private_0x0000000025930000" filename = "" Region: id = 2548 start_va = 0x7f9df000 end_va = 0x7f9e1fff entry_point = 0x0 region_type = private name = "private_0x000000007f9df000" filename = "" Region: id = 2549 start_va = 0x7f9e2000 end_va = 0x7f9e4fff entry_point = 0x0 region_type = private name = "private_0x000000007f9e2000" filename = "" Region: id = 2550 start_va = 0x25a30000 end_va = 0x25a6ffff entry_point = 0x0 region_type = private name = "private_0x0000000025a30000" filename = "" Region: id = 2551 start_va = 0x25a70000 end_va = 0x25b6ffff entry_point = 0x0 region_type = private name = "private_0x0000000025a70000" filename = "" Region: id = 2552 start_va = 0x7f9dc000 end_va = 0x7f9defff entry_point = 0x0 region_type = private name = "private_0x000000007f9dc000" filename = "" Region: id = 2553 start_va = 0x25b70000 end_va = 0x25baffff entry_point = 0x0 region_type = private name = "private_0x0000000025b70000" filename = "" Region: id = 2554 start_va = 0x25bb0000 end_va = 0x25caffff entry_point = 0x0 region_type = private name = "private_0x0000000025bb0000" filename = "" Region: id = 2555 start_va = 0x7f9d9000 end_va = 0x7f9dbfff entry_point = 0x0 region_type = private name = "private_0x000000007f9d9000" filename = "" Region: id = 2556 start_va = 0x25cb0000 end_va = 0x25ceffff entry_point = 0x0 region_type = private name = "private_0x0000000025cb0000" filename = "" Region: id = 2557 start_va = 0x25cf0000 end_va = 0x25deffff entry_point = 0x0 region_type = private name = "private_0x0000000025cf0000" filename = "" Region: id = 2558 start_va = 0x7f9d6000 end_va = 0x7f9d8fff entry_point = 0x0 region_type = private name = "private_0x000000007f9d6000" filename = "" Region: id = 2559 start_va = 0x25df0000 end_va = 0x25e2ffff entry_point = 0x0 region_type = private name = "private_0x0000000025df0000" filename = "" Region: id = 2560 start_va = 0x25e30000 end_va = 0x25f2ffff entry_point = 0x0 region_type = private name = "private_0x0000000025e30000" filename = "" Region: id = 2561 start_va = 0x7f9d3000 end_va = 0x7f9d5fff entry_point = 0x0 region_type = private name = "private_0x000000007f9d3000" filename = "" Region: id = 2562 start_va = 0x25f30000 end_va = 0x25f6ffff entry_point = 0x0 region_type = private name = "private_0x0000000025f30000" filename = "" Region: id = 2563 start_va = 0x25f70000 end_va = 0x2606ffff entry_point = 0x0 region_type = private name = "private_0x0000000025f70000" filename = "" Region: id = 2564 start_va = 0x7f9d0000 end_va = 0x7f9d2fff entry_point = 0x0 region_type = private name = "private_0x000000007f9d0000" filename = "" Region: id = 2565 start_va = 0x26070000 end_va = 0x260affff entry_point = 0x0 region_type = private name = "private_0x0000000026070000" filename = "" Region: id = 2566 start_va = 0x260b0000 end_va = 0x261affff entry_point = 0x0 region_type = private name = "private_0x00000000260b0000" filename = "" Region: id = 2567 start_va = 0x7f9cd000 end_va = 0x7f9cffff entry_point = 0x0 region_type = private name = "private_0x000000007f9cd000" filename = "" Region: id = 2568 start_va = 0x261b0000 end_va = 0x261effff entry_point = 0x0 region_type = private name = "private_0x00000000261b0000" filename = "" Region: id = 2569 start_va = 0x261f0000 end_va = 0x262effff entry_point = 0x0 region_type = private name = "private_0x00000000261f0000" filename = "" Region: id = 2570 start_va = 0x262f0000 end_va = 0x2632ffff entry_point = 0x0 region_type = private name = "private_0x00000000262f0000" filename = "" Region: id = 2571 start_va = 0x26330000 end_va = 0x2642ffff entry_point = 0x0 region_type = private name = "private_0x0000000026330000" filename = "" Region: id = 2572 start_va = 0x7f9c7000 end_va = 0x7f9c9fff entry_point = 0x0 region_type = private name = "private_0x000000007f9c7000" filename = "" Region: id = 2573 start_va = 0x7f9ca000 end_va = 0x7f9ccfff entry_point = 0x0 region_type = private name = "private_0x000000007f9ca000" filename = "" Region: id = 2574 start_va = 0x26430000 end_va = 0x2646ffff entry_point = 0x0 region_type = private name = "private_0x0000000026430000" filename = "" Region: id = 2575 start_va = 0x26470000 end_va = 0x2656ffff entry_point = 0x0 region_type = private name = "private_0x0000000026470000" filename = "" Region: id = 2576 start_va = 0x7f9c4000 end_va = 0x7f9c6fff entry_point = 0x0 region_type = private name = "private_0x000000007f9c4000" filename = "" Region: id = 2577 start_va = 0x26570000 end_va = 0x265affff entry_point = 0x0 region_type = private name = "private_0x0000000026570000" filename = "" Region: id = 2578 start_va = 0x265b0000 end_va = 0x266affff entry_point = 0x0 region_type = private name = "private_0x00000000265b0000" filename = "" Region: id = 2579 start_va = 0x266b0000 end_va = 0x266effff entry_point = 0x0 region_type = private name = "private_0x00000000266b0000" filename = "" Region: id = 2580 start_va = 0x266f0000 end_va = 0x267effff entry_point = 0x0 region_type = private name = "private_0x00000000266f0000" filename = "" Region: id = 2581 start_va = 0x267f0000 end_va = 0x2682ffff entry_point = 0x0 region_type = private name = "private_0x00000000267f0000" filename = "" Region: id = 2582 start_va = 0x26830000 end_va = 0x2692ffff entry_point = 0x0 region_type = private name = "private_0x0000000026830000" filename = "" Region: id = 2583 start_va = 0x26930000 end_va = 0x2696ffff entry_point = 0x0 region_type = private name = "private_0x0000000026930000" filename = "" Region: id = 2584 start_va = 0x26970000 end_va = 0x26a6ffff entry_point = 0x0 region_type = private name = "private_0x0000000026970000" filename = "" Region: id = 2585 start_va = 0x7f9b8000 end_va = 0x7f9bafff entry_point = 0x0 region_type = private name = "private_0x000000007f9b8000" filename = "" Region: id = 2586 start_va = 0x7f9bb000 end_va = 0x7f9bdfff entry_point = 0x0 region_type = private name = "private_0x000000007f9bb000" filename = "" Region: id = 2587 start_va = 0x7f9be000 end_va = 0x7f9c0fff entry_point = 0x0 region_type = private name = "private_0x000000007f9be000" filename = "" Region: id = 2588 start_va = 0x7f9c1000 end_va = 0x7f9c3fff entry_point = 0x0 region_type = private name = "private_0x000000007f9c1000" filename = "" Region: id = 2589 start_va = 0x26a70000 end_va = 0x26aaffff entry_point = 0x0 region_type = private name = "private_0x0000000026a70000" filename = "" Region: id = 2590 start_va = 0x26ab0000 end_va = 0x26baffff entry_point = 0x0 region_type = private name = "private_0x0000000026ab0000" filename = "" Region: id = 2591 start_va = 0x26bb0000 end_va = 0x26beffff entry_point = 0x0 region_type = private name = "private_0x0000000026bb0000" filename = "" Region: id = 2592 start_va = 0x26bf0000 end_va = 0x26ceffff entry_point = 0x0 region_type = private name = "private_0x0000000026bf0000" filename = "" Region: id = 2593 start_va = 0x7f9b2000 end_va = 0x7f9b4fff entry_point = 0x0 region_type = private name = "private_0x000000007f9b2000" filename = "" Region: id = 2594 start_va = 0x7f9b5000 end_va = 0x7f9b7fff entry_point = 0x0 region_type = private name = "private_0x000000007f9b5000" filename = "" Region: id = 2595 start_va = 0x26cf0000 end_va = 0x26d2ffff entry_point = 0x0 region_type = private name = "private_0x0000000026cf0000" filename = "" Region: id = 2596 start_va = 0x26d30000 end_va = 0x26e2ffff entry_point = 0x0 region_type = private name = "private_0x0000000026d30000" filename = "" Region: id = 2597 start_va = 0x7f9af000 end_va = 0x7f9b1fff entry_point = 0x0 region_type = private name = "private_0x000000007f9af000" filename = "" Region: id = 2598 start_va = 0x26e30000 end_va = 0x26e6ffff entry_point = 0x0 region_type = private name = "private_0x0000000026e30000" filename = "" Region: id = 2599 start_va = 0x26e70000 end_va = 0x26f6ffff entry_point = 0x0 region_type = private name = "private_0x0000000026e70000" filename = "" Region: id = 2600 start_va = 0x7f9ac000 end_va = 0x7f9aefff entry_point = 0x0 region_type = private name = "private_0x000000007f9ac000" filename = "" Region: id = 2601 start_va = 0x11b60000 end_va = 0x11b9ffff entry_point = 0x0 region_type = private name = "private_0x0000000011b60000" filename = "" Region: id = 2602 start_va = 0x26f70000 end_va = 0x26faffff entry_point = 0x0 region_type = private name = "private_0x0000000026f70000" filename = "" Region: id = 2603 start_va = 0x26fb0000 end_va = 0x270affff entry_point = 0x0 region_type = private name = "private_0x0000000026fb0000" filename = "" Region: id = 2604 start_va = 0x270b0000 end_va = 0x270effff entry_point = 0x0 region_type = private name = "private_0x00000000270b0000" filename = "" Region: id = 2605 start_va = 0x270f0000 end_va = 0x271effff entry_point = 0x0 region_type = private name = "private_0x00000000270f0000" filename = "" Region: id = 2606 start_va = 0x271f0000 end_va = 0x2722ffff entry_point = 0x0 region_type = private name = "private_0x00000000271f0000" filename = "" Region: id = 2607 start_va = 0x27230000 end_va = 0x2732ffff entry_point = 0x0 region_type = private name = "private_0x0000000027230000" filename = "" Region: id = 2608 start_va = 0x27330000 end_va = 0x2736ffff entry_point = 0x0 region_type = private name = "private_0x0000000027330000" filename = "" Region: id = 2609 start_va = 0x27370000 end_va = 0x2746ffff entry_point = 0x0 region_type = private name = "private_0x0000000027370000" filename = "" Region: id = 2610 start_va = 0x27470000 end_va = 0x274affff entry_point = 0x0 region_type = private name = "private_0x0000000027470000" filename = "" Region: id = 2611 start_va = 0x274b0000 end_va = 0x275affff entry_point = 0x0 region_type = private name = "private_0x00000000274b0000" filename = "" Region: id = 2612 start_va = 0x275b0000 end_va = 0x276affff entry_point = 0x0 region_type = private name = "private_0x00000000275b0000" filename = "" Region: id = 2613 start_va = 0x276b0000 end_va = 0x276effff entry_point = 0x0 region_type = private name = "private_0x00000000276b0000" filename = "" Region: id = 2614 start_va = 0x276f0000 end_va = 0x277effff entry_point = 0x0 region_type = private name = "private_0x00000000276f0000" filename = "" Region: id = 2615 start_va = 0x277f0000 end_va = 0x2782ffff entry_point = 0x0 region_type = private name = "private_0x00000000277f0000" filename = "" Region: id = 2616 start_va = 0x27830000 end_va = 0x2792ffff entry_point = 0x0 region_type = private name = "private_0x0000000027830000" filename = "" Region: id = 2617 start_va = 0x27930000 end_va = 0x2796ffff entry_point = 0x0 region_type = private name = "private_0x0000000027930000" filename = "" Region: id = 2618 start_va = 0x27970000 end_va = 0x27a6ffff entry_point = 0x0 region_type = private name = "private_0x0000000027970000" filename = "" Region: id = 2619 start_va = 0x7f991000 end_va = 0x7f993fff entry_point = 0x0 region_type = private name = "private_0x000000007f991000" filename = "" Region: id = 2620 start_va = 0x7f994000 end_va = 0x7f996fff entry_point = 0x0 region_type = private name = "private_0x000000007f994000" filename = "" Region: id = 2621 start_va = 0x7f997000 end_va = 0x7f999fff entry_point = 0x0 region_type = private name = "private_0x000000007f997000" filename = "" Region: id = 2622 start_va = 0x7f99a000 end_va = 0x7f99cfff entry_point = 0x0 region_type = private name = "private_0x000000007f99a000" filename = "" Region: id = 2623 start_va = 0x7f99d000 end_va = 0x7f99ffff entry_point = 0x0 region_type = private name = "private_0x000000007f99d000" filename = "" Region: id = 2624 start_va = 0x7f9a0000 end_va = 0x7f9a2fff entry_point = 0x0 region_type = private name = "private_0x000000007f9a0000" filename = "" Region: id = 2625 start_va = 0x7f9a3000 end_va = 0x7f9a5fff entry_point = 0x0 region_type = private name = "private_0x000000007f9a3000" filename = "" Region: id = 2626 start_va = 0x7f9a6000 end_va = 0x7f9a8fff entry_point = 0x0 region_type = private name = "private_0x000000007f9a6000" filename = "" Region: id = 2627 start_va = 0x7f9a9000 end_va = 0x7f9abfff entry_point = 0x0 region_type = private name = "private_0x000000007f9a9000" filename = "" Region: id = 2628 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 2629 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 2630 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 2631 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 2632 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 2633 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 2634 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 2635 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 2636 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 2637 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 2638 start_va = 0x63d0000 end_va = 0x640ffff entry_point = 0x0 region_type = private name = "private_0x00000000063d0000" filename = "" Region: id = 2639 start_va = 0x27a70000 end_va = 0x27b6ffff entry_point = 0x0 region_type = private name = "private_0x0000000027a70000" filename = "" Region: id = 2640 start_va = 0x74360000 end_va = 0x7436ffff entry_point = 0x74360000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 2641 start_va = 0x7f98e000 end_va = 0x7f990fff entry_point = 0x0 region_type = private name = "private_0x000000007f98e000" filename = "" Region: id = 2642 start_va = 0x6410000 end_va = 0x644ffff entry_point = 0x0 region_type = private name = "private_0x0000000006410000" filename = "" Region: id = 2643 start_va = 0x6450000 end_va = 0x648ffff entry_point = 0x0 region_type = private name = "private_0x0000000006450000" filename = "" Region: id = 2644 start_va = 0x27b70000 end_va = 0x27c6ffff entry_point = 0x0 region_type = private name = "private_0x0000000027b70000" filename = "" Region: id = 2645 start_va = 0x27c70000 end_va = 0x27d6ffff entry_point = 0x0 region_type = private name = "private_0x0000000027c70000" filename = "" Region: id = 2646 start_va = 0x7f988000 end_va = 0x7f98afff entry_point = 0x0 region_type = private name = "private_0x000000007f988000" filename = "" Region: id = 2647 start_va = 0x7f98b000 end_va = 0x7f98dfff entry_point = 0x0 region_type = private name = "private_0x000000007f98b000" filename = "" Region: id = 2648 start_va = 0x31d0000 end_va = 0x31d0fff entry_point = 0x31d0000 region_type = mapped_file name = "deploymentconfig.1.xml id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.1.xml id-br3n0g72wub8cejt.lyas") Region: id = 2649 start_va = 0x6490000 end_va = 0x64cffff entry_point = 0x0 region_type = private name = "private_0x0000000006490000" filename = "" Region: id = 2650 start_va = 0x27d70000 end_va = 0x27e6ffff entry_point = 0x0 region_type = private name = "private_0x0000000027d70000" filename = "" Region: id = 2651 start_va = 0x27e70000 end_va = 0x27eaffff entry_point = 0x0 region_type = private name = "private_0x0000000027e70000" filename = "" Region: id = 2652 start_va = 0x27eb0000 end_va = 0x27faffff entry_point = 0x0 region_type = private name = "private_0x0000000027eb0000" filename = "" Region: id = 2653 start_va = 0x7f982000 end_va = 0x7f984fff entry_point = 0x0 region_type = private name = "private_0x000000007f982000" filename = "" Region: id = 2654 start_va = 0x7f985000 end_va = 0x7f987fff entry_point = 0x0 region_type = private name = "private_0x000000007f985000" filename = "" Region: id = 2655 start_va = 0x27fb0000 end_va = 0x27feffff entry_point = 0x0 region_type = private name = "private_0x0000000027fb0000" filename = "" Region: id = 2656 start_va = 0x27ff0000 end_va = 0x280effff entry_point = 0x0 region_type = private name = "private_0x0000000027ff0000" filename = "" Region: id = 2657 start_va = 0x7f97f000 end_va = 0x7f981fff entry_point = 0x0 region_type = private name = "private_0x000000007f97f000" filename = "" Region: id = 2658 start_va = 0x280f0000 end_va = 0x281effff entry_point = 0x280f0000 region_type = mapped_file name = "baseimagefam8 id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\Oracle\\Java\\installcache_x64\\baseimagefam8 id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\oracle\\java\\installcache_x64\\baseimagefam8 id-br3n0g72wub8cejt.lyas") Region: id = 2659 start_va = 0x31d0000 end_va = 0x31d0fff entry_point = 0x31d0000 region_type = mapped_file name = "deploymentconfig.2.xml id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.2.xml id-br3n0g72wub8cejt.lyas") Region: id = 2660 start_va = 0x281f0000 end_va = 0x282b3fff entry_point = 0x281f0000 region_type = mapped_file name = "msdia100.dll id-br3n0g72wub8cejt.lyas" filename = "\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\msdia100.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\msdia100.dll id-br3n0g72wub8cejt.lyas") Region: id = 2661 start_va = 0x31e0000 end_va = 0x31e0fff entry_point = 0x31e0000 region_type = mapped_file name = "6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848 id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848 id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848 id-br3n0g72wub8cejt.lyas") Region: id = 2662 start_va = 0x31f0000 end_va = 0x31f0fff entry_point = 0x31f0000 region_type = mapped_file name = "bing.url id-br3n0g72wub8cejt.lyas" filename = "\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\bing.url id-br3n0g72wub8cejt.lyas") Region: id = 2663 start_va = 0x31f0000 end_va = 0x31f5fff entry_point = 0x31f0000 region_type = mapped_file name = "ppcrlconfig600.dll id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\ppcrlconfig600.dll id-br3n0g72wub8cejt.lyas") Region: id = 2664 start_va = 0x280f0000 end_va = 0x2812ffff entry_point = 0x0 region_type = private name = "private_0x00000000280f0000" filename = "" Region: id = 2665 start_va = 0x282c0000 end_va = 0x283bffff entry_point = 0x0 region_type = private name = "private_0x00000000282c0000" filename = "" Region: id = 2666 start_va = 0x7f97c000 end_va = 0x7f97efff entry_point = 0x0 region_type = private name = "private_0x000000007f97c000" filename = "" Region: id = 2667 start_va = 0x4dc0000 end_va = 0x4dc0fff entry_point = 0x4dc0000 region_type = mapped_file name = "desktop.ini id-br3n0g72wub8cejt.lyas" filename = "\\Users\\Public\\AccountPictures\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\public\\accountpictures\\desktop.ini id-br3n0g72wub8cejt.lyas") Region: id = 2668 start_va = 0x4dc0000 end_va = 0x4dc1fff entry_point = 0x4dc0000 region_type = mapped_file name = "wlive48x48.png id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\windows live\\wlive48x48.png id-br3n0g72wub8cejt.lyas") Region: id = 2669 start_va = 0x4dd0000 end_va = 0x4dd0fff entry_point = 0x4dd0000 region_type = mapped_file name = "17dfc292991c7c24.timestamp id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c24.timestamp id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\oracle\\java\\.oracle_jre_usage\\17dfc292991c7c24.timestamp id-br3n0g72wub8cejt.lyas") Region: id = 2670 start_va = 0x4dc0000 end_va = 0x4dd8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004dc0000" filename = "" Region: id = 2671 start_va = 0x4dc0000 end_va = 0x4dc9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004dc0000" filename = "" Region: id = 2672 start_va = 0x28130000 end_va = 0x28186fff entry_point = 0x28130000 region_type = mapped_file name = "database1.accdb id-br3n0g72wub8cejt.lyas" filename = "\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\database1.accdb id-br3n0g72wub8cejt.lyas") Region: id = 2673 start_va = 0x4dc0000 end_va = 0x4dc0fff entry_point = 0x4dc0000 region_type = mapped_file name = "everywhere.search-ms id-br3n0g72wub8cejt.lyas" filename = "\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\searches\\everywhere.search-ms id-br3n0g72wub8cejt.lyas") Region: id = 2674 start_va = 0x4dc0000 end_va = 0x4dd2fff entry_point = 0x4dc0000 region_type = mapped_file name = "slightly.exe" filename = "\\Program Files (x86)\\Windows Portable Devices\\slightly.exe" (normalized: "c:\\program files (x86)\\windows portable devices\\slightly.exe") Region: id = 2675 start_va = 0x28190000 end_va = 0x281cffff entry_point = 0x0 region_type = private name = "private_0x0000000028190000" filename = "" Region: id = 2676 start_va = 0x283c0000 end_va = 0x284bffff entry_point = 0x0 region_type = private name = "private_0x00000000283c0000" filename = "" Region: id = 2677 start_va = 0x284c0000 end_va = 0x284fffff entry_point = 0x0 region_type = private name = "private_0x00000000284c0000" filename = "" Region: id = 2678 start_va = 0x28500000 end_va = 0x285fffff entry_point = 0x0 region_type = private name = "private_0x0000000028500000" filename = "" Region: id = 2679 start_va = 0x28600000 end_va = 0x2863ffff entry_point = 0x0 region_type = private name = "private_0x0000000028600000" filename = "" Region: id = 2680 start_va = 0x28640000 end_va = 0x2873ffff entry_point = 0x0 region_type = private name = "private_0x0000000028640000" filename = "" Region: id = 2681 start_va = 0x28740000 end_va = 0x2877ffff entry_point = 0x0 region_type = private name = "private_0x0000000028740000" filename = "" Region: id = 2682 start_va = 0x28780000 end_va = 0x2887ffff entry_point = 0x0 region_type = private name = "private_0x0000000028780000" filename = "" Region: id = 2683 start_va = 0x28880000 end_va = 0x288bffff entry_point = 0x0 region_type = private name = "private_0x0000000028880000" filename = "" Region: id = 2684 start_va = 0x288c0000 end_va = 0x289bffff entry_point = 0x0 region_type = private name = "private_0x00000000288c0000" filename = "" Region: id = 2685 start_va = 0x289c0000 end_va = 0x289fffff entry_point = 0x0 region_type = private name = "private_0x00000000289c0000" filename = "" Region: id = 2686 start_va = 0x28a00000 end_va = 0x28afffff entry_point = 0x0 region_type = private name = "private_0x0000000028a00000" filename = "" Region: id = 2687 start_va = 0x7f96a000 end_va = 0x7f96cfff entry_point = 0x0 region_type = private name = "private_0x000000007f96a000" filename = "" Region: id = 2688 start_va = 0x7f96d000 end_va = 0x7f96ffff entry_point = 0x0 region_type = private name = "private_0x000000007f96d000" filename = "" Region: id = 2689 start_va = 0x7f970000 end_va = 0x7f972fff entry_point = 0x0 region_type = private name = "private_0x000000007f970000" filename = "" Region: id = 2690 start_va = 0x7f973000 end_va = 0x7f975fff entry_point = 0x0 region_type = private name = "private_0x000000007f973000" filename = "" Region: id = 2691 start_va = 0x7f976000 end_va = 0x7f978fff entry_point = 0x0 region_type = private name = "private_0x000000007f976000" filename = "" Region: id = 2692 start_va = 0x7f979000 end_va = 0x7f97bfff entry_point = 0x0 region_type = private name = "private_0x000000007f979000" filename = "" Region: id = 2693 start_va = 0x28b00000 end_va = 0x28b7dfff entry_point = 0x28b00000 region_type = mapped_file name = "ntuser.dat.log2 id-br3n0g72wub8cejt.lyas" filename = "\\Users\\Default\\NTUSER.DAT.LOG2 id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\default\\ntuser.dat.log2 id-br3n0g72wub8cejt.lyas") Region: id = 2694 start_va = 0x4dc0000 end_va = 0x4dc0fff entry_point = 0x4dc0000 region_type = mapped_file name = "indexed locations.search-ms id-br3n0g72wub8cejt.lyas" filename = "\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\searches\\indexed locations.search-ms id-br3n0g72wub8cejt.lyas") Region: id = 2695 start_va = 0x4dc0000 end_va = 0x4dd5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004dc0000" filename = "" Region: id = 2696 start_va = 0x4dc0000 end_va = 0x4dd4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004dc0000" filename = "" Region: id = 2697 start_va = 0x4dc0000 end_va = 0x4dc0fff entry_point = 0x4dc0000 region_type = mapped_file name = "asdlfk poopvy.contact id-br3n0g72wub8cejt.lyas" filename = "\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\asdlfk poopvy.contact id-br3n0g72wub8cejt.lyas") Region: id = 2698 start_va = 0x4dd0000 end_va = 0x4dd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004dd0000" filename = "" Region: id = 2699 start_va = 0x4dd0000 end_va = 0x4de3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004dd0000" filename = "" Region: id = 2700 start_va = 0x4dd0000 end_va = 0x4dd3fff entry_point = 0x4dd0000 region_type = mapped_file name = "updatesessionorchestration.005.etl id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.005.etl id-br3n0g72wub8cejt.lyas") Region: id = 2701 start_va = 0x4e30000 end_va = 0x4e41fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004e30000" filename = "" Region: id = 2702 start_va = 0x4e30000 end_va = 0x4e44fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004e30000" filename = "" Region: id = 2703 start_va = 0x4e30000 end_va = 0x4e40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004e30000" filename = "" Region: id = 2704 start_va = 0x4de0000 end_va = 0x4deffff entry_point = 0x4de0000 region_type = mapped_file name = "thirdpartylicensereadme-javafx.txt id-br3n0g72wub8cejt.lyas" filename = "\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME-JAVAFX.txt id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\java\\jre1.8.0_131\\thirdpartylicensereadme-javafx.txt id-br3n0g72wub8cejt.lyas") Region: id = 2705 start_va = 0x4dd0000 end_va = 0x4dd0fff entry_point = 0x4dd0000 region_type = mapped_file name = "install.ins id-br3n0g72wub8cejt.lyas" filename = "\\Program Files\\Internet Explorer\\SIGNUP\\install.ins id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins id-br3n0g72wub8cejt.lyas") Region: id = 2706 start_va = 0x28b80000 end_va = 0x28bbffff entry_point = 0x0 region_type = private name = "private_0x0000000028b80000" filename = "" Region: id = 2707 start_va = 0x28bc0000 end_va = 0x28cbffff entry_point = 0x0 region_type = private name = "private_0x0000000028bc0000" filename = "" Region: id = 2708 start_va = 0x28cc0000 end_va = 0x28cebfff entry_point = 0x28cc0000 region_type = mapped_file name = "thirdpartylicensereadme.txt id-br3n0g72wub8cejt.lyas" filename = "\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME.txt id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\java\\jre1.8.0_131\\thirdpartylicensereadme.txt id-br3n0g72wub8cejt.lyas") Region: id = 2709 start_va = 0x7f967000 end_va = 0x7f969fff entry_point = 0x0 region_type = private name = "private_0x000000007f967000" filename = "" Region: id = 2710 start_va = 0x28cf0000 end_va = 0x28d2ffff entry_point = 0x0 region_type = private name = "private_0x0000000028cf0000" filename = "" Region: id = 2711 start_va = 0x28d30000 end_va = 0x28e2ffff entry_point = 0x0 region_type = private name = "private_0x0000000028d30000" filename = "" Region: id = 2712 start_va = 0x28e30000 end_va = 0x28e6ffff entry_point = 0x0 region_type = private name = "private_0x0000000028e30000" filename = "" Region: id = 2713 start_va = 0x28e70000 end_va = 0x28f6ffff entry_point = 0x0 region_type = private name = "private_0x0000000028e70000" filename = "" Region: id = 2714 start_va = 0x28f70000 end_va = 0x28faffff entry_point = 0x0 region_type = private name = "private_0x0000000028f70000" filename = "" Region: id = 2715 start_va = 0x28fb0000 end_va = 0x290affff entry_point = 0x0 region_type = private name = "private_0x0000000028fb0000" filename = "" Region: id = 2716 start_va = 0x290b0000 end_va = 0x290effff entry_point = 0x0 region_type = private name = "private_0x00000000290b0000" filename = "" Region: id = 2717 start_va = 0x290f0000 end_va = 0x291effff entry_point = 0x0 region_type = private name = "private_0x00000000290f0000" filename = "" Region: id = 2718 start_va = 0x291f0000 end_va = 0x2922ffff entry_point = 0x0 region_type = private name = "private_0x00000000291f0000" filename = "" Region: id = 2719 start_va = 0x29230000 end_va = 0x2932ffff entry_point = 0x0 region_type = private name = "private_0x0000000029230000" filename = "" Region: id = 2720 start_va = 0x29330000 end_va = 0x2936ffff entry_point = 0x0 region_type = private name = "private_0x0000000029330000" filename = "" Region: id = 2721 start_va = 0x29370000 end_va = 0x2946ffff entry_point = 0x0 region_type = private name = "private_0x0000000029370000" filename = "" Region: id = 2722 start_va = 0x7f955000 end_va = 0x7f957fff entry_point = 0x0 region_type = private name = "private_0x000000007f955000" filename = "" Region: id = 2723 start_va = 0x7f958000 end_va = 0x7f95afff entry_point = 0x0 region_type = private name = "private_0x000000007f958000" filename = "" Region: id = 2724 start_va = 0x7f95b000 end_va = 0x7f95dfff entry_point = 0x0 region_type = private name = "private_0x000000007f95b000" filename = "" Region: id = 2725 start_va = 0x7f95e000 end_va = 0x7f960fff entry_point = 0x0 region_type = private name = "private_0x000000007f95e000" filename = "" Region: id = 2726 start_va = 0x7f961000 end_va = 0x7f963fff entry_point = 0x0 region_type = private name = "private_0x000000007f961000" filename = "" Region: id = 2727 start_va = 0x7f964000 end_va = 0x7f966fff entry_point = 0x0 region_type = private name = "private_0x000000007f964000" filename = "" Region: id = 2728 start_va = 0x29470000 end_va = 0x294affff entry_point = 0x0 region_type = private name = "private_0x0000000029470000" filename = "" Region: id = 2729 start_va = 0x294b0000 end_va = 0x295affff entry_point = 0x0 region_type = private name = "private_0x00000000294b0000" filename = "" Region: id = 2730 start_va = 0x7f952000 end_va = 0x7f954fff entry_point = 0x0 region_type = private name = "private_0x000000007f952000" filename = "" Region: id = 2731 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 2732 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 2733 start_va = 0x1e1f0000 end_va = 0x1e258fff entry_point = 0x1e1f0000 region_type = mapped_file name = "jaureg.exe id-br3n0g72wub8cejt.lyas" filename = "\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jaureg.exe id-br3n0g72wub8cejt.lyas") Region: id = 2734 start_va = 0x30c0000 end_va = 0x30cbfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 2735 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 2736 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 2737 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 2738 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 2739 start_va = 0x30c0000 end_va = 0x30c4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 2740 start_va = 0x30c0000 end_va = 0x30c6fff entry_point = 0x30c0000 region_type = mapped_file name = "ppcrlconfig600.dll id-br3n0g72wub8cejt.lyas" filename = "\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\ppcrlconfig600.dll id-br3n0g72wub8cejt.lyas") Region: id = 2741 start_va = 0x31e0000 end_va = 0x31e0fff entry_point = 0x31e0000 region_type = mapped_file name = "desktop.ini id-br3n0g72wub8cejt.lyas" filename = "\\Users\\Public\\Libraries\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\public\\libraries\\desktop.ini id-br3n0g72wub8cejt.lyas") Region: id = 2742 start_va = 0x295b0000 end_va = 0x296a1fff entry_point = 0x295b0000 region_type = mapped_file name = "msdia100.dll id-br3n0g72wub8cejt.lyas" filename = "\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll id-br3n0g72wub8cejt.lyas") Region: id = 2743 start_va = 0x1de60000 end_va = 0x1deaffff entry_point = 0x1de60000 region_type = mapped_file name = "aiodlite.dll id-br3n0g72wub8cejt.lyas" filename = "\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\AiodLite.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\adobe\\acrobat reader dc\\esl\\aiodlite.dll id-br3n0g72wub8cejt.lyas") Region: id = 2744 start_va = 0x31f0000 end_va = 0x31f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000031f0000" filename = "" Region: id = 2745 start_va = 0x2ac0000 end_va = 0x2afffff entry_point = 0x0 region_type = private name = "private_0x0000000002ac0000" filename = "" Region: id = 2746 start_va = 0x296b0000 end_va = 0x297affff entry_point = 0x0 region_type = private name = "private_0x00000000296b0000" filename = "" Region: id = 2747 start_va = 0x7f94f000 end_va = 0x7f951fff entry_point = 0x0 region_type = private name = "private_0x000000007f94f000" filename = "" Region: id = 2748 start_va = 0x2b00000 end_va = 0x2b3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b00000" filename = "" Region: id = 2749 start_va = 0x2b40000 end_va = 0x2b7ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 2750 start_va = 0x297b0000 end_va = 0x298affff entry_point = 0x0 region_type = private name = "private_0x00000000297b0000" filename = "" Region: id = 2751 start_va = 0x298b0000 end_va = 0x299affff entry_point = 0x0 region_type = private name = "private_0x00000000298b0000" filename = "" Region: id = 2752 start_va = 0x299b0000 end_va = 0x299effff entry_point = 0x0 region_type = private name = "private_0x00000000299b0000" filename = "" Region: id = 2753 start_va = 0x299f0000 end_va = 0x29aeffff entry_point = 0x0 region_type = private name = "private_0x00000000299f0000" filename = "" Region: id = 2754 start_va = 0x29af0000 end_va = 0x29b2ffff entry_point = 0x0 region_type = private name = "private_0x0000000029af0000" filename = "" Region: id = 2755 start_va = 0x29b30000 end_va = 0x29c2ffff entry_point = 0x0 region_type = private name = "private_0x0000000029b30000" filename = "" Region: id = 2756 start_va = 0x7f943000 end_va = 0x7f945fff entry_point = 0x0 region_type = private name = "private_0x000000007f943000" filename = "" Region: id = 2757 start_va = 0x7f946000 end_va = 0x7f948fff entry_point = 0x0 region_type = private name = "private_0x000000007f946000" filename = "" Region: id = 2758 start_va = 0x7f949000 end_va = 0x7f94bfff entry_point = 0x0 region_type = private name = "private_0x000000007f949000" filename = "" Region: id = 2759 start_va = 0x7f94c000 end_va = 0x7f94efff entry_point = 0x0 region_type = private name = "private_0x000000007f94c000" filename = "" Region: id = 2760 start_va = 0x29c30000 end_va = 0x29c6ffff entry_point = 0x0 region_type = private name = "private_0x0000000029c30000" filename = "" Region: id = 2761 start_va = 0x29c70000 end_va = 0x29d6ffff entry_point = 0x0 region_type = private name = "private_0x0000000029c70000" filename = "" Region: id = 2762 start_va = 0x29d70000 end_va = 0x29daffff entry_point = 0x0 region_type = private name = "private_0x0000000029d70000" filename = "" Region: id = 2763 start_va = 0x29db0000 end_va = 0x29eaffff entry_point = 0x0 region_type = private name = "private_0x0000000029db0000" filename = "" Region: id = 2764 start_va = 0x29eb0000 end_va = 0x29eeffff entry_point = 0x0 region_type = private name = "private_0x0000000029eb0000" filename = "" Region: id = 2765 start_va = 0x29ef0000 end_va = 0x29feffff entry_point = 0x0 region_type = private name = "private_0x0000000029ef0000" filename = "" Region: id = 2766 start_va = 0x7f93a000 end_va = 0x7f93cfff entry_point = 0x0 region_type = private name = "private_0x000000007f93a000" filename = "" Region: id = 2767 start_va = 0x7f93d000 end_va = 0x7f93ffff entry_point = 0x0 region_type = private name = "private_0x000000007f93d000" filename = "" Region: id = 2768 start_va = 0x7f940000 end_va = 0x7f942fff entry_point = 0x0 region_type = private name = "private_0x000000007f940000" filename = "" Region: id = 2769 start_va = 0x29ff0000 end_va = 0x2a02ffff entry_point = 0x0 region_type = private name = "private_0x0000000029ff0000" filename = "" Region: id = 2770 start_va = 0x2a030000 end_va = 0x2a12ffff entry_point = 0x0 region_type = private name = "private_0x000000002a030000" filename = "" Region: id = 2771 start_va = 0x7f937000 end_va = 0x7f939fff entry_point = 0x0 region_type = private name = "private_0x000000007f937000" filename = "" Region: id = 2772 start_va = 0x2a130000 end_va = 0x2a16ffff entry_point = 0x0 region_type = private name = "private_0x000000002a130000" filename = "" Region: id = 2773 start_va = 0x2a170000 end_va = 0x2a26ffff entry_point = 0x0 region_type = private name = "private_0x000000002a170000" filename = "" Region: id = 2774 start_va = 0x7f934000 end_va = 0x7f936fff entry_point = 0x0 region_type = private name = "private_0x000000007f934000" filename = "" Region: id = 2775 start_va = 0x2a270000 end_va = 0x2a2affff entry_point = 0x0 region_type = private name = "private_0x000000002a270000" filename = "" Region: id = 2776 start_va = 0x2a2b0000 end_va = 0x2a3affff entry_point = 0x0 region_type = private name = "private_0x000000002a2b0000" filename = "" Region: id = 2777 start_va = 0x7f931000 end_va = 0x7f933fff entry_point = 0x0 region_type = private name = "private_0x000000007f931000" filename = "" Region: id = 2778 start_va = 0x2a3b0000 end_va = 0x2a3effff entry_point = 0x0 region_type = private name = "private_0x000000002a3b0000" filename = "" Region: id = 2779 start_va = 0x2a3f0000 end_va = 0x2a4effff entry_point = 0x0 region_type = private name = "private_0x000000002a3f0000" filename = "" Region: id = 2780 start_va = 0x2a4f0000 end_va = 0x2a52ffff entry_point = 0x0 region_type = private name = "private_0x000000002a4f0000" filename = "" Region: id = 2781 start_va = 0x2a530000 end_va = 0x2a62ffff entry_point = 0x0 region_type = private name = "private_0x000000002a530000" filename = "" Region: id = 2782 start_va = 0x2a630000 end_va = 0x2a66ffff entry_point = 0x0 region_type = private name = "private_0x000000002a630000" filename = "" Region: id = 2783 start_va = 0x2a670000 end_va = 0x2a76ffff entry_point = 0x0 region_type = private name = "private_0x000000002a670000" filename = "" Region: id = 2784 start_va = 0x2a770000 end_va = 0x2a7affff entry_point = 0x0 region_type = private name = "private_0x000000002a770000" filename = "" Region: id = 2785 start_va = 0x2a7b0000 end_va = 0x2a8affff entry_point = 0x0 region_type = private name = "private_0x000000002a7b0000" filename = "" Region: id = 2786 start_va = 0x2a8b0000 end_va = 0x2a8effff entry_point = 0x0 region_type = private name = "private_0x000000002a8b0000" filename = "" Region: id = 2787 start_va = 0x2a8f0000 end_va = 0x2a9effff entry_point = 0x0 region_type = private name = "private_0x000000002a8f0000" filename = "" Region: id = 2788 start_va = 0x2a9f0000 end_va = 0x2aa2ffff entry_point = 0x0 region_type = private name = "private_0x000000002a9f0000" filename = "" Region: id = 2789 start_va = 0x2aa30000 end_va = 0x2ab2ffff entry_point = 0x0 region_type = private name = "private_0x000000002aa30000" filename = "" Region: id = 2790 start_va = 0x7f91f000 end_va = 0x7f921fff entry_point = 0x0 region_type = private name = "private_0x000000007f91f000" filename = "" Region: id = 2791 start_va = 0x7f922000 end_va = 0x7f924fff entry_point = 0x0 region_type = private name = "private_0x000000007f922000" filename = "" Region: id = 2792 start_va = 0x7f925000 end_va = 0x7f927fff entry_point = 0x0 region_type = private name = "private_0x000000007f925000" filename = "" Region: id = 2793 start_va = 0x7f928000 end_va = 0x7f92afff entry_point = 0x0 region_type = private name = "private_0x000000007f928000" filename = "" Region: id = 2794 start_va = 0x7f92b000 end_va = 0x7f92dfff entry_point = 0x0 region_type = private name = "private_0x000000007f92b000" filename = "" Region: id = 2795 start_va = 0x7f92e000 end_va = 0x7f930fff entry_point = 0x0 region_type = private name = "private_0x000000007f92e000" filename = "" Region: id = 2796 start_va = 0x2ab30000 end_va = 0x2ab6ffff entry_point = 0x0 region_type = private name = "private_0x000000002ab30000" filename = "" Region: id = 2797 start_va = 0x2ab70000 end_va = 0x2ac6ffff entry_point = 0x0 region_type = private name = "private_0x000000002ab70000" filename = "" Region: id = 2798 start_va = 0x7f91c000 end_va = 0x7f91efff entry_point = 0x0 region_type = private name = "private_0x000000007f91c000" filename = "" Region: id = 2799 start_va = 0x2ac70000 end_va = 0x2acaffff entry_point = 0x0 region_type = private name = "private_0x000000002ac70000" filename = "" Region: id = 2800 start_va = 0x2acb0000 end_va = 0x2adaffff entry_point = 0x0 region_type = private name = "private_0x000000002acb0000" filename = "" Region: id = 2801 start_va = 0x7f919000 end_va = 0x7f91bfff entry_point = 0x0 region_type = private name = "private_0x000000007f919000" filename = "" Region: id = 2802 start_va = 0x2adb0000 end_va = 0x2adeffff entry_point = 0x0 region_type = private name = "private_0x000000002adb0000" filename = "" Region: id = 2803 start_va = 0x2adf0000 end_va = 0x2aeeffff entry_point = 0x0 region_type = private name = "private_0x000000002adf0000" filename = "" Region: id = 2804 start_va = 0x2aef0000 end_va = 0x2af2ffff entry_point = 0x0 region_type = private name = "private_0x000000002aef0000" filename = "" Region: id = 2805 start_va = 0x2af30000 end_va = 0x2b02ffff entry_point = 0x0 region_type = private name = "private_0x000000002af30000" filename = "" Region: id = 2806 start_va = 0x2b030000 end_va = 0x2b06ffff entry_point = 0x0 region_type = private name = "private_0x000000002b030000" filename = "" Region: id = 2807 start_va = 0x2b070000 end_va = 0x2b16ffff entry_point = 0x0 region_type = private name = "private_0x000000002b070000" filename = "" Region: id = 2808 start_va = 0x2b170000 end_va = 0x2b1affff entry_point = 0x0 region_type = private name = "private_0x000000002b170000" filename = "" Region: id = 2809 start_va = 0x2b1b0000 end_va = 0x2b2affff entry_point = 0x0 region_type = private name = "private_0x000000002b1b0000" filename = "" Region: id = 2810 start_va = 0x2b2b0000 end_va = 0x2b2effff entry_point = 0x0 region_type = private name = "private_0x000000002b2b0000" filename = "" Region: id = 2811 start_va = 0x2b2f0000 end_va = 0x2b3effff entry_point = 0x0 region_type = private name = "private_0x000000002b2f0000" filename = "" Region: id = 2812 start_va = 0x2b3f0000 end_va = 0x2b42ffff entry_point = 0x0 region_type = private name = "private_0x000000002b3f0000" filename = "" Region: id = 2813 start_va = 0x2b430000 end_va = 0x2b52ffff entry_point = 0x0 region_type = private name = "private_0x000000002b430000" filename = "" Region: id = 2814 start_va = 0x7f907000 end_va = 0x7f909fff entry_point = 0x0 region_type = private name = "private_0x000000007f907000" filename = "" Region: id = 2815 start_va = 0x7f90a000 end_va = 0x7f90cfff entry_point = 0x0 region_type = private name = "private_0x000000007f90a000" filename = "" Region: id = 2816 start_va = 0x7f90d000 end_va = 0x7f90ffff entry_point = 0x0 region_type = private name = "private_0x000000007f90d000" filename = "" Region: id = 2817 start_va = 0x7f910000 end_va = 0x7f912fff entry_point = 0x0 region_type = private name = "private_0x000000007f910000" filename = "" Region: id = 2818 start_va = 0x7f913000 end_va = 0x7f915fff entry_point = 0x0 region_type = private name = "private_0x000000007f913000" filename = "" Region: id = 2819 start_va = 0x7f916000 end_va = 0x7f918fff entry_point = 0x0 region_type = private name = "private_0x000000007f916000" filename = "" Region: id = 2820 start_va = 0x2b530000 end_va = 0x2b56ffff entry_point = 0x0 region_type = private name = "private_0x000000002b530000" filename = "" Region: id = 2821 start_va = 0x2b570000 end_va = 0x2b66ffff entry_point = 0x0 region_type = private name = "private_0x000000002b570000" filename = "" Region: id = 2822 start_va = 0x2b670000 end_va = 0x2b6affff entry_point = 0x0 region_type = private name = "private_0x000000002b670000" filename = "" Region: id = 2823 start_va = 0x2b6b0000 end_va = 0x2b7affff entry_point = 0x0 region_type = private name = "private_0x000000002b6b0000" filename = "" Region: id = 2824 start_va = 0x7f901000 end_va = 0x7f903fff entry_point = 0x0 region_type = private name = "private_0x000000007f901000" filename = "" Region: id = 2825 start_va = 0x7f904000 end_va = 0x7f906fff entry_point = 0x0 region_type = private name = "private_0x000000007f904000" filename = "" Region: id = 2826 start_va = 0x2b7b0000 end_va = 0x2b7effff entry_point = 0x0 region_type = private name = "private_0x000000002b7b0000" filename = "" Region: id = 2827 start_va = 0x2b7f0000 end_va = 0x2b8effff entry_point = 0x0 region_type = private name = "private_0x000000002b7f0000" filename = "" Region: id = 2828 start_va = 0x7f8fe000 end_va = 0x7f900fff entry_point = 0x0 region_type = private name = "private_0x000000007f8fe000" filename = "" Region: id = 2829 start_va = 0x2b8f0000 end_va = 0x2b92ffff entry_point = 0x0 region_type = private name = "private_0x000000002b8f0000" filename = "" Region: id = 2830 start_va = 0x2b930000 end_va = 0x2ba2ffff entry_point = 0x0 region_type = private name = "private_0x000000002b930000" filename = "" Region: id = 2831 start_va = 0x7f8fb000 end_va = 0x7f8fdfff entry_point = 0x0 region_type = private name = "private_0x000000007f8fb000" filename = "" Region: id = 2832 start_va = 0x2ba30000 end_va = 0x2ba6ffff entry_point = 0x0 region_type = private name = "private_0x000000002ba30000" filename = "" Region: id = 2833 start_va = 0x2ba70000 end_va = 0x2bb6ffff entry_point = 0x0 region_type = private name = "private_0x000000002ba70000" filename = "" Region: id = 2834 start_va = 0x7f8f8000 end_va = 0x7f8fafff entry_point = 0x0 region_type = private name = "private_0x000000007f8f8000" filename = "" Region: id = 2835 start_va = 0x2bb70000 end_va = 0x2bbaffff entry_point = 0x0 region_type = private name = "private_0x000000002bb70000" filename = "" Region: id = 2836 start_va = 0x2bbb0000 end_va = 0x2bcaffff entry_point = 0x0 region_type = private name = "private_0x000000002bbb0000" filename = "" Region: id = 2837 start_va = 0x7f8f5000 end_va = 0x7f8f7fff entry_point = 0x0 region_type = private name = "private_0x000000007f8f5000" filename = "" Region: id = 2838 start_va = 0x2bcb0000 end_va = 0x2bceffff entry_point = 0x0 region_type = private name = "private_0x000000002bcb0000" filename = "" Region: id = 2839 start_va = 0x2bcf0000 end_va = 0x2bdeffff entry_point = 0x0 region_type = private name = "private_0x000000002bcf0000" filename = "" Region: id = 2840 start_va = 0x7f8f2000 end_va = 0x7f8f4fff entry_point = 0x0 region_type = private name = "private_0x000000007f8f2000" filename = "" Region: id = 2841 start_va = 0x2bdf0000 end_va = 0x2be2ffff entry_point = 0x0 region_type = private name = "private_0x000000002bdf0000" filename = "" Region: id = 2842 start_va = 0x2be30000 end_va = 0x2bf2ffff entry_point = 0x0 region_type = private name = "private_0x000000002be30000" filename = "" Region: id = 2843 start_va = 0x7f8ef000 end_va = 0x7f8f1fff entry_point = 0x0 region_type = private name = "private_0x000000007f8ef000" filename = "" Region: id = 2844 start_va = 0x2bf30000 end_va = 0x2bf6ffff entry_point = 0x0 region_type = private name = "private_0x000000002bf30000" filename = "" Region: id = 2845 start_va = 0x2bf70000 end_va = 0x2c06ffff entry_point = 0x0 region_type = private name = "private_0x000000002bf70000" filename = "" Region: id = 2846 start_va = 0x7f8ec000 end_va = 0x7f8eefff entry_point = 0x0 region_type = private name = "private_0x000000007f8ec000" filename = "" Region: id = 2847 start_va = 0x2c070000 end_va = 0x2c0affff entry_point = 0x0 region_type = private name = "private_0x000000002c070000" filename = "" Region: id = 2848 start_va = 0x2c0b0000 end_va = 0x2c1affff entry_point = 0x0 region_type = private name = "private_0x000000002c0b0000" filename = "" Region: id = 2849 start_va = 0x7f8e9000 end_va = 0x7f8ebfff entry_point = 0x0 region_type = private name = "private_0x000000007f8e9000" filename = "" Region: id = 2850 start_va = 0x2c1b0000 end_va = 0x2c1effff entry_point = 0x0 region_type = private name = "private_0x000000002c1b0000" filename = "" Region: id = 2851 start_va = 0x2c1f0000 end_va = 0x2c2effff entry_point = 0x0 region_type = private name = "private_0x000000002c1f0000" filename = "" Region: id = 2852 start_va = 0x2c2f0000 end_va = 0x2c32ffff entry_point = 0x0 region_type = private name = "private_0x000000002c2f0000" filename = "" Region: id = 2853 start_va = 0x2c330000 end_va = 0x2c42ffff entry_point = 0x0 region_type = private name = "private_0x000000002c330000" filename = "" Region: id = 2854 start_va = 0x7f8e3000 end_va = 0x7f8e5fff entry_point = 0x0 region_type = private name = "private_0x000000007f8e3000" filename = "" Region: id = 2855 start_va = 0x7f8e6000 end_va = 0x7f8e8fff entry_point = 0x0 region_type = private name = "private_0x000000007f8e6000" filename = "" Region: id = 2856 start_va = 0x2c430000 end_va = 0x2c46ffff entry_point = 0x0 region_type = private name = "private_0x000000002c430000" filename = "" Region: id = 2857 start_va = 0x2c470000 end_va = 0x2c56ffff entry_point = 0x0 region_type = private name = "private_0x000000002c470000" filename = "" Region: id = 2858 start_va = 0x7f8e0000 end_va = 0x7f8e2fff entry_point = 0x0 region_type = private name = "private_0x000000007f8e0000" filename = "" Region: id = 2859 start_va = 0x2c570000 end_va = 0x2c5affff entry_point = 0x0 region_type = private name = "private_0x000000002c570000" filename = "" Region: id = 2860 start_va = 0x2c5b0000 end_va = 0x2c6affff entry_point = 0x0 region_type = private name = "private_0x000000002c5b0000" filename = "" Region: id = 2861 start_va = 0x7f8dd000 end_va = 0x7f8dffff entry_point = 0x0 region_type = private name = "private_0x000000007f8dd000" filename = "" Region: id = 2862 start_va = 0x31d0000 end_va = 0x31d0fff entry_point = 0x31d0000 region_type = mapped_file name = "acrobat reader dc.lnk" filename = "\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk" (normalized: "c:\\users\\public\\desktop\\acrobat reader dc.lnk") Region: id = 2863 start_va = 0x2c6b0000 end_va = 0x2c6effff entry_point = 0x0 region_type = private name = "private_0x000000002c6b0000" filename = "" Region: id = 2864 start_va = 0x2c6f0000 end_va = 0x2c7effff entry_point = 0x0 region_type = private name = "private_0x000000002c6f0000" filename = "" Region: id = 2865 start_va = 0x7f8da000 end_va = 0x7f8dcfff entry_point = 0x0 region_type = private name = "private_0x000000007f8da000" filename = "" Region: id = 2866 start_va = 0x2c7f0000 end_va = 0x2c82ffff entry_point = 0x0 region_type = private name = "private_0x000000002c7f0000" filename = "" Region: id = 2867 start_va = 0x2c830000 end_va = 0x2c92ffff entry_point = 0x0 region_type = private name = "private_0x000000002c830000" filename = "" Region: id = 2868 start_va = 0x7f8d7000 end_va = 0x7f8d9fff entry_point = 0x0 region_type = private name = "private_0x000000007f8d7000" filename = "" Region: id = 2869 start_va = 0x2c930000 end_va = 0x2c96ffff entry_point = 0x0 region_type = private name = "private_0x000000002c930000" filename = "" Region: id = 2870 start_va = 0x2c970000 end_va = 0x2ca6ffff entry_point = 0x0 region_type = private name = "private_0x000000002c970000" filename = "" Region: id = 2871 start_va = 0x2ca70000 end_va = 0x2caaffff entry_point = 0x0 region_type = private name = "private_0x000000002ca70000" filename = "" Region: id = 2872 start_va = 0x2cab0000 end_va = 0x2cbaffff entry_point = 0x0 region_type = private name = "private_0x000000002cab0000" filename = "" Region: id = 2873 start_va = 0x7f8d1000 end_va = 0x7f8d3fff entry_point = 0x0 region_type = private name = "private_0x000000007f8d1000" filename = "" Region: id = 2874 start_va = 0x7f8d4000 end_va = 0x7f8d6fff entry_point = 0x0 region_type = private name = "private_0x000000007f8d4000" filename = "" Region: id = 2875 start_va = 0x2cbb0000 end_va = 0x2cbeffff entry_point = 0x0 region_type = private name = "private_0x000000002cbb0000" filename = "" Region: id = 2876 start_va = 0x2cbf0000 end_va = 0x2cceffff entry_point = 0x0 region_type = private name = "private_0x000000002cbf0000" filename = "" Region: id = 2877 start_va = 0x7f8ce000 end_va = 0x7f8d0fff entry_point = 0x0 region_type = private name = "private_0x000000007f8ce000" filename = "" Region: id = 2878 start_va = 0x2ccf0000 end_va = 0x2cd2ffff entry_point = 0x0 region_type = private name = "private_0x000000002ccf0000" filename = "" Region: id = 2879 start_va = 0x2cd30000 end_va = 0x2ce2ffff entry_point = 0x0 region_type = private name = "private_0x000000002cd30000" filename = "" Region: id = 2880 start_va = 0x7f8cb000 end_va = 0x7f8cdfff entry_point = 0x0 region_type = private name = "private_0x000000007f8cb000" filename = "" Region: id = 2881 start_va = 0x2ce30000 end_va = 0x2ce6ffff entry_point = 0x0 region_type = private name = "private_0x000000002ce30000" filename = "" Region: id = 2882 start_va = 0x2ce70000 end_va = 0x2cf6ffff entry_point = 0x0 region_type = private name = "private_0x000000002ce70000" filename = "" Region: id = 2883 start_va = 0x7f8c8000 end_va = 0x7f8cafff entry_point = 0x0 region_type = private name = "private_0x000000007f8c8000" filename = "" Region: id = 2884 start_va = 0x2cf70000 end_va = 0x2cfaffff entry_point = 0x0 region_type = private name = "private_0x000000002cf70000" filename = "" Region: id = 2885 start_va = 0x2cfb0000 end_va = 0x2d0affff entry_point = 0x0 region_type = private name = "private_0x000000002cfb0000" filename = "" Region: id = 2886 start_va = 0x7f8c5000 end_va = 0x7f8c7fff entry_point = 0x0 region_type = private name = "private_0x000000007f8c5000" filename = "" Region: id = 2887 start_va = 0x2d0b0000 end_va = 0x2d0effff entry_point = 0x0 region_type = private name = "private_0x000000002d0b0000" filename = "" Region: id = 2888 start_va = 0x2d0f0000 end_va = 0x2d1effff entry_point = 0x0 region_type = private name = "private_0x000000002d0f0000" filename = "" Region: id = 2889 start_va = 0x7f8c2000 end_va = 0x7f8c4fff entry_point = 0x0 region_type = private name = "private_0x000000007f8c2000" filename = "" Region: id = 2890 start_va = 0x2d1f0000 end_va = 0x2d22ffff entry_point = 0x0 region_type = private name = "private_0x000000002d1f0000" filename = "" Region: id = 2891 start_va = 0x2d230000 end_va = 0x2d32ffff entry_point = 0x0 region_type = private name = "private_0x000000002d230000" filename = "" Region: id = 2892 start_va = 0x7f8bf000 end_va = 0x7f8c1fff entry_point = 0x0 region_type = private name = "private_0x000000007f8bf000" filename = "" Region: id = 2893 start_va = 0x2d330000 end_va = 0x2d36ffff entry_point = 0x0 region_type = private name = "private_0x000000002d330000" filename = "" Region: id = 2894 start_va = 0x2d370000 end_va = 0x2d46ffff entry_point = 0x0 region_type = private name = "private_0x000000002d370000" filename = "" Region: id = 2895 start_va = 0x2d470000 end_va = 0x2d4affff entry_point = 0x0 region_type = private name = "private_0x000000002d470000" filename = "" Region: id = 2896 start_va = 0x2d4b0000 end_va = 0x2d5affff entry_point = 0x0 region_type = private name = "private_0x000000002d4b0000" filename = "" Region: id = 2897 start_va = 0x7f8b9000 end_va = 0x7f8bbfff entry_point = 0x0 region_type = private name = "private_0x000000007f8b9000" filename = "" Region: id = 2898 start_va = 0x7f8bc000 end_va = 0x7f8befff entry_point = 0x0 region_type = private name = "private_0x000000007f8bc000" filename = "" Region: id = 2899 start_va = 0x2d5b0000 end_va = 0x2d5effff entry_point = 0x0 region_type = private name = "private_0x000000002d5b0000" filename = "" Region: id = 2900 start_va = 0x2d5f0000 end_va = 0x2d6effff entry_point = 0x0 region_type = private name = "private_0x000000002d5f0000" filename = "" Region: id = 2901 start_va = 0x7f8b6000 end_va = 0x7f8b8fff entry_point = 0x0 region_type = private name = "private_0x000000007f8b6000" filename = "" Region: id = 2902 start_va = 0x2d6f0000 end_va = 0x2d72ffff entry_point = 0x0 region_type = private name = "private_0x000000002d6f0000" filename = "" Region: id = 2903 start_va = 0x2d730000 end_va = 0x2d82ffff entry_point = 0x0 region_type = private name = "private_0x000000002d730000" filename = "" Region: id = 2904 start_va = 0x7f8b3000 end_va = 0x7f8b5fff entry_point = 0x0 region_type = private name = "private_0x000000007f8b3000" filename = "" Region: id = 2905 start_va = 0x2d830000 end_va = 0x2d86ffff entry_point = 0x0 region_type = private name = "private_0x000000002d830000" filename = "" Region: id = 2906 start_va = 0x2d870000 end_va = 0x2d96ffff entry_point = 0x0 region_type = private name = "private_0x000000002d870000" filename = "" Region: id = 2907 start_va = 0x2d970000 end_va = 0x2d9affff entry_point = 0x0 region_type = private name = "private_0x000000002d970000" filename = "" Region: id = 2908 start_va = 0x2d9b0000 end_va = 0x2daaffff entry_point = 0x0 region_type = private name = "private_0x000000002d9b0000" filename = "" Region: id = 2909 start_va = 0x2dab0000 end_va = 0x2daeffff entry_point = 0x0 region_type = private name = "private_0x000000002dab0000" filename = "" Region: id = 2910 start_va = 0x2daf0000 end_va = 0x2dbeffff entry_point = 0x0 region_type = private name = "private_0x000000002daf0000" filename = "" Region: id = 2911 start_va = 0x2dbf0000 end_va = 0x2dc2ffff entry_point = 0x0 region_type = private name = "private_0x000000002dbf0000" filename = "" Region: id = 2912 start_va = 0x2dc30000 end_va = 0x2dd2ffff entry_point = 0x0 region_type = private name = "private_0x000000002dc30000" filename = "" Region: id = 2913 start_va = 0x7f8a7000 end_va = 0x7f8a9fff entry_point = 0x0 region_type = private name = "private_0x000000007f8a7000" filename = "" Region: id = 2914 start_va = 0x7f8aa000 end_va = 0x7f8acfff entry_point = 0x0 region_type = private name = "private_0x000000007f8aa000" filename = "" Region: id = 2915 start_va = 0x7f8ad000 end_va = 0x7f8affff entry_point = 0x0 region_type = private name = "private_0x000000007f8ad000" filename = "" Region: id = 2916 start_va = 0x7f8b0000 end_va = 0x7f8b2fff entry_point = 0x0 region_type = private name = "private_0x000000007f8b0000" filename = "" Region: id = 2917 start_va = 0x2dd30000 end_va = 0x2dd6ffff entry_point = 0x0 region_type = private name = "private_0x000000002dd30000" filename = "" Region: id = 2918 start_va = 0x2dd70000 end_va = 0x2de6ffff entry_point = 0x0 region_type = private name = "private_0x000000002dd70000" filename = "" Region: id = 2919 start_va = 0x2de70000 end_va = 0x2deaffff entry_point = 0x0 region_type = private name = "private_0x000000002de70000" filename = "" Region: id = 2920 start_va = 0x2deb0000 end_va = 0x2dfaffff entry_point = 0x0 region_type = private name = "private_0x000000002deb0000" filename = "" Region: id = 2921 start_va = 0x7f8a1000 end_va = 0x7f8a3fff entry_point = 0x0 region_type = private name = "private_0x000000007f8a1000" filename = "" Region: id = 2922 start_va = 0x7f8a4000 end_va = 0x7f8a6fff entry_point = 0x0 region_type = private name = "private_0x000000007f8a4000" filename = "" Region: id = 2923 start_va = 0x7190000 end_va = 0x728ffff entry_point = 0x0 region_type = private name = "private_0x0000000007190000" filename = "" Region: id = 2924 start_va = 0x7550000 end_va = 0x764ffff entry_point = 0x0 region_type = private name = "private_0x0000000007550000" filename = "" Region: id = 2925 start_va = 0x2dfb0000 end_va = 0x2dfeffff entry_point = 0x0 region_type = private name = "private_0x000000002dfb0000" filename = "" Region: id = 2926 start_va = 0x2dff0000 end_va = 0x2e0effff entry_point = 0x0 region_type = private name = "private_0x000000002dff0000" filename = "" Region: id = 2927 start_va = 0x7f89e000 end_va = 0x7f8a0fff entry_point = 0x0 region_type = private name = "private_0x000000007f89e000" filename = "" Region: id = 2928 start_va = 0x7290000 end_va = 0x72cffff entry_point = 0x0 region_type = private name = "private_0x0000000007290000" filename = "" Region: id = 2929 start_va = 0x8050000 end_va = 0x814ffff entry_point = 0x0 region_type = private name = "private_0x0000000008050000" filename = "" Region: id = 2930 start_va = 0x7fdf9000 end_va = 0x7fdfbfff entry_point = 0x0 region_type = private name = "private_0x000000007fdf9000" filename = "" Region: id = 2931 start_va = 0x7650000 end_va = 0x768ffff entry_point = 0x0 region_type = private name = "private_0x0000000007650000" filename = "" Region: id = 2932 start_va = 0x8350000 end_va = 0x844ffff entry_point = 0x0 region_type = private name = "private_0x0000000008350000" filename = "" Region: id = 2933 start_va = 0x7fde1000 end_va = 0x7fde3fff entry_point = 0x0 region_type = private name = "private_0x000000007fde1000" filename = "" Region: id = 2934 start_va = 0x8450000 end_va = 0x848ffff entry_point = 0x0 region_type = private name = "private_0x0000000008450000" filename = "" Region: id = 2935 start_va = 0x85d0000 end_va = 0x86cffff entry_point = 0x0 region_type = private name = "private_0x00000000085d0000" filename = "" Region: id = 2936 start_va = 0x7fdd8000 end_va = 0x7fddafff entry_point = 0x0 region_type = private name = "private_0x000000007fdd8000" filename = "" Region: id = 2937 start_va = 0x86d0000 end_va = 0x870ffff entry_point = 0x0 region_type = private name = "private_0x00000000086d0000" filename = "" Region: id = 2938 start_va = 0x9190000 end_va = 0x928ffff entry_point = 0x0 region_type = private name = "private_0x0000000009190000" filename = "" Region: id = 2939 start_va = 0x7fdd2000 end_va = 0x7fdd4fff entry_point = 0x0 region_type = private name = "private_0x000000007fdd2000" filename = "" Region: id = 2940 start_va = 0x9290000 end_va = 0x92cffff entry_point = 0x0 region_type = private name = "private_0x0000000009290000" filename = "" Region: id = 2941 start_va = 0x92d0000 end_va = 0x93cffff entry_point = 0x0 region_type = private name = "private_0x00000000092d0000" filename = "" Region: id = 2942 start_va = 0x7fdc9000 end_va = 0x7fdcbfff entry_point = 0x0 region_type = private name = "private_0x000000007fdc9000" filename = "" Region: id = 2943 start_va = 0x93d0000 end_va = 0x940ffff entry_point = 0x0 region_type = private name = "private_0x00000000093d0000" filename = "" Region: id = 2944 start_va = 0x9410000 end_va = 0x950ffff entry_point = 0x0 region_type = private name = "private_0x0000000009410000" filename = "" Region: id = 2945 start_va = 0x7fdc6000 end_va = 0x7fdc8fff entry_point = 0x0 region_type = private name = "private_0x000000007fdc6000" filename = "" Region: id = 2946 start_va = 0x9510000 end_va = 0x954ffff entry_point = 0x0 region_type = private name = "private_0x0000000009510000" filename = "" Region: id = 2947 start_va = 0x9690000 end_va = 0x978ffff entry_point = 0x0 region_type = private name = "private_0x0000000009690000" filename = "" Region: id = 2948 start_va = 0x7fdc3000 end_va = 0x7fdc5fff entry_point = 0x0 region_type = private name = "private_0x000000007fdc3000" filename = "" Region: id = 2949 start_va = 0x9790000 end_va = 0x97cffff entry_point = 0x0 region_type = private name = "private_0x0000000009790000" filename = "" Region: id = 2950 start_va = 0x9a50000 end_va = 0x9b4ffff entry_point = 0x0 region_type = private name = "private_0x0000000009a50000" filename = "" Region: id = 2951 start_va = 0x7fdbd000 end_va = 0x7fdbffff entry_point = 0x0 region_type = private name = "private_0x000000007fdbd000" filename = "" Region: id = 2952 start_va = 0x9b50000 end_va = 0x9b8ffff entry_point = 0x0 region_type = private name = "private_0x0000000009b50000" filename = "" Region: id = 2953 start_va = 0x9b90000 end_va = 0x9c8ffff entry_point = 0x0 region_type = private name = "private_0x0000000009b90000" filename = "" Region: id = 2954 start_va = 0x7fdb4000 end_va = 0x7fdb6fff entry_point = 0x0 region_type = private name = "private_0x000000007fdb4000" filename = "" Region: id = 2955 start_va = 0x9c90000 end_va = 0x9ccffff entry_point = 0x0 region_type = private name = "private_0x0000000009c90000" filename = "" Region: id = 2956 start_va = 0x9cd0000 end_va = 0x9dcffff entry_point = 0x0 region_type = private name = "private_0x0000000009cd0000" filename = "" Region: id = 2957 start_va = 0x9dd0000 end_va = 0x9e0ffff entry_point = 0x0 region_type = private name = "private_0x0000000009dd0000" filename = "" Region: id = 2958 start_va = 0x9e10000 end_va = 0x9f0ffff entry_point = 0x0 region_type = private name = "private_0x0000000009e10000" filename = "" Region: id = 2959 start_va = 0x7fdae000 end_va = 0x7fdb0fff entry_point = 0x0 region_type = private name = "private_0x000000007fdae000" filename = "" Region: id = 2960 start_va = 0x7fdb1000 end_va = 0x7fdb3fff entry_point = 0x0 region_type = private name = "private_0x000000007fdb1000" filename = "" Region: id = 2961 start_va = 0x2bc0000 end_va = 0x2bfffff entry_point = 0x0 region_type = private name = "private_0x0000000002bc0000" filename = "" Region: id = 2962 start_va = 0x3700000 end_va = 0x37fffff entry_point = 0x0 region_type = private name = "private_0x0000000003700000" filename = "" Region: id = 2963 start_va = 0x7fe8c000 end_va = 0x7fe8efff entry_point = 0x0 region_type = private name = "private_0x000000007fe8c000" filename = "" Region: id = 2964 start_va = 0x3300000 end_va = 0x333ffff entry_point = 0x0 region_type = private name = "private_0x0000000003300000" filename = "" Region: id = 2965 start_va = 0x3800000 end_va = 0x38fffff entry_point = 0x0 region_type = private name = "private_0x0000000003800000" filename = "" Region: id = 2966 start_va = 0x4640000 end_va = 0x467ffff entry_point = 0x0 region_type = private name = "private_0x0000000004640000" filename = "" Region: id = 2967 start_va = 0x4680000 end_va = 0x477ffff entry_point = 0x0 region_type = private name = "private_0x0000000004680000" filename = "" Region: id = 2968 start_va = 0x9f10000 end_va = 0x9f4ffff entry_point = 0x0 region_type = private name = "private_0x0000000009f10000" filename = "" Region: id = 2969 start_va = 0x9f50000 end_va = 0xa04ffff entry_point = 0x0 region_type = private name = "private_0x0000000009f50000" filename = "" Region: id = 2970 start_va = 0xa050000 end_va = 0xa08ffff entry_point = 0x0 region_type = private name = "private_0x000000000a050000" filename = "" Region: id = 2971 start_va = 0xa090000 end_va = 0xa18ffff entry_point = 0x0 region_type = private name = "private_0x000000000a090000" filename = "" Region: id = 2972 start_va = 0x7fda8000 end_va = 0x7fdaafff entry_point = 0x0 region_type = private name = "private_0x000000007fda8000" filename = "" Region: id = 2973 start_va = 0x7fdab000 end_va = 0x7fdadfff entry_point = 0x0 region_type = private name = "private_0x000000007fdab000" filename = "" Region: id = 2974 start_va = 0x7fe62000 end_va = 0x7fe64fff entry_point = 0x0 region_type = private name = "private_0x000000007fe62000" filename = "" Region: id = 2975 start_va = 0x7fe80000 end_va = 0x7fe82fff entry_point = 0x0 region_type = private name = "private_0x000000007fe80000" filename = "" Region: id = 2976 start_va = 0xa190000 end_va = 0xa1cffff entry_point = 0x0 region_type = private name = "private_0x000000000a190000" filename = "" Region: id = 2977 start_va = 0xa1d0000 end_va = 0xa2cffff entry_point = 0x0 region_type = private name = "private_0x000000000a1d0000" filename = "" Region: id = 2978 start_va = 0x7fda5000 end_va = 0x7fda7fff entry_point = 0x0 region_type = private name = "private_0x000000007fda5000" filename = "" Region: id = 2979 start_va = 0xa2d0000 end_va = 0xa30ffff entry_point = 0x0 region_type = private name = "private_0x000000000a2d0000" filename = "" Region: id = 2980 start_va = 0xb0d0000 end_va = 0xb1cffff entry_point = 0x0 region_type = private name = "private_0x000000000b0d0000" filename = "" Region: id = 2981 start_va = 0x7fda2000 end_va = 0x7fda4fff entry_point = 0x0 region_type = private name = "private_0x000000007fda2000" filename = "" Region: id = 2982 start_va = 0xb1d0000 end_va = 0xb20ffff entry_point = 0x0 region_type = private name = "private_0x000000000b1d0000" filename = "" Region: id = 2983 start_va = 0xb850000 end_va = 0xb94ffff entry_point = 0x0 region_type = private name = "private_0x000000000b850000" filename = "" Region: id = 2984 start_va = 0x7fd7e000 end_va = 0x7fd80fff entry_point = 0x0 region_type = private name = "private_0x000000007fd7e000" filename = "" Region: id = 2985 start_va = 0xb950000 end_va = 0xb98ffff entry_point = 0x0 region_type = private name = "private_0x000000000b950000" filename = "" Region: id = 2986 start_va = 0xbad0000 end_va = 0xbbcffff entry_point = 0x0 region_type = private name = "private_0x000000000bad0000" filename = "" Region: id = 2987 start_va = 0xbbd0000 end_va = 0xbc0ffff entry_point = 0x0 region_type = private name = "private_0x000000000bbd0000" filename = "" Region: id = 2988 start_va = 0xbc10000 end_va = 0xbd0ffff entry_point = 0x0 region_type = private name = "private_0x000000000bc10000" filename = "" Region: id = 2989 start_va = 0x7fd66000 end_va = 0x7fd68fff entry_point = 0x0 region_type = private name = "private_0x000000007fd66000" filename = "" Region: id = 2990 start_va = 0x7fd6c000 end_va = 0x7fd6efff entry_point = 0x0 region_type = private name = "private_0x000000007fd6c000" filename = "" Region: id = 2991 start_va = 0xbd10000 end_va = 0xbd4ffff entry_point = 0x0 region_type = private name = "private_0x000000000bd10000" filename = "" Region: id = 2992 start_va = 0xbe90000 end_va = 0xbf8ffff entry_point = 0x0 region_type = private name = "private_0x000000000be90000" filename = "" Region: id = 2993 start_va = 0x7fd63000 end_va = 0x7fd65fff entry_point = 0x0 region_type = private name = "private_0x000000007fd63000" filename = "" Region: id = 2994 start_va = 0xbf90000 end_va = 0xbfcffff entry_point = 0x0 region_type = private name = "private_0x000000000bf90000" filename = "" Region: id = 2995 start_va = 0xbfd0000 end_va = 0xc0cffff entry_point = 0x0 region_type = private name = "private_0x000000000bfd0000" filename = "" Region: id = 2996 start_va = 0xc0d0000 end_va = 0xc10ffff entry_point = 0x0 region_type = private name = "private_0x000000000c0d0000" filename = "" Region: id = 2997 start_va = 0xce90000 end_va = 0xcf8ffff entry_point = 0x0 region_type = private name = "private_0x000000000ce90000" filename = "" Region: id = 2998 start_va = 0x7fd5a000 end_va = 0x7fd5cfff entry_point = 0x0 region_type = private name = "private_0x000000007fd5a000" filename = "" Region: id = 2999 start_va = 0x7fd5d000 end_va = 0x7fd5ffff entry_point = 0x0 region_type = private name = "private_0x000000007fd5d000" filename = "" Region: id = 3000 start_va = 0xcf90000 end_va = 0xcfcffff entry_point = 0x0 region_type = private name = "private_0x000000000cf90000" filename = "" Region: id = 3001 start_va = 0xd150000 end_va = 0xd24ffff entry_point = 0x0 region_type = private name = "private_0x000000000d150000" filename = "" Region: id = 3002 start_va = 0xd250000 end_va = 0xd28ffff entry_point = 0x0 region_type = private name = "private_0x000000000d250000" filename = "" Region: id = 3003 start_va = 0xdf10000 end_va = 0xe00ffff entry_point = 0x0 region_type = private name = "private_0x000000000df10000" filename = "" Region: id = 3004 start_va = 0xe010000 end_va = 0xe04ffff entry_point = 0x0 region_type = private name = "private_0x000000000e010000" filename = "" Region: id = 3005 start_va = 0xe550000 end_va = 0xe64ffff entry_point = 0x0 region_type = private name = "private_0x000000000e550000" filename = "" Region: id = 3006 start_va = 0xe650000 end_va = 0xe68ffff entry_point = 0x0 region_type = private name = "private_0x000000000e650000" filename = "" Region: id = 3007 start_va = 0xf090000 end_va = 0xf18ffff entry_point = 0x0 region_type = private name = "private_0x000000000f090000" filename = "" Region: id = 3008 start_va = 0xf190000 end_va = 0xf1cffff entry_point = 0x0 region_type = private name = "private_0x000000000f190000" filename = "" Region: id = 3009 start_va = 0xf1d0000 end_va = 0xf2cffff entry_point = 0x0 region_type = private name = "private_0x000000000f1d0000" filename = "" Region: id = 3010 start_va = 0xf2d0000 end_va = 0xf30ffff entry_point = 0x0 region_type = private name = "private_0x000000000f2d0000" filename = "" Region: id = 3011 start_va = 0xf310000 end_va = 0xf40ffff entry_point = 0x0 region_type = private name = "private_0x000000000f310000" filename = "" Region: id = 3012 start_va = 0x7fce2000 end_va = 0x7fce4fff entry_point = 0x0 region_type = private name = "private_0x000000007fce2000" filename = "" Region: id = 3013 start_va = 0x7fce5000 end_va = 0x7fce7fff entry_point = 0x0 region_type = private name = "private_0x000000007fce5000" filename = "" Region: id = 3014 start_va = 0x7fd00000 end_va = 0x7fd02fff entry_point = 0x0 region_type = private name = "private_0x000000007fd00000" filename = "" Region: id = 3015 start_va = 0x7fd0f000 end_va = 0x7fd11fff entry_point = 0x0 region_type = private name = "private_0x000000007fd0f000" filename = "" Region: id = 3016 start_va = 0x7fd30000 end_va = 0x7fd32fff entry_point = 0x0 region_type = private name = "private_0x000000007fd30000" filename = "" Region: id = 3017 start_va = 0x7fd39000 end_va = 0x7fd3bfff entry_point = 0x0 region_type = private name = "private_0x000000007fd39000" filename = "" Region: id = 3018 start_va = 0xf410000 end_va = 0xf44ffff entry_point = 0x0 region_type = private name = "private_0x000000000f410000" filename = "" Region: id = 3019 start_va = 0x117a0000 end_va = 0x1189ffff entry_point = 0x0 region_type = private name = "private_0x00000000117a0000" filename = "" Region: id = 3020 start_va = 0x7fcdf000 end_va = 0x7fce1fff entry_point = 0x0 region_type = private name = "private_0x000000007fcdf000" filename = "" Region: id = 3021 start_va = 0x118a0000 end_va = 0x118dffff entry_point = 0x0 region_type = private name = "private_0x00000000118a0000" filename = "" Region: id = 3022 start_va = 0x118e0000 end_va = 0x119dffff entry_point = 0x0 region_type = private name = "private_0x00000000118e0000" filename = "" Region: id = 3023 start_va = 0x7fcb5000 end_va = 0x7fcb7fff entry_point = 0x0 region_type = private name = "private_0x000000007fcb5000" filename = "" Region: id = 3024 start_va = 0x119e0000 end_va = 0x11a1ffff entry_point = 0x0 region_type = private name = "private_0x00000000119e0000" filename = "" Region: id = 3025 start_va = 0x12460000 end_va = 0x1255ffff entry_point = 0x0 region_type = private name = "private_0x0000000012460000" filename = "" Region: id = 3026 start_va = 0x7fcaf000 end_va = 0x7fcb1fff entry_point = 0x0 region_type = private name = "private_0x000000007fcaf000" filename = "" Region: id = 3027 start_va = 0x2d40000 end_va = 0x2e3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002d40000" filename = "" Region: id = 3028 start_va = 0x30c0000 end_va = 0x30fffff entry_point = 0x0 region_type = private name = "private_0x00000000030c0000" filename = "" Region: id = 3029 start_va = 0x3340000 end_va = 0x343ffff entry_point = 0x0 region_type = private name = "private_0x0000000003340000" filename = "" Region: id = 3030 start_va = 0x7fe8f000 end_va = 0x7fe91fff entry_point = 0x0 region_type = private name = "private_0x000000007fe8f000" filename = "" Region: id = 3031 start_va = 0x3100000 end_va = 0x313ffff entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 3032 start_va = 0x35c0000 end_va = 0x36bffff entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 3033 start_va = 0x7fe89000 end_va = 0x7fe8bfff entry_point = 0x0 region_type = private name = "private_0x000000007fe89000" filename = "" Region: id = 3034 start_va = 0x3440000 end_va = 0x347ffff entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 3035 start_va = 0x6150000 end_va = 0x624ffff entry_point = 0x0 region_type = private name = "private_0x0000000006150000" filename = "" Region: id = 3036 start_va = 0x7fe83000 end_va = 0x7fe85fff entry_point = 0x0 region_type = private name = "private_0x000000007fe83000" filename = "" Region: id = 3037 start_va = 0x36c0000 end_va = 0x36fffff entry_point = 0x0 region_type = private name = "private_0x00000000036c0000" filename = "" Region: id = 3038 start_va = 0x72d0000 end_va = 0x73cffff entry_point = 0x0 region_type = private name = "private_0x00000000072d0000" filename = "" Region: id = 3039 start_va = 0x7fe29000 end_va = 0x7fe2bfff entry_point = 0x0 region_type = private name = "private_0x000000007fe29000" filename = "" Region: id = 3040 start_va = 0x6250000 end_va = 0x628ffff entry_point = 0x0 region_type = private name = "private_0x0000000006250000" filename = "" Region: id = 3041 start_va = 0x73d0000 end_va = 0x74cffff entry_point = 0x0 region_type = private name = "private_0x00000000073d0000" filename = "" Region: id = 3042 start_va = 0x7fdff000 end_va = 0x7fe01fff entry_point = 0x0 region_type = private name = "private_0x000000007fdff000" filename = "" Region: id = 3043 start_va = 0x74d0000 end_va = 0x750ffff entry_point = 0x0 region_type = private name = "private_0x00000000074d0000" filename = "" Region: id = 3044 start_va = 0x7910000 end_va = 0x7a0ffff entry_point = 0x0 region_type = private name = "private_0x0000000007910000" filename = "" Region: id = 3045 start_va = 0x7fdfc000 end_va = 0x7fdfefff entry_point = 0x0 region_type = private name = "private_0x000000007fdfc000" filename = "" Region: id = 3046 start_va = 0x7510000 end_va = 0x754ffff entry_point = 0x0 region_type = private name = "private_0x0000000007510000" filename = "" Region: id = 3047 start_va = 0x7a10000 end_va = 0x7b0ffff entry_point = 0x0 region_type = private name = "private_0x0000000007a10000" filename = "" Region: id = 3048 start_va = 0x7fdf0000 end_va = 0x7fdf2fff entry_point = 0x0 region_type = private name = "private_0x000000007fdf0000" filename = "" Region: id = 3049 start_va = 0x7b10000 end_va = 0x7b4ffff entry_point = 0x0 region_type = private name = "private_0x0000000007b10000" filename = "" Region: id = 3050 start_va = 0x7b50000 end_va = 0x7c4ffff entry_point = 0x0 region_type = private name = "private_0x0000000007b50000" filename = "" Region: id = 3051 start_va = 0x7fded000 end_va = 0x7fdeffff entry_point = 0x0 region_type = private name = "private_0x000000007fded000" filename = "" Region: id = 3052 start_va = 0x7c50000 end_va = 0x7c8ffff entry_point = 0x0 region_type = private name = "private_0x0000000007c50000" filename = "" Region: id = 3053 start_va = 0x7e10000 end_va = 0x7f0ffff entry_point = 0x0 region_type = private name = "private_0x0000000007e10000" filename = "" Region: id = 3054 start_va = 0x7fdea000 end_va = 0x7fdecfff entry_point = 0x0 region_type = private name = "private_0x000000007fdea000" filename = "" Region: id = 3055 start_va = 0x7c90000 end_va = 0x7ccffff entry_point = 0x0 region_type = private name = "private_0x0000000007c90000" filename = "" Region: id = 3056 start_va = 0x7f10000 end_va = 0x800ffff entry_point = 0x0 region_type = private name = "private_0x0000000007f10000" filename = "" Region: id = 3057 start_va = 0x7fde4000 end_va = 0x7fde6fff entry_point = 0x0 region_type = private name = "private_0x000000007fde4000" filename = "" Region: id = 3058 start_va = 0x8010000 end_va = 0x804ffff entry_point = 0x0 region_type = private name = "private_0x0000000008010000" filename = "" Region: id = 3059 start_va = 0x8250000 end_va = 0x834ffff entry_point = 0x0 region_type = private name = "private_0x0000000008250000" filename = "" Region: id = 3060 start_va = 0x7fddb000 end_va = 0x7fdddfff entry_point = 0x0 region_type = private name = "private_0x000000007fddb000" filename = "" Region: id = 3061 start_va = 0x8490000 end_va = 0x84cffff entry_point = 0x0 region_type = private name = "private_0x0000000008490000" filename = "" Region: id = 3062 start_va = 0x84d0000 end_va = 0x85cffff entry_point = 0x0 region_type = private name = "private_0x00000000084d0000" filename = "" Region: id = 3063 start_va = 0x8710000 end_va = 0x874ffff entry_point = 0x0 region_type = private name = "private_0x0000000008710000" filename = "" Region: id = 3064 start_va = 0x8750000 end_va = 0x884ffff entry_point = 0x0 region_type = private name = "private_0x0000000008750000" filename = "" Region: id = 3065 start_va = 0x7fdcf000 end_va = 0x7fdd1fff entry_point = 0x0 region_type = private name = "private_0x000000007fdcf000" filename = "" Region: id = 3066 start_va = 0x7fdd5000 end_va = 0x7fdd7fff entry_point = 0x0 region_type = private name = "private_0x000000007fdd5000" filename = "" Region: id = 3067 start_va = 0xa450000 end_va = 0xa48ffff entry_point = 0x0 region_type = private name = "private_0x000000000a450000" filename = "" Region: id = 3068 start_va = 0xa490000 end_va = 0xa58ffff entry_point = 0x0 region_type = private name = "private_0x000000000a490000" filename = "" Region: id = 3069 start_va = 0x7fd9c000 end_va = 0x7fd9efff entry_point = 0x0 region_type = private name = "private_0x000000007fd9c000" filename = "" Region: id = 3070 start_va = 0xa590000 end_va = 0xa5cffff entry_point = 0x0 region_type = private name = "private_0x000000000a590000" filename = "" Region: id = 3071 start_va = 0xa5d0000 end_va = 0xa6cffff entry_point = 0x0 region_type = private name = "private_0x000000000a5d0000" filename = "" Region: id = 3072 start_va = 0x7fd99000 end_va = 0x7fd9bfff entry_point = 0x0 region_type = private name = "private_0x000000007fd99000" filename = "" Region: id = 3073 start_va = 0xa810000 end_va = 0xa84ffff entry_point = 0x0 region_type = private name = "private_0x000000000a810000" filename = "" Region: id = 3074 start_va = 0xa850000 end_va = 0xa94ffff entry_point = 0x0 region_type = private name = "private_0x000000000a850000" filename = "" Region: id = 3075 start_va = 0x7fd93000 end_va = 0x7fd95fff entry_point = 0x0 region_type = private name = "private_0x000000007fd93000" filename = "" Region: id = 3076 start_va = 0xcc50000 end_va = 0xcc8ffff entry_point = 0x0 region_type = private name = "private_0x000000000cc50000" filename = "" Region: id = 3077 start_va = 0xcc90000 end_va = 0xcd8ffff entry_point = 0x0 region_type = private name = "private_0x000000000cc90000" filename = "" Region: id = 3078 start_va = 0x7fd3c000 end_va = 0x7fd3efff entry_point = 0x0 region_type = private name = "private_0x000000007fd3c000" filename = "" Region: id = 3079 start_va = 0xda10000 end_va = 0xda4ffff entry_point = 0x0 region_type = private name = "private_0x000000000da10000" filename = "" Region: id = 3080 start_va = 0xda50000 end_va = 0xdb4ffff entry_point = 0x0 region_type = private name = "private_0x000000000da50000" filename = "" Region: id = 3081 start_va = 0x7fd1b000 end_va = 0x7fd1dfff entry_point = 0x0 region_type = private name = "private_0x000000007fd1b000" filename = "" Region: id = 3082 start_va = 0xdb50000 end_va = 0xdb8ffff entry_point = 0x0 region_type = private name = "private_0x000000000db50000" filename = "" Region: id = 3083 start_va = 0xdb90000 end_va = 0xdc8ffff entry_point = 0x0 region_type = private name = "private_0x000000000db90000" filename = "" Region: id = 3084 start_va = 0x7fd18000 end_va = 0x7fd1afff entry_point = 0x0 region_type = private name = "private_0x000000007fd18000" filename = "" Region: id = 3085 start_va = 0xdc90000 end_va = 0xdccffff entry_point = 0x0 region_type = private name = "private_0x000000000dc90000" filename = "" Region: id = 3086 start_va = 0xdcd0000 end_va = 0xddcffff entry_point = 0x0 region_type = private name = "private_0x000000000dcd0000" filename = "" Region: id = 3087 start_va = 0x7fd15000 end_va = 0x7fd17fff entry_point = 0x0 region_type = private name = "private_0x000000007fd15000" filename = "" Region: id = 3088 start_va = 0xe050000 end_va = 0xe08ffff entry_point = 0x0 region_type = private name = "private_0x000000000e050000" filename = "" Region: id = 3089 start_va = 0xe090000 end_va = 0xe18ffff entry_point = 0x0 region_type = private name = "private_0x000000000e090000" filename = "" Region: id = 3090 start_va = 0x7fd0c000 end_va = 0x7fd0efff entry_point = 0x0 region_type = private name = "private_0x000000007fd0c000" filename = "" Region: id = 3091 start_va = 0xe690000 end_va = 0xe6cffff entry_point = 0x0 region_type = private name = "private_0x000000000e690000" filename = "" Region: id = 3092 start_va = 0xe6d0000 end_va = 0xe7cffff entry_point = 0x0 region_type = private name = "private_0x000000000e6d0000" filename = "" Region: id = 3093 start_va = 0x7fcfd000 end_va = 0x7fcfffff entry_point = 0x0 region_type = private name = "private_0x000000007fcfd000" filename = "" Region: id = 3094 start_va = 0xee10000 end_va = 0xee4ffff entry_point = 0x0 region_type = private name = "private_0x000000000ee10000" filename = "" Region: id = 3095 start_va = 0xee50000 end_va = 0xef4ffff entry_point = 0x0 region_type = private name = "private_0x000000000ee50000" filename = "" Region: id = 3096 start_va = 0x7fceb000 end_va = 0x7fcedfff entry_point = 0x0 region_type = private name = "private_0x000000007fceb000" filename = "" Region: id = 3097 start_va = 0xef50000 end_va = 0xef8ffff entry_point = 0x0 region_type = private name = "private_0x000000000ef50000" filename = "" Region: id = 3098 start_va = 0xef90000 end_va = 0xf08ffff entry_point = 0x0 region_type = private name = "private_0x000000000ef90000" filename = "" Region: id = 3099 start_va = 0xff50000 end_va = 0xff8ffff entry_point = 0x0 region_type = private name = "private_0x000000000ff50000" filename = "" Region: id = 3100 start_va = 0xff90000 end_va = 0x1008ffff entry_point = 0x0 region_type = private name = "private_0x000000000ff90000" filename = "" Region: id = 3101 start_va = 0x10310000 end_va = 0x1034ffff entry_point = 0x0 region_type = private name = "private_0x0000000010310000" filename = "" Region: id = 3102 start_va = 0x10350000 end_va = 0x1044ffff entry_point = 0x0 region_type = private name = "private_0x0000000010350000" filename = "" Region: id = 3103 start_va = 0x7fcbb000 end_va = 0x7fcbdfff entry_point = 0x0 region_type = private name = "private_0x000000007fcbb000" filename = "" Region: id = 3104 start_va = 0x7fcc4000 end_va = 0x7fcc6fff entry_point = 0x0 region_type = private name = "private_0x000000007fcc4000" filename = "" Region: id = 3105 start_va = 0x7fce8000 end_va = 0x7fceafff entry_point = 0x0 region_type = private name = "private_0x000000007fce8000" filename = "" Region: id = 3106 start_va = 0x11ba0000 end_va = 0x11bdffff entry_point = 0x0 region_type = private name = "private_0x0000000011ba0000" filename = "" Region: id = 3107 start_va = 0x11be0000 end_va = 0x11cdffff entry_point = 0x0 region_type = private name = "private_0x0000000011be0000" filename = "" Region: id = 3108 start_va = 0x7fca6000 end_va = 0x7fca8fff entry_point = 0x0 region_type = private name = "private_0x000000007fca6000" filename = "" Region: id = 3109 start_va = 0x11ce0000 end_va = 0x11d1ffff entry_point = 0x0 region_type = private name = "private_0x0000000011ce0000" filename = "" Region: id = 3110 start_va = 0x11d20000 end_va = 0x11e1ffff entry_point = 0x0 region_type = private name = "private_0x0000000011d20000" filename = "" Region: id = 3111 start_va = 0x7fca3000 end_va = 0x7fca5fff entry_point = 0x0 region_type = private name = "private_0x000000007fca3000" filename = "" Region: id = 3112 start_va = 0x121e0000 end_va = 0x1221ffff entry_point = 0x0 region_type = private name = "private_0x00000000121e0000" filename = "" Region: id = 3113 start_va = 0x12220000 end_va = 0x1231ffff entry_point = 0x0 region_type = private name = "private_0x0000000012220000" filename = "" Region: id = 3114 start_va = 0x7fca0000 end_va = 0x7fca2fff entry_point = 0x0 region_type = private name = "private_0x000000007fca0000" filename = "" Region: id = 3115 start_va = 0x12320000 end_va = 0x1235ffff entry_point = 0x0 region_type = private name = "private_0x0000000012320000" filename = "" Region: id = 3116 start_va = 0x12360000 end_va = 0x1245ffff entry_point = 0x0 region_type = private name = "private_0x0000000012360000" filename = "" Region: id = 3117 start_va = 0x7fc97000 end_va = 0x7fc99fff entry_point = 0x0 region_type = private name = "private_0x000000007fc97000" filename = "" Region: id = 3118 start_va = 0x12560000 end_va = 0x1259ffff entry_point = 0x0 region_type = private name = "private_0x0000000012560000" filename = "" Region: id = 3119 start_va = 0x12a60000 end_va = 0x12b5ffff entry_point = 0x0 region_type = private name = "private_0x0000000012a60000" filename = "" Region: id = 3120 start_va = 0x7fc94000 end_va = 0x7fc96fff entry_point = 0x0 region_type = private name = "private_0x000000007fc94000" filename = "" Region: id = 3121 start_va = 0x129a0000 end_va = 0x129dffff entry_point = 0x0 region_type = private name = "private_0x00000000129a0000" filename = "" Region: id = 3122 start_va = 0x12b60000 end_va = 0x12c5ffff entry_point = 0x0 region_type = private name = "private_0x0000000012b60000" filename = "" Region: id = 3123 start_va = 0x7fc91000 end_va = 0x7fc93fff entry_point = 0x0 region_type = private name = "private_0x000000007fc91000" filename = "" Region: id = 3124 start_va = 0x129e0000 end_va = 0x12a1ffff entry_point = 0x0 region_type = private name = "private_0x00000000129e0000" filename = "" Region: id = 3125 start_va = 0x12c60000 end_va = 0x12d5ffff entry_point = 0x0 region_type = private name = "private_0x0000000012c60000" filename = "" Region: id = 3126 start_va = 0x7fc85000 end_va = 0x7fc87fff entry_point = 0x0 region_type = private name = "private_0x000000007fc85000" filename = "" Region: id = 3127 start_va = 0x12d60000 end_va = 0x12d9ffff entry_point = 0x0 region_type = private name = "private_0x0000000012d60000" filename = "" Region: id = 3128 start_va = 0x12e20000 end_va = 0x12f1ffff entry_point = 0x0 region_type = private name = "private_0x0000000012e20000" filename = "" Region: id = 3129 start_va = 0x7fc82000 end_va = 0x7fc84fff entry_point = 0x0 region_type = private name = "private_0x000000007fc82000" filename = "" Region: id = 3130 start_va = 0x74350000 end_va = 0x7435efff entry_point = 0x74350000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\SysWOW64\\cscapi.dll" (normalized: "c:\\windows\\syswow64\\cscapi.dll") Region: id = 3131 start_va = 0xa2d0000 end_va = 0xa30ffff entry_point = 0x0 region_type = private name = "private_0x000000000a2d0000" filename = "" Region: id = 3132 start_va = 0xb0d0000 end_va = 0xb1cffff entry_point = 0x0 region_type = private name = "private_0x000000000b0d0000" filename = "" Region: id = 3133 start_va = 0x7fda2000 end_va = 0x7fda4fff entry_point = 0x0 region_type = private name = "private_0x000000007fda2000" filename = "" Region: id = 3134 start_va = 0xcf90000 end_va = 0xcfcffff entry_point = 0x0 region_type = private name = "private_0x000000000cf90000" filename = "" Region: id = 3135 start_va = 0xd150000 end_va = 0xd24ffff entry_point = 0x0 region_type = private name = "private_0x000000000d150000" filename = "" Region: id = 3136 start_va = 0x7fd39000 end_va = 0x7fd3bfff entry_point = 0x0 region_type = private name = "private_0x000000007fd39000" filename = "" Region: id = 3137 start_va = 0x12da0000 end_va = 0x12ddffff entry_point = 0x0 region_type = private name = "private_0x0000000012da0000" filename = "" Region: id = 3138 start_va = 0x12f20000 end_va = 0x1301ffff entry_point = 0x0 region_type = private name = "private_0x0000000012f20000" filename = "" Region: id = 3139 start_va = 0x7fc7c000 end_va = 0x7fc7efff entry_point = 0x0 region_type = private name = "private_0x000000007fc7c000" filename = "" Region: id = 3140 start_va = 0x13020000 end_va = 0x1305ffff entry_point = 0x0 region_type = private name = "private_0x0000000013020000" filename = "" Region: id = 3141 start_va = 0x13060000 end_va = 0x1315ffff entry_point = 0x0 region_type = private name = "private_0x0000000013060000" filename = "" Region: id = 3142 start_va = 0x7fc79000 end_va = 0x7fc7bfff entry_point = 0x0 region_type = private name = "private_0x000000007fc79000" filename = "" Region: id = 3143 start_va = 0x13160000 end_va = 0x1319ffff entry_point = 0x0 region_type = private name = "private_0x0000000013160000" filename = "" Region: id = 3144 start_va = 0x131a0000 end_va = 0x1329ffff entry_point = 0x0 region_type = private name = "private_0x00000000131a0000" filename = "" Region: id = 3145 start_va = 0x7fc76000 end_va = 0x7fc78fff entry_point = 0x0 region_type = private name = "private_0x000000007fc76000" filename = "" Region: id = 3146 start_va = 0x132a0000 end_va = 0x132dffff entry_point = 0x0 region_type = private name = "private_0x00000000132a0000" filename = "" Region: id = 3147 start_va = 0x132e0000 end_va = 0x133dffff entry_point = 0x0 region_type = private name = "private_0x00000000132e0000" filename = "" Region: id = 3148 start_va = 0x7fc73000 end_va = 0x7fc75fff entry_point = 0x0 region_type = private name = "private_0x000000007fc73000" filename = "" Region: id = 3149 start_va = 0x133e0000 end_va = 0x1341ffff entry_point = 0x0 region_type = private name = "private_0x00000000133e0000" filename = "" Region: id = 3150 start_va = 0x13420000 end_va = 0x1351ffff entry_point = 0x0 region_type = private name = "private_0x0000000013420000" filename = "" Region: id = 3151 start_va = 0x7fc70000 end_va = 0x7fc72fff entry_point = 0x0 region_type = private name = "private_0x000000007fc70000" filename = "" Region: id = 3152 start_va = 0x13520000 end_va = 0x1355ffff entry_point = 0x0 region_type = private name = "private_0x0000000013520000" filename = "" Region: id = 3153 start_va = 0x13560000 end_va = 0x1365ffff entry_point = 0x0 region_type = private name = "private_0x0000000013560000" filename = "" Region: id = 3154 start_va = 0x13660000 end_va = 0x1369ffff entry_point = 0x0 region_type = private name = "private_0x0000000013660000" filename = "" Region: id = 3155 start_va = 0x136a0000 end_va = 0x1379ffff entry_point = 0x0 region_type = private name = "private_0x00000000136a0000" filename = "" Region: id = 3156 start_va = 0x7fc6a000 end_va = 0x7fc6cfff entry_point = 0x0 region_type = private name = "private_0x000000007fc6a000" filename = "" Region: id = 3157 start_va = 0x7fc6d000 end_va = 0x7fc6ffff entry_point = 0x0 region_type = private name = "private_0x000000007fc6d000" filename = "" Region: id = 3158 start_va = 0x137a0000 end_va = 0x137dffff entry_point = 0x0 region_type = private name = "private_0x00000000137a0000" filename = "" Region: id = 3159 start_va = 0x137e0000 end_va = 0x138dffff entry_point = 0x0 region_type = private name = "private_0x00000000137e0000" filename = "" Region: id = 3160 start_va = 0x138e0000 end_va = 0x1391ffff entry_point = 0x0 region_type = private name = "private_0x00000000138e0000" filename = "" Region: id = 3161 start_va = 0x13920000 end_va = 0x13a1ffff entry_point = 0x0 region_type = private name = "private_0x0000000013920000" filename = "" Region: id = 3162 start_va = 0x13a20000 end_va = 0x13a5ffff entry_point = 0x0 region_type = private name = "private_0x0000000013a20000" filename = "" Region: id = 3163 start_va = 0x13a60000 end_va = 0x13b5ffff entry_point = 0x0 region_type = private name = "private_0x0000000013a60000" filename = "" Region: id = 3164 start_va = 0x13b60000 end_va = 0x13b9ffff entry_point = 0x0 region_type = private name = "private_0x0000000013b60000" filename = "" Region: id = 3165 start_va = 0x13ba0000 end_va = 0x13c9ffff entry_point = 0x0 region_type = private name = "private_0x0000000013ba0000" filename = "" Region: id = 3166 start_va = 0x13ca0000 end_va = 0x13cdffff entry_point = 0x0 region_type = private name = "private_0x0000000013ca0000" filename = "" Region: id = 3167 start_va = 0x13ce0000 end_va = 0x13d1ffff entry_point = 0x0 region_type = private name = "private_0x0000000013ce0000" filename = "" Region: id = 3168 start_va = 0x13f60000 end_va = 0x1405ffff entry_point = 0x0 region_type = private name = "private_0x0000000013f60000" filename = "" Region: id = 3169 start_va = 0x14160000 end_va = 0x1425ffff entry_point = 0x0 region_type = private name = "private_0x0000000014160000" filename = "" Region: id = 3170 start_va = 0x14260000 end_va = 0x1429ffff entry_point = 0x0 region_type = private name = "private_0x0000000014260000" filename = "" Region: id = 3171 start_va = 0x142a0000 end_va = 0x1439ffff entry_point = 0x0 region_type = private name = "private_0x00000000142a0000" filename = "" Region: id = 3172 start_va = 0x7fc4c000 end_va = 0x7fc4efff entry_point = 0x0 region_type = private name = "private_0x000000007fc4c000" filename = "" Region: id = 3173 start_va = 0x7fc52000 end_va = 0x7fc54fff entry_point = 0x0 region_type = private name = "private_0x000000007fc52000" filename = "" Region: id = 3174 start_va = 0x7fc5b000 end_va = 0x7fc5dfff entry_point = 0x0 region_type = private name = "private_0x000000007fc5b000" filename = "" Region: id = 3175 start_va = 0x7fc5e000 end_va = 0x7fc60fff entry_point = 0x0 region_type = private name = "private_0x000000007fc5e000" filename = "" Region: id = 3176 start_va = 0x7fc61000 end_va = 0x7fc63fff entry_point = 0x0 region_type = private name = "private_0x000000007fc61000" filename = "" Region: id = 3177 start_va = 0x7fc64000 end_va = 0x7fc66fff entry_point = 0x0 region_type = private name = "private_0x000000007fc64000" filename = "" Region: id = 3178 start_va = 0x7fc67000 end_va = 0x7fc69fff entry_point = 0x0 region_type = private name = "private_0x000000007fc67000" filename = "" Region: id = 3179 start_va = 0x143a0000 end_va = 0x143dffff entry_point = 0x0 region_type = private name = "private_0x00000000143a0000" filename = "" Region: id = 3180 start_va = 0x143e0000 end_va = 0x144dffff entry_point = 0x0 region_type = private name = "private_0x00000000143e0000" filename = "" Region: id = 3181 start_va = 0x144e0000 end_va = 0x1451ffff entry_point = 0x0 region_type = private name = "private_0x00000000144e0000" filename = "" Region: id = 3182 start_va = 0x14ca0000 end_va = 0x14d9ffff entry_point = 0x0 region_type = private name = "private_0x0000000014ca0000" filename = "" Region: id = 3183 start_va = 0x7fc46000 end_va = 0x7fc48fff entry_point = 0x0 region_type = private name = "private_0x000000007fc46000" filename = "" Region: id = 3184 start_va = 0x7fc49000 end_va = 0x7fc4bfff entry_point = 0x0 region_type = private name = "private_0x000000007fc49000" filename = "" Region: id = 3185 start_va = 0x14da0000 end_va = 0x14ddffff entry_point = 0x0 region_type = private name = "private_0x0000000014da0000" filename = "" Region: id = 3186 start_va = 0x14de0000 end_va = 0x14edffff entry_point = 0x0 region_type = private name = "private_0x0000000014de0000" filename = "" Region: id = 3187 start_va = 0x14ee0000 end_va = 0x14f1ffff entry_point = 0x0 region_type = private name = "private_0x0000000014ee0000" filename = "" Region: id = 3188 start_va = 0x14f20000 end_va = 0x1501ffff entry_point = 0x0 region_type = private name = "private_0x0000000014f20000" filename = "" Region: id = 3189 start_va = 0x15020000 end_va = 0x1505ffff entry_point = 0x0 region_type = private name = "private_0x0000000015020000" filename = "" Region: id = 3190 start_va = 0x15060000 end_va = 0x1515ffff entry_point = 0x0 region_type = private name = "private_0x0000000015060000" filename = "" Region: id = 3191 start_va = 0x15160000 end_va = 0x1519ffff entry_point = 0x0 region_type = private name = "private_0x0000000015160000" filename = "" Region: id = 3192 start_va = 0x151a0000 end_va = 0x1529ffff entry_point = 0x0 region_type = private name = "private_0x00000000151a0000" filename = "" Region: id = 3193 start_va = 0x152a0000 end_va = 0x152dffff entry_point = 0x0 region_type = private name = "private_0x00000000152a0000" filename = "" Region: id = 3194 start_va = 0x152e0000 end_va = 0x153dffff entry_point = 0x0 region_type = private name = "private_0x00000000152e0000" filename = "" Region: id = 3195 start_va = 0x153e0000 end_va = 0x1541ffff entry_point = 0x0 region_type = private name = "private_0x00000000153e0000" filename = "" Region: id = 3196 start_va = 0x15420000 end_va = 0x1551ffff entry_point = 0x0 region_type = private name = "private_0x0000000015420000" filename = "" Region: id = 3197 start_va = 0x15520000 end_va = 0x1555ffff entry_point = 0x0 region_type = private name = "private_0x0000000015520000" filename = "" Region: id = 3198 start_va = 0x15560000 end_va = 0x1565ffff entry_point = 0x0 region_type = private name = "private_0x0000000015560000" filename = "" Region: id = 3199 start_va = 0x15660000 end_va = 0x1569ffff entry_point = 0x0 region_type = private name = "private_0x0000000015660000" filename = "" Region: id = 3200 start_va = 0x157e0000 end_va = 0x158dffff entry_point = 0x0 region_type = private name = "private_0x00000000157e0000" filename = "" Region: id = 3201 start_va = 0x158e0000 end_va = 0x1591ffff entry_point = 0x0 region_type = private name = "private_0x00000000158e0000" filename = "" Region: id = 3202 start_va = 0x15a60000 end_va = 0x15b5ffff entry_point = 0x0 region_type = private name = "private_0x0000000015a60000" filename = "" Region: id = 3203 start_va = 0x7fc16000 end_va = 0x7fc18fff entry_point = 0x0 region_type = private name = "private_0x000000007fc16000" filename = "" Region: id = 3204 start_va = 0x7fc1c000 end_va = 0x7fc1efff entry_point = 0x0 region_type = private name = "private_0x000000007fc1c000" filename = "" Region: id = 3205 start_va = 0x7fc1f000 end_va = 0x7fc21fff entry_point = 0x0 region_type = private name = "private_0x000000007fc1f000" filename = "" Region: id = 3206 start_va = 0x7fc22000 end_va = 0x7fc24fff entry_point = 0x0 region_type = private name = "private_0x000000007fc22000" filename = "" Region: id = 3207 start_va = 0x7fc25000 end_va = 0x7fc27fff entry_point = 0x0 region_type = private name = "private_0x000000007fc25000" filename = "" Region: id = 3208 start_va = 0x7fc28000 end_va = 0x7fc2afff entry_point = 0x0 region_type = private name = "private_0x000000007fc28000" filename = "" Region: id = 3209 start_va = 0x7fc2b000 end_va = 0x7fc2dfff entry_point = 0x0 region_type = private name = "private_0x000000007fc2b000" filename = "" Region: id = 3210 start_va = 0x7fc2e000 end_va = 0x7fc30fff entry_point = 0x0 region_type = private name = "private_0x000000007fc2e000" filename = "" Region: id = 3211 start_va = 0x7fc31000 end_va = 0x7fc33fff entry_point = 0x0 region_type = private name = "private_0x000000007fc31000" filename = "" Region: id = 3212 start_va = 0x15b60000 end_va = 0x15b9ffff entry_point = 0x0 region_type = private name = "private_0x0000000015b60000" filename = "" Region: id = 3213 start_va = 0x15e20000 end_va = 0x15f1ffff entry_point = 0x0 region_type = private name = "private_0x0000000015e20000" filename = "" Region: id = 3214 start_va = 0x7fc10000 end_va = 0x7fc12fff entry_point = 0x0 region_type = private name = "private_0x000000007fc10000" filename = "" Region: id = 3215 start_va = 0x15f20000 end_va = 0x15f5ffff entry_point = 0x0 region_type = private name = "private_0x0000000015f20000" filename = "" Region: id = 3216 start_va = 0x16960000 end_va = 0x16a5ffff entry_point = 0x0 region_type = private name = "private_0x0000000016960000" filename = "" Region: id = 3217 start_va = 0x1af60000 end_va = 0x1bf2ffff entry_point = 0x0 region_type = private name = "private_0x000000001af60000" filename = "" Region: id = 3218 start_va = 0x7fc07000 end_va = 0x7fc09fff entry_point = 0x0 region_type = private name = "private_0x000000007fc07000" filename = "" Region: id = 3219 start_va = 0x16a60000 end_va = 0x16a9ffff entry_point = 0x0 region_type = private name = "private_0x0000000016a60000" filename = "" Region: id = 3220 start_va = 0x16be0000 end_va = 0x16cdffff entry_point = 0x0 region_type = private name = "private_0x0000000016be0000" filename = "" Region: id = 3221 start_va = 0x7fbec000 end_va = 0x7fbeefff entry_point = 0x0 region_type = private name = "private_0x000000007fbec000" filename = "" Region: id = 3222 start_va = 0x16ce0000 end_va = 0x16d1ffff entry_point = 0x0 region_type = private name = "private_0x0000000016ce0000" filename = "" Region: id = 3223 start_va = 0x16d20000 end_va = 0x16e1ffff entry_point = 0x0 region_type = private name = "private_0x0000000016d20000" filename = "" Region: id = 3224 start_va = 0x7fbe9000 end_va = 0x7fbebfff entry_point = 0x0 region_type = private name = "private_0x000000007fbe9000" filename = "" Region: id = 3225 start_va = 0x16e20000 end_va = 0x16e5ffff entry_point = 0x0 region_type = private name = "private_0x0000000016e20000" filename = "" Region: id = 3226 start_va = 0x16fa0000 end_va = 0x1709ffff entry_point = 0x0 region_type = private name = "private_0x0000000016fa0000" filename = "" Region: id = 3227 start_va = 0x7fbe6000 end_va = 0x7fbe8fff entry_point = 0x0 region_type = private name = "private_0x000000007fbe6000" filename = "" Region: id = 3228 start_va = 0x170a0000 end_va = 0x170dffff entry_point = 0x0 region_type = private name = "private_0x00000000170a0000" filename = "" Region: id = 3229 start_va = 0x170e0000 end_va = 0x171dffff entry_point = 0x0 region_type = private name = "private_0x00000000170e0000" filename = "" Region: id = 3230 start_va = 0x171e0000 end_va = 0x1721ffff entry_point = 0x0 region_type = private name = "private_0x00000000171e0000" filename = "" Region: id = 3231 start_va = 0x17220000 end_va = 0x1731ffff entry_point = 0x0 region_type = private name = "private_0x0000000017220000" filename = "" Region: id = 3232 start_va = 0x17320000 end_va = 0x1735ffff entry_point = 0x0 region_type = private name = "private_0x0000000017320000" filename = "" Region: id = 3233 start_va = 0x17360000 end_va = 0x1745ffff entry_point = 0x0 region_type = private name = "private_0x0000000017360000" filename = "" Region: id = 3234 start_va = 0x17460000 end_va = 0x1749ffff entry_point = 0x0 region_type = private name = "private_0x0000000017460000" filename = "" Region: id = 3235 start_va = 0x174a0000 end_va = 0x1759ffff entry_point = 0x0 region_type = private name = "private_0x00000000174a0000" filename = "" Region: id = 3236 start_va = 0x175a0000 end_va = 0x175dffff entry_point = 0x0 region_type = private name = "private_0x00000000175a0000" filename = "" Region: id = 3237 start_va = 0x17720000 end_va = 0x1781ffff entry_point = 0x0 region_type = private name = "private_0x0000000017720000" filename = "" Region: id = 3238 start_va = 0x7fbd4000 end_va = 0x7fbd6fff entry_point = 0x0 region_type = private name = "private_0x000000007fbd4000" filename = "" Region: id = 3239 start_va = 0x7fbd7000 end_va = 0x7fbd9fff entry_point = 0x0 region_type = private name = "private_0x000000007fbd7000" filename = "" Region: id = 3240 start_va = 0x7fbda000 end_va = 0x7fbdcfff entry_point = 0x0 region_type = private name = "private_0x000000007fbda000" filename = "" Region: id = 3241 start_va = 0x7fbdd000 end_va = 0x7fbdffff entry_point = 0x0 region_type = private name = "private_0x000000007fbdd000" filename = "" Region: id = 3242 start_va = 0x7fbe0000 end_va = 0x7fbe2fff entry_point = 0x0 region_type = private name = "private_0x000000007fbe0000" filename = "" Region: id = 3243 start_va = 0x17820000 end_va = 0x1785ffff entry_point = 0x0 region_type = private name = "private_0x0000000017820000" filename = "" Region: id = 3244 start_va = 0x179a0000 end_va = 0x17a9ffff entry_point = 0x0 region_type = private name = "private_0x00000000179a0000" filename = "" Region: id = 3245 start_va = 0x7fbcb000 end_va = 0x7fbcdfff entry_point = 0x0 region_type = private name = "private_0x000000007fbcb000" filename = "" Region: id = 3246 start_va = 0x17aa0000 end_va = 0x17adffff entry_point = 0x0 region_type = private name = "private_0x0000000017aa0000" filename = "" Region: id = 3247 start_va = 0x17d60000 end_va = 0x17e5ffff entry_point = 0x0 region_type = private name = "private_0x0000000017d60000" filename = "" Region: id = 3248 start_va = 0x7fbc5000 end_va = 0x7fbc7fff entry_point = 0x0 region_type = private name = "private_0x000000007fbc5000" filename = "" Region: id = 3249 start_va = 0x17e60000 end_va = 0x17e9ffff entry_point = 0x0 region_type = private name = "private_0x0000000017e60000" filename = "" Region: id = 3250 start_va = 0x17ea0000 end_va = 0x17f9ffff entry_point = 0x0 region_type = private name = "private_0x0000000017ea0000" filename = "" Region: id = 3251 start_va = 0x7fbbc000 end_va = 0x7fbbefff entry_point = 0x0 region_type = private name = "private_0x000000007fbbc000" filename = "" Region: id = 3252 start_va = 0x3140000 end_va = 0x3140fff entry_point = 0x3140000 region_type = mapped_file name = "desktop.ini id-br3n0g72wub8cejt.lyas" filename = "\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\desktop.ini id-br3n0g72wub8cejt.lyas") Region: id = 3253 start_va = 0x17fa0000 end_va = 0x17fdffff entry_point = 0x0 region_type = private name = "private_0x0000000017fa0000" filename = "" Region: id = 3254 start_va = 0x18120000 end_va = 0x1821ffff entry_point = 0x0 region_type = private name = "private_0x0000000018120000" filename = "" Region: id = 3255 start_va = 0x18220000 end_va = 0x1825ffff entry_point = 0x0 region_type = private name = "private_0x0000000018220000" filename = "" Region: id = 3256 start_va = 0x18260000 end_va = 0x1835ffff entry_point = 0x0 region_type = private name = "private_0x0000000018260000" filename = "" Region: id = 3257 start_va = 0x18360000 end_va = 0x1839ffff entry_point = 0x0 region_type = private name = "private_0x0000000018360000" filename = "" Region: id = 3258 start_va = 0x183a0000 end_va = 0x1849ffff entry_point = 0x0 region_type = private name = "private_0x00000000183a0000" filename = "" Region: id = 3259 start_va = 0x184a0000 end_va = 0x184dffff entry_point = 0x0 region_type = private name = "private_0x00000000184a0000" filename = "" Region: id = 3260 start_va = 0x184e0000 end_va = 0x185dffff entry_point = 0x0 region_type = private name = "private_0x00000000184e0000" filename = "" Region: id = 3261 start_va = 0x185e0000 end_va = 0x1861ffff entry_point = 0x0 region_type = private name = "private_0x00000000185e0000" filename = "" Region: id = 3262 start_va = 0x188a0000 end_va = 0x1899ffff entry_point = 0x0 region_type = private name = "private_0x00000000188a0000" filename = "" Region: id = 3263 start_va = 0x189a0000 end_va = 0x189dffff entry_point = 0x0 region_type = private name = "private_0x00000000189a0000" filename = "" Region: id = 3264 start_va = 0x18b20000 end_va = 0x18c1ffff entry_point = 0x0 region_type = private name = "private_0x0000000018b20000" filename = "" Region: id = 3265 start_va = 0x18c20000 end_va = 0x18c5ffff entry_point = 0x0 region_type = private name = "private_0x0000000018c20000" filename = "" Region: id = 3266 start_va = 0x18ee0000 end_va = 0x18fdffff entry_point = 0x0 region_type = private name = "private_0x0000000018ee0000" filename = "" Region: id = 3267 start_va = 0x18fe0000 end_va = 0x1901ffff entry_point = 0x0 region_type = private name = "private_0x0000000018fe0000" filename = "" Region: id = 3268 start_va = 0x19020000 end_va = 0x1911ffff entry_point = 0x0 region_type = private name = "private_0x0000000019020000" filename = "" Region: id = 3269 start_va = 0x19120000 end_va = 0x1915ffff entry_point = 0x0 region_type = private name = "private_0x0000000019120000" filename = "" Region: id = 3270 start_va = 0x192a0000 end_va = 0x192dffff entry_point = 0x0 region_type = private name = "private_0x00000000192a0000" filename = "" Region: id = 3271 start_va = 0x192e0000 end_va = 0x193dffff entry_point = 0x0 region_type = private name = "private_0x00000000192e0000" filename = "" Region: id = 3272 start_va = 0x19a20000 end_va = 0x19a5ffff entry_point = 0x0 region_type = private name = "private_0x0000000019a20000" filename = "" Region: id = 3273 start_va = 0x19a60000 end_va = 0x19b5ffff entry_point = 0x0 region_type = private name = "private_0x0000000019a60000" filename = "" Region: id = 3274 start_va = 0x19b60000 end_va = 0x19b9ffff entry_point = 0x0 region_type = private name = "private_0x0000000019b60000" filename = "" Region: id = 3275 start_va = 0x19ba0000 end_va = 0x19c9ffff entry_point = 0x0 region_type = private name = "private_0x0000000019ba0000" filename = "" Region: id = 3276 start_va = 0x19ca0000 end_va = 0x19cdffff entry_point = 0x0 region_type = private name = "private_0x0000000019ca0000" filename = "" Region: id = 3277 start_va = 0x19ce0000 end_va = 0x19ddffff entry_point = 0x0 region_type = private name = "private_0x0000000019ce0000" filename = "" Region: id = 3278 start_va = 0x19de0000 end_va = 0x19e1ffff entry_point = 0x0 region_type = private name = "private_0x0000000019de0000" filename = "" Region: id = 3279 start_va = 0x19e20000 end_va = 0x19f1ffff entry_point = 0x0 region_type = private name = "private_0x0000000019e20000" filename = "" Region: id = 3280 start_va = 0x7fb71000 end_va = 0x7fb73fff entry_point = 0x0 region_type = private name = "private_0x000000007fb71000" filename = "" Region: id = 3281 start_va = 0x7fb74000 end_va = 0x7fb76fff entry_point = 0x0 region_type = private name = "private_0x000000007fb74000" filename = "" Region: id = 3282 start_va = 0x7fb77000 end_va = 0x7fb79fff entry_point = 0x0 region_type = private name = "private_0x000000007fb77000" filename = "" Region: id = 3283 start_va = 0x7fb89000 end_va = 0x7fb8bfff entry_point = 0x0 region_type = private name = "private_0x000000007fb89000" filename = "" Region: id = 3284 start_va = 0x7fb8f000 end_va = 0x7fb91fff entry_point = 0x0 region_type = private name = "private_0x000000007fb8f000" filename = "" Region: id = 3285 start_va = 0x7fb92000 end_va = 0x7fb94fff entry_point = 0x0 region_type = private name = "private_0x000000007fb92000" filename = "" Region: id = 3286 start_va = 0x7fb9b000 end_va = 0x7fb9dfff entry_point = 0x0 region_type = private name = "private_0x000000007fb9b000" filename = "" Region: id = 3287 start_va = 0x7fba1000 end_va = 0x7fba3fff entry_point = 0x0 region_type = private name = "private_0x000000007fba1000" filename = "" Region: id = 3288 start_va = 0x7fbaa000 end_va = 0x7fbacfff entry_point = 0x0 region_type = private name = "private_0x000000007fbaa000" filename = "" Region: id = 3289 start_va = 0x7fbad000 end_va = 0x7fbaffff entry_point = 0x0 region_type = private name = "private_0x000000007fbad000" filename = "" Region: id = 3290 start_va = 0x7fbb0000 end_va = 0x7fbb2fff entry_point = 0x0 region_type = private name = "private_0x000000007fbb0000" filename = "" Region: id = 3291 start_va = 0x7fbb3000 end_va = 0x7fbb5fff entry_point = 0x0 region_type = private name = "private_0x000000007fbb3000" filename = "" Region: id = 3292 start_va = 0x7fbb9000 end_va = 0x7fbbbfff entry_point = 0x0 region_type = private name = "private_0x000000007fbb9000" filename = "" Region: id = 3293 start_va = 0x31d0000 end_va = 0x31fdfff entry_point = 0x31d0000 region_type = mapped_file name = "1494870c-9912-c184-4cc9-b401-a53f4d8de290.pdf id-br3n0g72wub8cejt.lyas" filename = "\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\adobe\\acrobat reader dc\\reader\\1494870c-9912-c184-4cc9-b401-a53f4d8de290.pdf id-br3n0g72wub8cejt.lyas") Region: id = 3294 start_va = 0x1a1a0000 end_va = 0x1a1dffff entry_point = 0x0 region_type = private name = "private_0x000000001a1a0000" filename = "" Region: id = 3295 start_va = 0x1a1e0000 end_va = 0x1a2dffff entry_point = 0x0 region_type = private name = "private_0x000000001a1e0000" filename = "" Region: id = 3296 start_va = 0x1a2e0000 end_va = 0x1a31ffff entry_point = 0x0 region_type = private name = "private_0x000000001a2e0000" filename = "" Region: id = 3297 start_va = 0x1a320000 end_va = 0x1a41ffff entry_point = 0x0 region_type = private name = "private_0x000000001a320000" filename = "" Region: id = 3298 start_va = 0x7fb65000 end_va = 0x7fb67fff entry_point = 0x0 region_type = private name = "private_0x000000007fb65000" filename = "" Region: id = 3299 start_va = 0x7fb6e000 end_va = 0x7fb70fff entry_point = 0x0 region_type = private name = "private_0x000000007fb6e000" filename = "" Region: id = 3300 start_va = 0x3140000 end_va = 0x3140fff entry_point = 0x3140000 region_type = mapped_file name = "desktop.ini id-br3n0g72wub8cejt.lyas" filename = "\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini id-br3n0g72wub8cejt.lyas") Region: id = 3301 start_va = 0x4dc0000 end_va = 0x4dc4fff entry_point = 0x4dc0000 region_type = mapped_file name = "api-ms-win-core-file-l1-2-0.dll id-br3n0g72wub8cejt.lyas" filename = "\\Program Files\\Microsoft Office\\root\\Flattener\\api-ms-win-core-file-l1-2-0.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\api-ms-win-core-file-l1-2-0.dll id-br3n0g72wub8cejt.lyas") Region: id = 3302 start_va = 0x4dd0000 end_va = 0x4dd1fff entry_point = 0x4dd0000 region_type = mapped_file name = "enutxt.pdf id-br3n0g72wub8cejt.lyas" filename = "\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\ENUtxt.pdf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\adobe\\acrobat reader dc\\resource\\enutxt.pdf id-br3n0g72wub8cejt.lyas") Region: id = 3303 start_va = 0x1a560000 end_va = 0x1a59ffff entry_point = 0x0 region_type = private name = "private_0x000000001a560000" filename = "" Region: id = 3304 start_va = 0x1a5a0000 end_va = 0x1a69ffff entry_point = 0x0 region_type = private name = "private_0x000000001a5a0000" filename = "" Region: id = 3305 start_va = 0x1a7e0000 end_va = 0x1a81ffff entry_point = 0x0 region_type = private name = "private_0x000000001a7e0000" filename = "" Region: id = 3306 start_va = 0x1a820000 end_va = 0x1a91ffff entry_point = 0x0 region_type = private name = "private_0x000000001a820000" filename = "" Region: id = 3307 start_va = 0x7fb5c000 end_va = 0x7fb5efff entry_point = 0x0 region_type = private name = "private_0x000000007fb5c000" filename = "" Region: id = 3308 start_va = 0x7fb62000 end_va = 0x7fb64fff entry_point = 0x0 region_type = private name = "private_0x000000007fb62000" filename = "" Region: id = 3309 start_va = 0x4de0000 end_va = 0x4de0fff entry_point = 0x4de0000 region_type = mapped_file name = "accessible.tlb id-br3n0g72wub8cejt.lyas" filename = "\\Program Files (x86)\\Mozilla Firefox\\Accessible.tlb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\mozilla firefox\\accessible.tlb id-br3n0g72wub8cejt.lyas") Region: id = 3310 start_va = 0x1a920000 end_va = 0x1a95ffff entry_point = 0x1a920000 region_type = mapped_file name = "ose.exe id-br3n0g72wub8cejt.lyas" filename = "\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe id-br3n0g72wub8cejt.lyas") Region: id = 3311 start_va = 0x4de0000 end_va = 0x4de6fff entry_point = 0x4de0000 region_type = mapped_file name = "accessiblemarshal.dll id-br3n0g72wub8cejt.lyas" filename = "\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\mozilla firefox\\accessiblemarshal.dll id-br3n0g72wub8cejt.lyas") Thread: id = 1 os_tid = 0xfdc [0065.463] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74f40000 [0065.463] GetProcAddress (hModule=0x74f40000, lpProcName="VirtualAlloc") returned 0x74f58b70 [0065.463] GetProcAddress (hModule=0x74f40000, lpProcName="VirtualFree") returned 0x74f58c70 [0065.463] VirtualAlloc (lpAddress=0x0, dwSize=0x1800, flAllocationType=0x1000, flProtect=0x4) returned 0x3e0000 [0065.463] VirtualAlloc (lpAddress=0x0, dwSize=0x110e, flAllocationType=0x1000, flProtect=0x4) returned 0x3f0000 [0065.464] VirtualFree (lpAddress=0x3f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.464] VirtualAlloc (lpAddress=0x0, dwSize=0x90e, flAllocationType=0x1000, flProtect=0x4) returned 0x3f0000 [0065.465] VirtualFree (lpAddress=0x3f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.465] VirtualAlloc (lpAddress=0x0, dwSize=0xf0e, flAllocationType=0x1000, flProtect=0x4) returned 0x3f0000 [0065.465] VirtualFree (lpAddress=0x3f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.465] VirtualFree (lpAddress=0x3e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.466] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74f40000 [0065.466] GetProcAddress (hModule=0x74f40000, lpProcName="GlobalFree") returned 0x74f63a70 [0065.466] GetProcAddress (hModule=0x74f40000, lpProcName="GlobalMemoryStatus") returned 0x74f592d0 [0065.466] GetProcAddress (hModule=0x74f40000, lpProcName="MapViewOfFile") returned 0x74f58c10 [0065.466] GetProcAddress (hModule=0x74f40000, lpProcName="MoveFileW") returned 0x74f5a770 [0065.466] GetProcAddress (hModule=0x74f40000, lpProcName="MultiByteToWideChar") returned 0x74f52d60 [0065.466] GetProcAddress (hModule=0x74f40000, lpProcName="OpenProcess") returned 0x74f592b0 [0065.466] GetProcAddress (hModule=0x74f40000, lpProcName="Process32FirstW") returned 0x74f5ee30 [0065.466] GetProcAddress (hModule=0x74f40000, lpProcName="Process32NextW") returned 0x74f5c9b0 [0065.467] GetProcAddress (hModule=0x74f40000, lpProcName="RtlZeroMemory") returned 0x7772d040 [0065.467] GetProcAddress (hModule=0x74f40000, lpProcName="SetErrorMode") returned 0x74f58bf0 [0065.467] GetProcAddress (hModule=0x74f40000, lpProcName="SetFileAttributesW") returned 0x74f66510 [0065.467] GetProcAddress (hModule=0x74f40000, lpProcName="SetFilePointerEx") returned 0x74f66540 [0065.467] GetProcAddress (hModule=0x74f40000, lpProcName="GlobalAlloc") returned 0x74f59600 [0065.467] GetProcAddress (hModule=0x74f40000, lpProcName="TerminateProcess") returned 0x74f5fbc0 [0065.467] GetProcAddress (hModule=0x74f40000, lpProcName="UnmapViewOfFile") returned 0x74f594b0 [0065.467] GetProcAddress (hModule=0x74f40000, lpProcName="WriteFile") returned 0x74f66590 [0065.467] GetProcAddress (hModule=0x74f40000, lpProcName="lstrcatA") returned 0x74f5efc0 [0065.467] GetProcAddress (hModule=0x74f40000, lpProcName="lstrcatW") returned 0x74f7d320 [0065.468] GetProcAddress (hModule=0x74f40000, lpProcName="lstrcmpW") returned 0x74f578d0 [0065.468] GetProcAddress (hModule=0x74f40000, lpProcName="lstrcmpiA") returned 0x74f57610 [0065.468] GetProcAddress (hModule=0x74f40000, lpProcName="lstrcmpiW") returned 0x74f57540 [0065.468] GetProcAddress (hModule=0x74f40000, lpProcName="lstrcpyW") returned 0x74f7d410 [0065.468] GetProcAddress (hModule=0x74f40000, lpProcName="lstrlenA") returned 0x74f63a30 [0065.468] GetProcAddress (hModule=0x74f40000, lpProcName="lstrlenW") returned 0x74f52d80 [0065.468] GetProcAddress (hModule=0x74f40000, lpProcName="GetModuleFileNameA") returned 0x74f5a040 [0065.468] GetProcAddress (hModule=0x74f40000, lpProcName="GetLogicalDrives") returned 0x74f5ec30 [0065.469] GetProcAddress (hModule=0x74f40000, lpProcName="GetLastError") returned 0x74f52db0 [0065.469] GetProcAddress (hModule=0x74f40000, lpProcName="GetFileAttributesW") returned 0x74f66340 [0065.469] GetProcAddress (hModule=0x74f40000, lpProcName="GetEnvironmentVariableA") returned 0x74f5a390 [0065.469] GetProcAddress (hModule=0x74f40000, lpProcName="GetCurrentProcessId") returned 0x74f51d90 [0065.469] GetProcAddress (hModule=0x74f40000, lpProcName="FindNextFileW") returned 0x74f66290 [0065.469] GetProcAddress (hModule=0x74f40000, lpProcName="FindFirstFileW") returned 0x74f66250 [0065.469] GetProcAddress (hModule=0x74f40000, lpProcName="FindClose") returned 0x74f661d0 [0065.469] GetProcAddress (hModule=0x74f40000, lpProcName="CreateToolhelp32Snapshot") returned 0x74f67510 [0065.469] GetProcAddress (hModule=0x74f40000, lpProcName="CreateThread") returned 0x74f59700 [0065.469] GetProcAddress (hModule=0x74f40000, lpProcName="CreateFileW") returned 0x74f66180 [0065.470] GetProcAddress (hModule=0x74f40000, lpProcName="CreateFileMappingA") returned 0x74f57710 [0065.470] GetProcAddress (hModule=0x74f40000, lpProcName="CreateFileA") returned 0x74f66170 [0065.470] GetProcAddress (hModule=0x74f40000, lpProcName="CopyFileA") returned 0x74f5c510 [0065.470] GetProcAddress (hModule=0x74f40000, lpProcName="Sleep") returned 0x74f577b0 [0065.470] GetProcAddress (hModule=0x74f40000, lpProcName="CloseHandle") returned 0x74f65f20 [0065.470] GetModuleHandleA (lpModuleName="shell32.dll") returned 0x75310000 [0065.470] GetProcAddress (hModule=0x75310000, lpProcName="SHChangeNotify") returned 0x754426d0 [0065.470] GetProcAddress (hModule=0x75310000, lpProcName="ShellExecuteA") returned 0x75572110 [0065.470] GetModuleHandleA (lpModuleName="advapi32.dll") returned 0x77550000 [0065.470] GetProcAddress (hModule=0x77550000, lpProcName="RegOpenKeyExA") returned 0x7756f000 [0065.471] GetProcAddress (hModule=0x77550000, lpProcName="RegCloseKey") returned 0x7756efa0 [0065.471] GetProcAddress (hModule=0x77550000, lpProcName="OpenProcessToken") returned 0x7756ee90 [0065.471] GetProcAddress (hModule=0x77550000, lpProcName="LookupPrivilegeValueA") returned 0x77583e70 [0065.471] GetProcAddress (hModule=0x77550000, lpProcName="CryptReleaseContext") returned 0x77570ad0 [0065.471] GetProcAddress (hModule=0x77550000, lpProcName="CryptImportKey") returned 0x7756f890 [0065.471] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenKey") returned 0x77573fd0 [0065.471] GetProcAddress (hModule=0x77550000, lpProcName="CryptExportKey") returned 0x7756f8f0 [0065.471] GetProcAddress (hModule=0x77550000, lpProcName="CryptEncrypt") returned 0x77585bd0 [0065.471] GetProcAddress (hModule=0x77550000, lpProcName="CryptDestroyKey") returned 0x7756fc10 [0065.472] GetProcAddress (hModule=0x77550000, lpProcName="CryptDecrypt") returned 0x775710f0 [0065.472] GetProcAddress (hModule=0x77550000, lpProcName="CryptAcquireContextA") returned 0x77570c00 [0065.472] GetProcAddress (hModule=0x77550000, lpProcName="AdjustTokenPrivileges") returned 0x77570680 [0065.472] GetProcAddress (hModule=0x77550000, lpProcName="RegQueryValueExA") returned 0x7756ee40 [0065.472] GetProcAddress (hModule=0x77550000, lpProcName="RegSetValueExA") returned 0x77570750 [0065.472] GetProcAddress (hModule=0x77550000, lpProcName="RegCreateKeyA") returned 0x77573150 [0065.472] GetModuleHandleA (lpModuleName="mpr.dll") returned 0x745f0000 [0065.472] GetProcAddress (hModule=0x745f0000, lpProcName="WNetOpenEnumA") returned 0x745fd6c0 [0065.472] GetProcAddress (hModule=0x745f0000, lpProcName="WNetEnumResourceA") returned 0x745fcc80 [0065.472] GetProcAddress (hModule=0x745f0000, lpProcName="WNetCloseEnum") returned 0x745f3710 [0065.473] CryptAcquireContextA (in: phProv=0x19ff78, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19ff78*=0x58f6e8) returned 1 [0066.234] CryptImportKey (in: hProv=0x58f6e8, pbData=0x401037, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x0, phKey=0x19ff74 | out: phKey=0x19ff74*=0x5956e8) returned 1 [0066.423] CryptDecrypt (in: hKey=0x5956e8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x403000, pdwDataLen=0x19ff7c | out: pbData=0x403000, pdwDataLen=0x19ff7c) returned 1 [0066.483] CryptDestroyKey (hKey=0x5956e8) returned 1 [0066.483] CryptReleaseContext (hProv=0x58f6e8, dwFlags=0x0) returned 1 [0066.483] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x401c6e, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a4 [0066.484] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x59b7c8, nSize=0x8000 | out: lpFilename="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\CRYPT.EXE" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\crypt.exe")) returned 0x27 [0066.485] lstrcmpiA (lpString1="C:\\windows\\searchfiles.exe", lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\CRYPT.EXE") returned 1 [0066.487] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", ulOptions=0x0, samDesired=0xf013f, phkResult=0x19ff64 | out: phkResult=0x19ff64*=0x1b4) returned 0x0 [0066.487] lstrlenA (lpString="\"c:\\How To Restore Files.hta\"") returned 29 [0066.487] RegSetValueExA (in: hKey=0x1b4, lpValueName="unlock", Reserved=0x0, dwType=0x1, lpData="\"c:\\How To Restore Files.hta\"", cbData=0x1d | out: lpData="\"c:\\How To Restore Files.hta\"") returned 0x0 [0066.488] lstrlenA (lpString="C:\\windows\\searchfiles.exe") returned 26 [0066.488] RegSetValueExA (in: hKey=0x1b4, lpValueName="searchfiles", Reserved=0x0, dwType=0x1, lpData="C:\\windows\\searchfiles.exe", cbData=0x1a | out: lpData="C:\\windows\\searchfiles.exe") returned 0x0 [0066.488] RegCloseKey (hKey=0x1b4) returned 0x0 [0066.489] CopyFileA (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\CRYPT.EXE" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\crypt.exe"), lpNewFileName="C:\\windows\\searchfiles.exe" (normalized: "c:\\windows\\searchfiles.exe"), bFailIfExists=0) returned 1 [0066.780] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DateTime\\", ulOptions=0x0, samDesired=0xf013f, phkResult=0x19ff64 | out: phkResult=0x19ff64*=0x1b4) returned 0x0 [0066.780] RegQueryValueExA (in: hKey=0x1b4, lpValueName="orsa", lpReserved=0x0, lpType=0x0, lpData=0x4041a0, lpcbData=0x19ff54*=0x114 | out: lpType=0x0, lpData=0x4041a0, lpcbData=0x19ff54*=0x114) returned 0x2 [0066.780] CryptAcquireContextA (in: phProv=0x19ff5c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x19ff5c*=0x58f6e8) returned 1 [0066.780] CryptGenKey (in: hProv=0x58f6e8, Algid=0x1, dwFlags=0x8000001, phKey=0x19ff68 | out: phKey=0x19ff68*=0x595468) returned 1 [0069.259] CryptExportKey (in: hKey=0x595468, hExpKey=0x0, dwBlobType=0x7, dwFlags=0x0, pbData=0x59b7c8, pdwDataLen=0x19ff58 | out: pbData=0x59b7c8*, pdwDataLen=0x19ff58*=0x494) returned 1 [0069.259] CryptExportKey (in: hKey=0x595468, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x4041a0, pdwDataLen=0x19ff58 | out: pbData=0x4041a0*, pdwDataLen=0x19ff58*=0x114) returned 1 [0069.259] CryptDestroyKey (hKey=0x595468) returned 1 [0069.259] CryptReleaseContext (hProv=0x58f6e8, dwFlags=0x0) returned 1 [0069.259] CryptAcquireContextA (in: phProv=0x19ff5c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x19ff5c*=0x58f6e8) returned 1 [0069.260] CryptImportKey (in: hProv=0x58f6e8, pbData=0x403b83, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x40364b | out: phKey=0x40364b*=0x5951a8) returned 1 [0069.260] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x403ca0*, pdwDataLen=0x19ff58*=0xf4, dwBufLen=0x500 | out: pbData=0x403ca0*, pdwDataLen=0x19ff58*=0x100) returned 1 [0069.345] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x403da0*, pdwDataLen=0x19ff58*=0xf4, dwBufLen=0x500 | out: pbData=0x403da0*, pdwDataLen=0x19ff58*=0x100) returned 1 [0069.345] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x403ea0*, pdwDataLen=0x19ff58*=0xf4, dwBufLen=0x500 | out: pbData=0x403ea0*, pdwDataLen=0x19ff58*=0x100) returned 1 [0069.346] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x403fa0*, pdwDataLen=0x19ff58*=0xf4, dwBufLen=0x500 | out: pbData=0x403fa0*, pdwDataLen=0x19ff58*=0x100) returned 1 [0069.346] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4040a0*, pdwDataLen=0x19ff58*=0xc4, dwBufLen=0x500 | out: pbData=0x4040a0*, pdwDataLen=0x19ff58*=0x100) returned 1 [0069.347] CryptDestroyKey (hKey=0x5951a8) returned 1 [0069.347] CryptReleaseContext (hProv=0x58f6e8, dwFlags=0x0) returned 1 [0069.347] RegSetValueExA (in: hKey=0x1b4, lpValueName="orsa", Reserved=0x0, dwType=0x3, lpData=0x4041a0*, cbData=0x114 | out: lpData=0x4041a0*) returned 0x0 [0069.347] RegSetValueExA (in: hKey=0x1b4, lpValueName="rsa", Reserved=0x0, dwType=0x3, lpData=0x403ca0*, cbData=0x500 | out: lpData=0x403ca0*) returned 0x0 [0069.348] RegCloseKey (hKey=0x1b4) returned 0x0 [0069.348] CryptAcquireContextA (in: phProv=0x19ff5c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x19ff5c*=0x58f6e8) returned 1 [0069.349] CryptImportKey (in: hProv=0x58f6e8, pbData=0x4041a0, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x40364b | out: phKey=0x40364b*=0x5951a8) returned 1 [0069.349] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x403160, cbMultiByte=-1, lpWideCharStr=0x403657, cchWideChar=16 | out: lpWideCharStr="Br3n0G72wUb8CejT.LyaS") returned 0 [0069.349] lstrcatA (in: lpString1="", lpString2=".LyaS" | out: lpString1=".LyaS") returned=".LyaS" [0069.349] lstrcatA (in: lpString1=".LyaS", lpString2="\\shell\\open\\command" | out: lpString1=".LyaS\\shell\\open\\command") returned=".LyaS\\shell\\open\\command" [0069.349] RegCreateKeyA (in: hKey=0x80000000, lpSubKey=".LyaS\\shell\\open\\command", phkResult=0x19ff64 | out: phkResult=0x19ff64*=0x21a) returned 0x0 [0069.353] lstrcatA (in: lpString1="", lpString2="C:\\Windows\\System32\\mshta.exe " | out: lpString1="C:\\Windows\\System32\\mshta.exe ") returned="C:\\Windows\\System32\\mshta.exe " [0069.353] lstrcatA (in: lpString1="C:\\Windows\\System32\\mshta.exe ", lpString2="\"c:\\How To Restore Files.hta\"" | out: lpString1="C:\\Windows\\System32\\mshta.exe \"c:\\How To Restore Files.hta\"") returned="C:\\Windows\\System32\\mshta.exe \"c:\\How To Restore Files.hta\"" [0069.353] lstrlenA (lpString="C:\\Windows\\System32\\mshta.exe \"c:\\How To Restore Files.hta\"") returned 59 [0069.353] RegSetValueExA (in: hKey=0x21a, lpValueName="", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\System32\\mshta.exe \"c:\\How To Restore Files.hta\"", cbData=0x3b | out: lpData="C:\\Windows\\System32\\mshta.exe \"c:\\How To Restore Files.hta\"") returned 0x0 [0069.353] RegCloseKey (hKey=0x21a) returned 0x0 [0069.353] SHChangeNotify (wEventId=134217728, uFlags=0x0, dwItem1=0x0, dwItem2=0x0) [0072.231] GetEnvironmentVariableA (in: lpName="ComSpec", lpBuffer=0x59b7c8, nSize=0x5dc | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0072.231] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="C:\\Windows\\system32\\cmd.exe", lpParameters="/c vssadmin delete shadows /all", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0078.023] SetErrorMode (uMode=0x1) returned 0x0 [0078.024] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x19ff38 | out: TokenHandle=0x19ff38*=0x30c) returned 1 [0078.024] LookupPrivilegeValueA (in: lpSystemName=0x0, lpName="SeBackupPrivilege", lpLuid=0x19ff2c | out: lpLuid=0x19ff2c*(LowPart=0x11, HighPart=0)) returned 1 [0078.029] AdjustTokenPrivileges (in: TokenHandle=0x30c, DisableAllPrivileges=0, NewState=0x19ff28*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0078.029] CloseHandle (hObject=0x30c) returned 1 [0078.029] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x19ff38 | out: TokenHandle=0x19ff38*=0x30c) returned 1 [0078.029] LookupPrivilegeValueA (in: lpSystemName=0x0, lpName="SeRestorePrivilege", lpLuid=0x19ff2c | out: lpLuid=0x19ff2c*(LowPart=0x12, HighPart=0)) returned 1 [0078.030] AdjustTokenPrivileges (in: TokenHandle=0x30c, DisableAllPrivileges=0, NewState=0x19ff28*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0078.030] CloseHandle (hObject=0x30c) returned 1 [0078.030] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x401131, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0078.031] CloseHandle (hObject=0x30c) returned 1 [0078.031] GetLogicalDrives () returned 0x4 [0078.034] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0078.034] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0xffff, lpStartAddress=0x4014b8, lpParameter=0x5ded18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0078.035] CloseHandle (hObject=0x30c) returned 1 [0078.035] Sleep (dwMilliseconds=0x7530) [0088.429] Sleep (dwMilliseconds=0x7530) [0099.210] Sleep (dwMilliseconds=0x7530) Thread: id = 2 os_tid = 0xfe8 Thread: id = 3 os_tid = 0xc14 [0066.762] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x54fd40 | out: TokenHandle=0x54fd40*=0x1dc) returned 1 [0066.762] LookupPrivilegeValueA (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x54fd34 | out: lpLuid=0x54fd34*(LowPart=0x14, HighPart=0)) returned 1 [0066.766] AdjustTokenPrivileges (in: TokenHandle=0x1dc, DisableAllPrivileges=0, NewState=0x54fd30*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0066.766] CloseHandle (hObject=0x1dc) returned 1 [0066.766] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1dc [0066.773] Process32FirstW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0066.773] lstrcmpiW (lpString1="[System Process]", lpString2="[System process]") returned 0 [0066.773] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0066.774] lstrcmpiW (lpString1="System", lpString2="[System process]") returned 1 [0066.774] lstrlenW (lpString="[System process]") returned 16 [0066.774] lstrcmpiW (lpString1="System", lpString2="System") returned 0 [0066.774] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0066.775] lstrcmpiW (lpString1="smss.exe", lpString2="[System process]") returned 1 [0066.775] lstrlenW (lpString="[System process]") returned 16 [0066.775] lstrcmpiW (lpString1="smss.exe", lpString2="System") returned -1 [0066.775] lstrlenW (lpString="System") returned 6 [0066.775] lstrcmpiW (lpString1="smss.exe", lpString2="smss.exe") returned 0 [0066.775] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0066.811] lstrcmpiW (lpString1="csrss.exe", lpString2="[System process]") returned 1 [0066.811] lstrlenW (lpString="[System process]") returned 16 [0066.811] lstrcmpiW (lpString1="csrss.exe", lpString2="System") returned -1 [0066.811] lstrlenW (lpString="System") returned 6 [0066.811] lstrcmpiW (lpString1="csrss.exe", lpString2="smss.exe") returned -1 [0066.811] lstrlenW (lpString="smss.exe") returned 8 [0066.811] lstrcmpiW (lpString1="csrss.exe", lpString2="dllhost.exe") returned -1 [0066.811] lstrlenW (lpString="dllhost.exe") returned 11 [0066.811] lstrcmpiW (lpString1="csrss.exe", lpString2="svchost.exe") returned -1 [0066.811] lstrlenW (lpString="svchost.exe") returned 11 [0066.811] lstrcmpiW (lpString1="csrss.exe", lpString2="csrss.exe") returned 0 [0066.811] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0066.812] lstrcmpiW (lpString1="wininit.exe", lpString2="[System process]") returned 1 [0066.812] lstrlenW (lpString="[System process]") returned 16 [0066.812] lstrcmpiW (lpString1="wininit.exe", lpString2="System") returned 1 [0066.812] lstrlenW (lpString="System") returned 6 [0066.812] lstrcmpiW (lpString1="wininit.exe", lpString2="smss.exe") returned 1 [0066.812] lstrlenW (lpString="smss.exe") returned 8 [0066.812] lstrcmpiW (lpString1="wininit.exe", lpString2="dllhost.exe") returned 1 [0066.812] lstrlenW (lpString="dllhost.exe") returned 11 [0066.812] lstrcmpiW (lpString1="wininit.exe", lpString2="svchost.exe") returned 1 [0066.812] lstrlenW (lpString="svchost.exe") returned 11 [0066.812] lstrcmpiW (lpString1="wininit.exe", lpString2="csrss.exe") returned 1 [0066.812] lstrlenW (lpString="csrss.exe") returned 9 [0066.812] lstrcmpiW (lpString1="wininit.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0066.812] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0066.812] lstrcmpiW (lpString1="wininit.exe", lpString2="WebServices.exe") returned 1 [0066.812] lstrlenW (lpString="WebServices.exe") returned 15 [0066.812] lstrcmpiW (lpString1="wininit.exe", lpString2="cmd.exe") returned 1 [0066.812] lstrlenW (lpString="cmd.exe") returned 7 [0066.812] lstrcmpiW (lpString1="wininit.exe", lpString2="mstsc.exe") returned 1 [0066.812] lstrlenW (lpString="mstsc.exe") returned 9 [0066.812] lstrcmpiW (lpString1="wininit.exe", lpString2="find.exe") returned 1 [0066.812] lstrlenW (lpString="find.exe") returned 8 [0066.812] lstrcmpiW (lpString1="wininit.exe", lpString2="conhost.exe") returned 1 [0066.812] lstrlenW (lpString="conhost.exe") returned 11 [0066.812] lstrcmpiW (lpString1="wininit.exe", lpString2="explorer.exe") returned 1 [0066.812] lstrlenW (lpString="explorer.exe") returned 12 [0066.812] lstrcmpiW (lpString1="wininit.exe", lpString2="ctfmon.exe") returned 1 [0066.812] lstrlenW (lpString="ctfmon.exe") returned 10 [0066.812] lstrcmpiW (lpString1="wininit.exe", lpString2="lsass.exe") returned 1 [0066.812] lstrlenW (lpString="lsass.exe") returned 9 [0066.812] lstrcmpiW (lpString1="wininit.exe", lpString2="services.exe") returned 1 [0066.812] lstrlenW (lpString="services.exe") returned 12 [0066.813] lstrcmpiW (lpString1="wininit.exe", lpString2="tasklist.exe") returned 1 [0066.813] lstrlenW (lpString="tasklist.exe") returned 12 [0066.813] lstrcmpiW (lpString1="wininit.exe", lpString2="winlogon.exe") returned -1 [0066.813] lstrlenW (lpString="winlogon.exe") returned 12 [0066.813] lstrcmpiW (lpString1="wininit.exe", lpString2="wmiprvse.exe") returned -1 [0066.813] lstrlenW (lpString="wmiprvse.exe") returned 12 [0066.813] lstrcmpiW (lpString1="wininit.exe", lpString2="msdts.exe") returned 1 [0066.813] lstrlenW (lpString="msdts.exe") returned 9 [0066.813] lstrcmpiW (lpString1="wininit.exe", lpString2="bfsvc.exe") returned 1 [0066.813] lstrlenW (lpString="bfsvc.exe") returned 9 [0066.813] lstrcmpiW (lpString1="wininit.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0066.813] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0066.813] lstrcmpiW (lpString1="wininit.exe", lpString2="alg.exe") returned 1 [0066.813] lstrlenW (lpString="alg.exe") returned 7 [0066.813] lstrcmpiW (lpString1="wininit.exe", lpString2="dwm.exe") returned 1 [0066.813] lstrlenW (lpString="dwm.exe") returned 7 [0066.813] lstrcmpiW (lpString1="wininit.exe", lpString2="issch.exe") returned 1 [0066.813] lstrlenW (lpString="issch.exe") returned 9 [0066.813] lstrcmpiW (lpString1="wininit.exe", lpString2="rundll32.exe") returned 1 [0066.813] lstrlenW (lpString="rundll32.exe") returned 12 [0066.813] lstrcmpiW (lpString1="wininit.exe", lpString2="spoolsv.exe") returned 1 [0066.813] lstrlenW (lpString="spoolsv.exe") returned 11 [0066.813] lstrcmpiW (lpString1="wininit.exe", lpString2="wininit.exe") returned 0 [0066.813] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0066.813] lstrcmpiW (lpString1="csrss.exe", lpString2="[System process]") returned 1 [0066.814] lstrlenW (lpString="[System process]") returned 16 [0066.814] lstrcmpiW (lpString1="csrss.exe", lpString2="System") returned -1 [0066.814] lstrlenW (lpString="System") returned 6 [0066.814] lstrcmpiW (lpString1="csrss.exe", lpString2="smss.exe") returned -1 [0066.814] lstrlenW (lpString="smss.exe") returned 8 [0066.814] lstrcmpiW (lpString1="csrss.exe", lpString2="dllhost.exe") returned -1 [0066.814] lstrlenW (lpString="dllhost.exe") returned 11 [0066.814] lstrcmpiW (lpString1="csrss.exe", lpString2="svchost.exe") returned -1 [0066.814] lstrlenW (lpString="svchost.exe") returned 11 [0066.814] lstrcmpiW (lpString1="csrss.exe", lpString2="csrss.exe") returned 0 [0066.814] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0066.814] lstrcmpiW (lpString1="winlogon.exe", lpString2="[System process]") returned 1 [0066.814] lstrlenW (lpString="[System process]") returned 16 [0066.814] lstrcmpiW (lpString1="winlogon.exe", lpString2="System") returned 1 [0066.814] lstrlenW (lpString="System") returned 6 [0066.814] lstrcmpiW (lpString1="winlogon.exe", lpString2="smss.exe") returned 1 [0066.814] lstrlenW (lpString="smss.exe") returned 8 [0066.814] lstrcmpiW (lpString1="winlogon.exe", lpString2="dllhost.exe") returned 1 [0066.814] lstrlenW (lpString="dllhost.exe") returned 11 [0066.814] lstrcmpiW (lpString1="winlogon.exe", lpString2="svchost.exe") returned 1 [0066.814] lstrlenW (lpString="svchost.exe") returned 11 [0066.814] lstrcmpiW (lpString1="winlogon.exe", lpString2="csrss.exe") returned 1 [0066.814] lstrlenW (lpString="csrss.exe") returned 9 [0066.814] lstrcmpiW (lpString1="winlogon.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0066.814] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0066.815] lstrcmpiW (lpString1="winlogon.exe", lpString2="WebServices.exe") returned 1 [0066.815] lstrlenW (lpString="WebServices.exe") returned 15 [0066.815] lstrcmpiW (lpString1="winlogon.exe", lpString2="cmd.exe") returned 1 [0066.815] lstrlenW (lpString="cmd.exe") returned 7 [0066.815] lstrcmpiW (lpString1="winlogon.exe", lpString2="mstsc.exe") returned 1 [0066.815] lstrlenW (lpString="mstsc.exe") returned 9 [0066.815] lstrcmpiW (lpString1="winlogon.exe", lpString2="find.exe") returned 1 [0066.815] lstrlenW (lpString="find.exe") returned 8 [0066.815] lstrcmpiW (lpString1="winlogon.exe", lpString2="conhost.exe") returned 1 [0066.815] lstrlenW (lpString="conhost.exe") returned 11 [0066.815] lstrcmpiW (lpString1="winlogon.exe", lpString2="explorer.exe") returned 1 [0066.815] lstrlenW (lpString="explorer.exe") returned 12 [0066.815] lstrcmpiW (lpString1="winlogon.exe", lpString2="ctfmon.exe") returned 1 [0066.815] lstrlenW (lpString="ctfmon.exe") returned 10 [0066.815] lstrcmpiW (lpString1="winlogon.exe", lpString2="lsass.exe") returned 1 [0066.815] lstrlenW (lpString="lsass.exe") returned 9 [0066.815] lstrcmpiW (lpString1="winlogon.exe", lpString2="services.exe") returned 1 [0066.815] lstrlenW (lpString="services.exe") returned 12 [0066.815] lstrcmpiW (lpString1="winlogon.exe", lpString2="tasklist.exe") returned 1 [0066.815] lstrlenW (lpString="tasklist.exe") returned 12 [0066.815] lstrcmpiW (lpString1="winlogon.exe", lpString2="winlogon.exe") returned 0 [0066.815] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0066.815] lstrcmpiW (lpString1="services.exe", lpString2="[System process]") returned 1 [0066.815] lstrlenW (lpString="[System process]") returned 16 [0066.815] lstrcmpiW (lpString1="services.exe", lpString2="System") returned -1 [0066.816] lstrlenW (lpString="System") returned 6 [0066.816] lstrcmpiW (lpString1="services.exe", lpString2="smss.exe") returned -1 [0066.816] lstrlenW (lpString="smss.exe") returned 8 [0066.816] lstrcmpiW (lpString1="services.exe", lpString2="dllhost.exe") returned 1 [0066.816] lstrlenW (lpString="dllhost.exe") returned 11 [0066.816] lstrcmpiW (lpString1="services.exe", lpString2="svchost.exe") returned -1 [0066.816] lstrlenW (lpString="svchost.exe") returned 11 [0066.816] lstrcmpiW (lpString1="services.exe", lpString2="csrss.exe") returned 1 [0066.816] lstrlenW (lpString="csrss.exe") returned 9 [0066.816] lstrcmpiW (lpString1="services.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0066.816] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0066.816] lstrcmpiW (lpString1="services.exe", lpString2="WebServices.exe") returned -1 [0066.816] lstrlenW (lpString="WebServices.exe") returned 15 [0066.816] lstrcmpiW (lpString1="services.exe", lpString2="cmd.exe") returned 1 [0066.816] lstrlenW (lpString="cmd.exe") returned 7 [0066.816] lstrcmpiW (lpString1="services.exe", lpString2="mstsc.exe") returned 1 [0066.816] lstrlenW (lpString="mstsc.exe") returned 9 [0066.816] lstrcmpiW (lpString1="services.exe", lpString2="find.exe") returned 1 [0066.816] lstrlenW (lpString="find.exe") returned 8 [0066.816] lstrcmpiW (lpString1="services.exe", lpString2="conhost.exe") returned 1 [0066.816] lstrlenW (lpString="conhost.exe") returned 11 [0066.816] lstrcmpiW (lpString1="services.exe", lpString2="explorer.exe") returned 1 [0066.816] lstrlenW (lpString="explorer.exe") returned 12 [0066.816] lstrcmpiW (lpString1="services.exe", lpString2="ctfmon.exe") returned 1 [0066.816] lstrlenW (lpString="ctfmon.exe") returned 10 [0066.816] lstrcmpiW (lpString1="services.exe", lpString2="lsass.exe") returned 1 [0066.816] lstrlenW (lpString="lsass.exe") returned 9 [0066.816] lstrcmpiW (lpString1="services.exe", lpString2="services.exe") returned 0 [0066.816] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0066.817] lstrcmpiW (lpString1="lsass.exe", lpString2="[System process]") returned 1 [0066.817] lstrlenW (lpString="[System process]") returned 16 [0066.817] lstrcmpiW (lpString1="lsass.exe", lpString2="System") returned -1 [0066.817] lstrlenW (lpString="System") returned 6 [0066.817] lstrcmpiW (lpString1="lsass.exe", lpString2="smss.exe") returned -1 [0066.817] lstrlenW (lpString="smss.exe") returned 8 [0066.817] lstrcmpiW (lpString1="lsass.exe", lpString2="dllhost.exe") returned 1 [0066.817] lstrlenW (lpString="dllhost.exe") returned 11 [0066.817] lstrcmpiW (lpString1="lsass.exe", lpString2="svchost.exe") returned -1 [0066.817] lstrlenW (lpString="svchost.exe") returned 11 [0066.817] lstrcmpiW (lpString1="lsass.exe", lpString2="csrss.exe") returned 1 [0066.817] lstrlenW (lpString="csrss.exe") returned 9 [0066.817] lstrcmpiW (lpString1="lsass.exe", lpString2="Microsoft.ActiveDirectory") returned -1 [0066.817] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0066.817] lstrcmpiW (lpString1="lsass.exe", lpString2="WebServices.exe") returned -1 [0066.817] lstrlenW (lpString="WebServices.exe") returned 15 [0066.817] lstrcmpiW (lpString1="lsass.exe", lpString2="cmd.exe") returned 1 [0066.817] lstrlenW (lpString="cmd.exe") returned 7 [0066.817] lstrcmpiW (lpString1="lsass.exe", lpString2="mstsc.exe") returned -1 [0066.817] lstrlenW (lpString="mstsc.exe") returned 9 [0066.817] lstrcmpiW (lpString1="lsass.exe", lpString2="find.exe") returned 1 [0066.817] lstrlenW (lpString="find.exe") returned 8 [0066.817] lstrcmpiW (lpString1="lsass.exe", lpString2="conhost.exe") returned 1 [0066.817] lstrlenW (lpString="conhost.exe") returned 11 [0066.817] lstrcmpiW (lpString1="lsass.exe", lpString2="explorer.exe") returned 1 [0066.817] lstrlenW (lpString="explorer.exe") returned 12 [0066.817] lstrcmpiW (lpString1="lsass.exe", lpString2="ctfmon.exe") returned 1 [0066.817] lstrlenW (lpString="ctfmon.exe") returned 10 [0066.817] lstrcmpiW (lpString1="lsass.exe", lpString2="lsass.exe") returned 0 [0066.817] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.818] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0066.818] lstrlenW (lpString="[System process]") returned 16 [0066.818] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0066.818] lstrlenW (lpString="System") returned 6 [0066.818] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0066.818] lstrlenW (lpString="smss.exe") returned 8 [0066.818] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0066.818] lstrlenW (lpString="dllhost.exe") returned 11 [0066.818] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0066.818] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.819] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0066.819] lstrlenW (lpString="[System process]") returned 16 [0066.819] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0066.819] lstrlenW (lpString="System") returned 6 [0066.819] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0066.819] lstrlenW (lpString="smss.exe") returned 8 [0066.819] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0066.819] lstrlenW (lpString="dllhost.exe") returned 11 [0066.819] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0066.819] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0066.820] lstrcmpiW (lpString1="dwm.exe", lpString2="[System process]") returned 1 [0066.820] lstrlenW (lpString="[System process]") returned 16 [0066.820] lstrcmpiW (lpString1="dwm.exe", lpString2="System") returned -1 [0066.820] lstrlenW (lpString="System") returned 6 [0066.820] lstrcmpiW (lpString1="dwm.exe", lpString2="smss.exe") returned -1 [0066.820] lstrlenW (lpString="smss.exe") returned 8 [0066.820] lstrcmpiW (lpString1="dwm.exe", lpString2="dllhost.exe") returned 1 [0066.820] lstrlenW (lpString="dllhost.exe") returned 11 [0066.820] lstrcmpiW (lpString1="dwm.exe", lpString2="svchost.exe") returned -1 [0066.820] lstrlenW (lpString="svchost.exe") returned 11 [0066.820] lstrcmpiW (lpString1="dwm.exe", lpString2="csrss.exe") returned 1 [0066.820] lstrlenW (lpString="csrss.exe") returned 9 [0066.820] lstrcmpiW (lpString1="dwm.exe", lpString2="Microsoft.ActiveDirectory") returned -1 [0066.820] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0066.820] lstrcmpiW (lpString1="dwm.exe", lpString2="WebServices.exe") returned -1 [0066.820] lstrlenW (lpString="WebServices.exe") returned 15 [0066.820] lstrcmpiW (lpString1="dwm.exe", lpString2="cmd.exe") returned 1 [0066.820] lstrlenW (lpString="cmd.exe") returned 7 [0066.820] lstrcmpiW (lpString1="dwm.exe", lpString2="mstsc.exe") returned -1 [0066.820] lstrlenW (lpString="mstsc.exe") returned 9 [0066.820] lstrcmpiW (lpString1="dwm.exe", lpString2="find.exe") returned -1 [0066.821] lstrlenW (lpString="find.exe") returned 8 [0066.821] lstrcmpiW (lpString1="dwm.exe", lpString2="conhost.exe") returned 1 [0066.821] lstrlenW (lpString="conhost.exe") returned 11 [0066.821] lstrcmpiW (lpString1="dwm.exe", lpString2="explorer.exe") returned -1 [0066.821] lstrlenW (lpString="explorer.exe") returned 12 [0066.821] lstrcmpiW (lpString1="dwm.exe", lpString2="ctfmon.exe") returned 1 [0066.821] lstrlenW (lpString="ctfmon.exe") returned 10 [0066.821] lstrcmpiW (lpString1="dwm.exe", lpString2="lsass.exe") returned -1 [0066.821] lstrlenW (lpString="lsass.exe") returned 9 [0066.821] lstrcmpiW (lpString1="dwm.exe", lpString2="services.exe") returned -1 [0066.821] lstrlenW (lpString="services.exe") returned 12 [0066.821] lstrcmpiW (lpString1="dwm.exe", lpString2="tasklist.exe") returned -1 [0066.821] lstrlenW (lpString="tasklist.exe") returned 12 [0066.821] lstrcmpiW (lpString1="dwm.exe", lpString2="winlogon.exe") returned -1 [0066.821] lstrlenW (lpString="winlogon.exe") returned 12 [0066.821] lstrcmpiW (lpString1="dwm.exe", lpString2="wmiprvse.exe") returned -1 [0066.821] lstrlenW (lpString="wmiprvse.exe") returned 12 [0066.821] lstrcmpiW (lpString1="dwm.exe", lpString2="msdts.exe") returned -1 [0066.821] lstrlenW (lpString="msdts.exe") returned 9 [0066.821] lstrcmpiW (lpString1="dwm.exe", lpString2="bfsvc.exe") returned 1 [0066.821] lstrlenW (lpString="bfsvc.exe") returned 9 [0066.821] lstrcmpiW (lpString1="dwm.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0066.821] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0066.821] lstrcmpiW (lpString1="dwm.exe", lpString2="alg.exe") returned 1 [0066.821] lstrlenW (lpString="alg.exe") returned 7 [0066.821] lstrcmpiW (lpString1="dwm.exe", lpString2="dwm.exe") returned 0 [0066.821] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.824] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0066.824] lstrlenW (lpString="[System process]") returned 16 [0066.824] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0066.825] lstrlenW (lpString="System") returned 6 [0066.825] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0066.825] lstrlenW (lpString="smss.exe") returned 8 [0066.825] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0066.825] lstrlenW (lpString="dllhost.exe") returned 11 [0066.825] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0066.825] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.825] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0066.825] lstrlenW (lpString="[System process]") returned 16 [0066.826] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0066.826] lstrlenW (lpString="System") returned 6 [0066.826] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0066.826] lstrlenW (lpString="smss.exe") returned 8 [0066.826] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0066.826] lstrlenW (lpString="dllhost.exe") returned 11 [0066.826] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0066.826] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.826] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0066.826] lstrlenW (lpString="[System process]") returned 16 [0066.827] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0066.827] lstrlenW (lpString="System") returned 6 [0066.827] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0066.827] lstrlenW (lpString="smss.exe") returned 8 [0066.827] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0066.827] lstrlenW (lpString="dllhost.exe") returned 11 [0066.827] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0066.827] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.827] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0066.827] lstrlenW (lpString="[System process]") returned 16 [0066.828] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0066.828] lstrlenW (lpString="System") returned 6 [0066.828] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0066.828] lstrlenW (lpString="smss.exe") returned 8 [0066.828] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0066.828] lstrlenW (lpString="dllhost.exe") returned 11 [0066.828] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0066.828] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.828] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0066.828] lstrlenW (lpString="[System process]") returned 16 [0066.828] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0066.829] lstrlenW (lpString="System") returned 6 [0066.829] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0066.829] lstrlenW (lpString="smss.exe") returned 8 [0066.829] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0066.829] lstrlenW (lpString="dllhost.exe") returned 11 [0066.829] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0066.829] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.829] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0066.829] lstrlenW (lpString="[System process]") returned 16 [0066.829] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0066.829] lstrlenW (lpString="System") returned 6 [0066.830] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0066.830] lstrlenW (lpString="smss.exe") returned 8 [0066.830] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0066.830] lstrlenW (lpString="dllhost.exe") returned 11 [0066.830] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0066.830] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0066.830] lstrcmpiW (lpString1="spoolsv.exe", lpString2="[System process]") returned 1 [0066.830] lstrlenW (lpString="[System process]") returned 16 [0066.830] lstrcmpiW (lpString1="spoolsv.exe", lpString2="System") returned -1 [0066.830] lstrlenW (lpString="System") returned 6 [0066.830] lstrcmpiW (lpString1="spoolsv.exe", lpString2="smss.exe") returned 1 [0066.831] lstrlenW (lpString="smss.exe") returned 8 [0066.831] lstrcmpiW (lpString1="spoolsv.exe", lpString2="dllhost.exe") returned 1 [0066.831] lstrlenW (lpString="dllhost.exe") returned 11 [0066.831] lstrcmpiW (lpString1="spoolsv.exe", lpString2="svchost.exe") returned -1 [0066.831] lstrlenW (lpString="svchost.exe") returned 11 [0066.831] lstrcmpiW (lpString1="spoolsv.exe", lpString2="csrss.exe") returned 1 [0066.831] lstrlenW (lpString="csrss.exe") returned 9 [0066.831] lstrcmpiW (lpString1="spoolsv.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0066.831] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0066.831] lstrcmpiW (lpString1="spoolsv.exe", lpString2="WebServices.exe") returned -1 [0066.831] lstrlenW (lpString="WebServices.exe") returned 15 [0066.831] lstrcmpiW (lpString1="spoolsv.exe", lpString2="cmd.exe") returned 1 [0066.831] lstrlenW (lpString="cmd.exe") returned 7 [0066.831] lstrcmpiW (lpString1="spoolsv.exe", lpString2="mstsc.exe") returned 1 [0066.831] lstrlenW (lpString="mstsc.exe") returned 9 [0066.831] lstrcmpiW (lpString1="spoolsv.exe", lpString2="find.exe") returned 1 [0066.831] lstrlenW (lpString="find.exe") returned 8 [0066.831] lstrcmpiW (lpString1="spoolsv.exe", lpString2="conhost.exe") returned 1 [0066.831] lstrlenW (lpString="conhost.exe") returned 11 [0066.831] lstrcmpiW (lpString1="spoolsv.exe", lpString2="explorer.exe") returned 1 [0066.831] lstrlenW (lpString="explorer.exe") returned 12 [0066.831] lstrcmpiW (lpString1="spoolsv.exe", lpString2="ctfmon.exe") returned 1 [0066.831] lstrlenW (lpString="ctfmon.exe") returned 10 [0066.831] lstrcmpiW (lpString1="spoolsv.exe", lpString2="lsass.exe") returned 1 [0066.831] lstrlenW (lpString="lsass.exe") returned 9 [0066.831] lstrcmpiW (lpString1="spoolsv.exe", lpString2="services.exe") returned 1 [0066.831] lstrlenW (lpString="services.exe") returned 12 [0066.831] lstrcmpiW (lpString1="spoolsv.exe", lpString2="tasklist.exe") returned -1 [0066.831] lstrlenW (lpString="tasklist.exe") returned 12 [0066.831] lstrcmpiW (lpString1="spoolsv.exe", lpString2="winlogon.exe") returned -1 [0066.831] lstrlenW (lpString="winlogon.exe") returned 12 [0066.831] lstrcmpiW (lpString1="spoolsv.exe", lpString2="wmiprvse.exe") returned -1 [0066.831] lstrlenW (lpString="wmiprvse.exe") returned 12 [0066.831] lstrcmpiW (lpString1="spoolsv.exe", lpString2="msdts.exe") returned 1 [0066.831] lstrlenW (lpString="msdts.exe") returned 9 [0066.832] lstrcmpiW (lpString1="spoolsv.exe", lpString2="bfsvc.exe") returned 1 [0066.832] lstrlenW (lpString="bfsvc.exe") returned 9 [0066.832] lstrcmpiW (lpString1="spoolsv.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0066.832] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0066.832] lstrcmpiW (lpString1="spoolsv.exe", lpString2="alg.exe") returned 1 [0066.832] lstrlenW (lpString="alg.exe") returned 7 [0066.832] lstrcmpiW (lpString1="spoolsv.exe", lpString2="dwm.exe") returned 1 [0066.832] lstrlenW (lpString="dwm.exe") returned 7 [0066.832] lstrcmpiW (lpString1="spoolsv.exe", lpString2="issch.exe") returned 1 [0066.832] lstrlenW (lpString="issch.exe") returned 9 [0066.832] lstrcmpiW (lpString1="spoolsv.exe", lpString2="rundll32.exe") returned 1 [0066.832] lstrlenW (lpString="rundll32.exe") returned 12 [0066.832] lstrcmpiW (lpString1="spoolsv.exe", lpString2="spoolsv.exe") returned 0 [0066.832] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.833] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0066.833] lstrlenW (lpString="[System process]") returned 16 [0066.833] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0066.833] lstrlenW (lpString="System") returned 6 [0066.833] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0066.833] lstrlenW (lpString="smss.exe") returned 8 [0066.833] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0066.833] lstrlenW (lpString="dllhost.exe") returned 11 [0066.833] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0066.833] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.834] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0066.834] lstrlenW (lpString="[System process]") returned 16 [0066.834] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0066.834] lstrlenW (lpString="System") returned 6 [0066.834] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0066.834] lstrlenW (lpString="smss.exe") returned 8 [0066.834] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0066.834] lstrlenW (lpString="dllhost.exe") returned 11 [0066.834] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0066.834] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0066.835] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="[System process]") returned 1 [0066.835] lstrlenW (lpString="[System process]") returned 16 [0066.835] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="System") returned -1 [0066.835] lstrlenW (lpString="System") returned 6 [0066.835] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="smss.exe") returned -1 [0066.835] lstrlenW (lpString="smss.exe") returned 8 [0066.836] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="dllhost.exe") returned 1 [0066.836] lstrlenW (lpString="dllhost.exe") returned 11 [0066.836] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="svchost.exe") returned -1 [0066.836] lstrlenW (lpString="svchost.exe") returned 11 [0066.836] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="csrss.exe") returned 1 [0066.836] lstrlenW (lpString="csrss.exe") returned 9 [0066.836] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0066.836] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0066.836] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="WebServices.exe") returned -1 [0066.836] lstrlenW (lpString="WebServices.exe") returned 15 [0066.836] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="cmd.exe") returned 1 [0066.836] lstrlenW (lpString="cmd.exe") returned 7 [0066.836] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="mstsc.exe") returned 1 [0066.836] lstrlenW (lpString="mstsc.exe") returned 9 [0066.836] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="find.exe") returned 1 [0066.836] lstrlenW (lpString="find.exe") returned 8 [0066.836] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="conhost.exe") returned 1 [0066.836] lstrlenW (lpString="conhost.exe") returned 11 [0066.836] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="explorer.exe") returned 1 [0066.836] lstrlenW (lpString="explorer.exe") returned 12 [0066.836] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="ctfmon.exe") returned 1 [0066.836] lstrlenW (lpString="ctfmon.exe") returned 10 [0066.836] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="lsass.exe") returned 1 [0066.836] lstrlenW (lpString="lsass.exe") returned 9 [0066.836] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="services.exe") returned -1 [0066.836] lstrlenW (lpString="services.exe") returned 12 [0066.836] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="tasklist.exe") returned -1 [0066.836] lstrlenW (lpString="tasklist.exe") returned 12 [0066.836] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="winlogon.exe") returned -1 [0066.836] lstrlenW (lpString="winlogon.exe") returned 12 [0066.836] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="wmiprvse.exe") returned -1 [0066.836] lstrlenW (lpString="wmiprvse.exe") returned 12 [0066.836] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="msdts.exe") returned 1 [0066.836] lstrlenW (lpString="msdts.exe") returned 9 [0066.836] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="bfsvc.exe") returned 1 [0066.836] lstrlenW (lpString="bfsvc.exe") returned 9 [0066.837] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0066.837] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0066.837] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="alg.exe") returned 1 [0066.837] lstrlenW (lpString="alg.exe") returned 7 [0066.837] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="dwm.exe") returned 1 [0066.837] lstrlenW (lpString="dwm.exe") returned 7 [0066.837] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="issch.exe") returned 1 [0066.837] lstrlenW (lpString="issch.exe") returned 9 [0066.837] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="rundll32.exe") returned -1 [0066.837] lstrlenW (lpString="rundll32.exe") returned 12 [0066.837] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="spoolsv.exe") returned -1 [0066.837] lstrlenW (lpString="spoolsv.exe") returned 11 [0066.837] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="wininit.exe") returned -1 [0066.837] lstrlenW (lpString="wininit.exe") returned 11 [0066.837] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="wmiprvse.exe") returned -1 [0066.837] lstrlenW (lpString="wmiprvse.exe") returned 12 [0066.837] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="wudfhost.exe") returned -1 [0066.837] lstrlenW (lpString="wudfhost.exe") returned 12 [0066.837] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="taskmgr.exe") returned -1 [0066.837] lstrlenW (lpString="taskmgr.exe") returned 11 [0066.837] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="rdpclip.exe") returned -1 [0066.837] lstrlenW (lpString="rdpclip.exe") returned 11 [0066.837] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="logonui.exe") returned 1 [0066.837] lstrlenW (lpString="logonui.exe") returned 11 [0066.837] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="lsm.exe") returned 1 [0066.837] lstrlenW (lpString="lsm.exe") returned 7 [0066.837] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="searchui.exe") returned -1 [0066.837] lstrlenW (lpString="searchui.exe") returned 12 [0066.837] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="searchindexer.exe") returned -1 [0066.837] lstrlenW (lpString="searchindexer.exe") returned 17 [0066.837] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="processhacker.exe") returned -1 [0066.837] lstrlenW (lpString="processhacker.exe") returned 17 [0066.837] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="getpassvord_x64.exe") returned 1 [0066.837] lstrlenW (lpString="getpassvord_x64.exe") returned 19 [0066.837] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="64.exe") returned 1 [0066.837] lstrlenW (lpString="64.exe") returned 6 [0066.838] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="32.exe") returned 1 [0066.838] lstrlenW (lpString="32.exe") returned 6 [0066.838] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="mshta.exe") returned 1 [0066.838] lstrlenW (lpString="mshta.exe") returned 9 [0066.838] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="fontdrvhost.exe") returned 1 [0066.838] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0066.838] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="sihost.exe") returned -1 [0066.838] lstrlenW (lpString="sihost.exe") returned 10 [0066.838] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="pscan24.exe") returned -1 [0066.838] lstrlenW (lpString="pscan24.exe") returned 11 [0066.838] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="advanced_port_scanner.exe") returned 1 [0066.838] lstrlenW (lpString="advanced_port_scanner.exe") returned 25 [0066.838] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="advanced_port_scanner_console.exe") returned 1 [0066.838] lstrlenW (lpString="advanced_port_scanner_console.exe") returned 33 [0066.838] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="pscan24.tmp") returned -1 [0066.838] lstrlenW (lpString="pscan24.tmp") returned 11 [0066.838] lstrcmpiW (lpString1="OfficeClickToRun.exe", lpString2="dfssvc.exe") returned 1 [0066.838] lstrlenW (lpString="dfssvc.exe") returned 10 [0066.838] GetCurrentProcessId () returned 0xfd8 [0066.838] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x4c4) returned 0x1b8 [0066.838] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0066.881] CloseHandle (hObject=0x1b8) returned 1 [0066.881] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.882] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0066.882] lstrlenW (lpString="[System process]") returned 16 [0066.882] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0066.882] lstrlenW (lpString="System") returned 6 [0066.882] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0066.882] lstrlenW (lpString="smss.exe") returned 8 [0066.882] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0066.882] lstrlenW (lpString="dllhost.exe") returned 11 [0066.882] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0066.882] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0066.883] lstrlenW (lpString="[System process]") returned 16 [0066.883] lstrlenW (lpString="System") returned 6 [0066.883] lstrlenW (lpString="smss.exe") returned 8 [0066.883] lstrlenW (lpString="dllhost.exe") returned 11 [0066.883] lstrlenW (lpString="svchost.exe") returned 11 [0066.883] lstrlenW (lpString="csrss.exe") returned 9 [0066.883] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0066.883] lstrlenW (lpString="WebServices.exe") returned 15 [0066.883] lstrlenW (lpString="cmd.exe") returned 7 [0066.883] lstrlenW (lpString="mstsc.exe") returned 9 [0066.883] lstrlenW (lpString="find.exe") returned 8 [0066.883] lstrlenW (lpString="conhost.exe") returned 11 [0066.883] lstrlenW (lpString="explorer.exe") returned 12 [0066.883] lstrlenW (lpString="ctfmon.exe") returned 10 [0066.883] lstrlenW (lpString="lsass.exe") returned 9 [0066.883] lstrlenW (lpString="services.exe") returned 12 [0066.883] lstrlenW (lpString="tasklist.exe") returned 12 [0066.883] lstrlenW (lpString="winlogon.exe") returned 12 [0066.883] lstrlenW (lpString="wmiprvse.exe") returned 12 [0066.883] lstrlenW (lpString="msdts.exe") returned 9 [0066.883] lstrlenW (lpString="bfsvc.exe") returned 9 [0066.883] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0066.884] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x77c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0066.884] GetCurrentProcessId () returned 0xfd8 [0066.884] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x77c) returned 0x1b8 [0066.884] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0066.947] CloseHandle (hObject=0x1b8) returned 1 [0066.947] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0066.947] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0066.949] GetCurrentProcessId () returned 0xfd8 [0066.949] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x7f8) returned 0x1b8 [0066.949] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0066.950] CloseHandle (hObject=0x1b8) returned 1 [0066.950] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0066.951] GetCurrentProcessId () returned 0xfd8 [0066.951] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x980) returned 0x1b8 [0066.951] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0066.965] CloseHandle (hObject=0x1b8) returned 1 [0066.965] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0066.966] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0066.967] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x88c) returned 0x1b8 [0066.967] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0066.967] CloseHandle (hObject=0x1b8) returned 1 [0066.967] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0066.968] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x2e4) returned 0x1b8 [0066.968] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0066.969] CloseHandle (hObject=0x1b8) returned 1 [0066.969] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="commands.exe")) returned 1 [0066.970] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x8a8) returned 0x1b8 [0066.970] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0066.972] CloseHandle (hObject=0x1b8) returned 1 [0066.972] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="limousines.exe")) returned 1 [0066.973] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xec) returned 0x1b8 [0066.973] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0066.975] CloseHandle (hObject=0x1b8) returned 1 [0066.975] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="orders oxide shift.exe")) returned 1 [0066.976] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x1a4) returned 0x1b8 [0066.976] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0066.979] CloseHandle (hObject=0x1b8) returned 1 [0066.979] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x270, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pump.exe")) returned 1 [0066.980] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x270) returned 0x1b8 [0066.980] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0066.982] CloseHandle (hObject=0x1b8) returned 1 [0066.982] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x278, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="charity.exe")) returned 1 [0066.982] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x278) returned 0x1b8 [0066.982] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0066.984] CloseHandle (hObject=0x1b8) returned 1 [0066.984] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="runtime recommendation.exe")) returned 1 [0066.985] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x504) returned 0x1b8 [0066.985] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0066.987] CloseHandle (hObject=0x1b8) returned 1 [0066.987] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="collecting_vb_les.exe")) returned 1 [0066.988] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x9ec) returned 0x1b8 [0066.988] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0066.990] CloseHandle (hObject=0x1b8) returned 1 [0066.990] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lined-tex.exe")) returned 1 [0066.990] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xa8c) returned 0x1b8 [0066.990] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0066.992] CloseHandle (hObject=0x1b8) returned 1 [0066.992] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lowest forwarding sitemap.exe")) returned 1 [0066.993] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xa60) returned 0x1b8 [0066.993] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0066.993] CloseHandle (hObject=0x1b8) returned 1 [0066.993] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="flavor.exe")) returned 1 [0066.994] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x4b8) returned 0x1b8 [0066.994] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0066.994] CloseHandle (hObject=0x1b8) returned 1 [0066.994] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x888, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="freeware.exe")) returned 1 [0066.994] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x888) returned 0x1b8 [0066.995] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0066.995] CloseHandle (hObject=0x1b8) returned 1 [0066.995] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="kg_tools_them.exe")) returned 1 [0066.996] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xa50) returned 0x1b8 [0066.996] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0066.996] CloseHandle (hObject=0x1b8) returned 1 [0066.996] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="affected.exe")) returned 1 [0066.997] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x8c4) returned 0x1b8 [0066.997] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0066.997] CloseHandle (hObject=0x1b8) returned 1 [0066.997] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tr_wireless.exe")) returned 1 [0066.998] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xa68) returned 0x1b8 [0066.998] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0066.998] CloseHandle (hObject=0x1b8) returned 1 [0066.998] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="just_instant_bulgaria.exe")) returned 1 [0066.999] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x15c) returned 0x1b8 [0066.999] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0066.999] CloseHandle (hObject=0x1b8) returned 1 [0066.999] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="extensiveadvertisement.exe")) returned 1 [0067.000] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xb3c) returned 0x1b8 [0067.000] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0067.001] CloseHandle (hObject=0x1b8) returned 1 [0067.001] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="semiconductor phys.exe")) returned 1 [0067.001] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xa70) returned 0x1b8 [0067.001] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0067.008] CloseHandle (hObject=0x1b8) returned 1 [0067.008] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reveal_medicare_ebay.exe")) returned 1 [0067.009] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xad4) returned 0x1b8 [0067.009] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0067.012] CloseHandle (hObject=0x1b8) returned 1 [0067.012] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="slightly.exe")) returned 1 [0067.013] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x52c) returned 0x1b8 [0067.013] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0067.126] CloseHandle (hObject=0x1b8) returned 1 [0067.126] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0067.127] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.128] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0067.128] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xf08) returned 0x1b8 [0067.128] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0067.129] CloseHandle (hObject=0x1b8) returned 1 [0067.129] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="CRYPT.EXE")) returned 1 [0067.130] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.130] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0067.131] CloseHandle (hObject=0x1dc) returned 1 [0067.131] Sleep (dwMilliseconds=0x3e8) [0068.329] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1dc [0068.335] Process32FirstW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0068.336] lstrcmpiW (lpString1="[System Process]", lpString2="[System process]") returned 0 [0068.336] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0068.337] lstrcmpiW (lpString1="System", lpString2="[System process]") returned 1 [0068.337] lstrlenW (lpString="[System process]") returned 16 [0068.337] lstrcmpiW (lpString1="System", lpString2="System") returned 0 [0068.337] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0068.337] lstrcmpiW (lpString1="smss.exe", lpString2="[System process]") returned 1 [0068.337] lstrlenW (lpString="[System process]") returned 16 [0068.337] lstrcmpiW (lpString1="smss.exe", lpString2="System") returned -1 [0068.337] lstrlenW (lpString="System") returned 6 [0068.337] lstrcmpiW (lpString1="smss.exe", lpString2="smss.exe") returned 0 [0068.337] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0068.338] lstrcmpiW (lpString1="csrss.exe", lpString2="[System process]") returned 1 [0068.338] lstrlenW (lpString="[System process]") returned 16 [0068.338] lstrcmpiW (lpString1="csrss.exe", lpString2="System") returned -1 [0068.338] lstrlenW (lpString="System") returned 6 [0068.338] lstrcmpiW (lpString1="csrss.exe", lpString2="smss.exe") returned -1 [0068.338] lstrlenW (lpString="smss.exe") returned 8 [0068.338] lstrcmpiW (lpString1="csrss.exe", lpString2="dllhost.exe") returned -1 [0068.338] lstrlenW (lpString="dllhost.exe") returned 11 [0068.338] lstrcmpiW (lpString1="csrss.exe", lpString2="svchost.exe") returned -1 [0068.338] lstrlenW (lpString="svchost.exe") returned 11 [0068.338] lstrcmpiW (lpString1="csrss.exe", lpString2="csrss.exe") returned 0 [0068.339] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0068.339] lstrcmpiW (lpString1="wininit.exe", lpString2="[System process]") returned 1 [0068.339] lstrlenW (lpString="[System process]") returned 16 [0068.339] lstrcmpiW (lpString1="wininit.exe", lpString2="System") returned 1 [0068.339] lstrlenW (lpString="System") returned 6 [0068.339] lstrcmpiW (lpString1="wininit.exe", lpString2="smss.exe") returned 1 [0068.339] lstrlenW (lpString="smss.exe") returned 8 [0068.339] lstrcmpiW (lpString1="wininit.exe", lpString2="dllhost.exe") returned 1 [0068.339] lstrlenW (lpString="dllhost.exe") returned 11 [0068.339] lstrcmpiW (lpString1="wininit.exe", lpString2="svchost.exe") returned 1 [0068.339] lstrlenW (lpString="svchost.exe") returned 11 [0068.339] lstrcmpiW (lpString1="wininit.exe", lpString2="csrss.exe") returned 1 [0068.339] lstrlenW (lpString="csrss.exe") returned 9 [0068.339] lstrcmpiW (lpString1="wininit.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0068.339] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0068.339] lstrcmpiW (lpString1="wininit.exe", lpString2="WebServices.exe") returned 1 [0068.340] lstrlenW (lpString="WebServices.exe") returned 15 [0068.340] lstrcmpiW (lpString1="wininit.exe", lpString2="cmd.exe") returned 1 [0068.340] lstrlenW (lpString="cmd.exe") returned 7 [0068.340] lstrcmpiW (lpString1="wininit.exe", lpString2="mstsc.exe") returned 1 [0068.340] lstrlenW (lpString="mstsc.exe") returned 9 [0068.340] lstrcmpiW (lpString1="wininit.exe", lpString2="find.exe") returned 1 [0068.340] lstrlenW (lpString="find.exe") returned 8 [0068.340] lstrcmpiW (lpString1="wininit.exe", lpString2="conhost.exe") returned 1 [0068.340] lstrlenW (lpString="conhost.exe") returned 11 [0068.340] lstrcmpiW (lpString1="wininit.exe", lpString2="explorer.exe") returned 1 [0068.340] lstrlenW (lpString="explorer.exe") returned 12 [0068.340] lstrcmpiW (lpString1="wininit.exe", lpString2="ctfmon.exe") returned 1 [0068.340] lstrlenW (lpString="ctfmon.exe") returned 10 [0068.340] lstrcmpiW (lpString1="wininit.exe", lpString2="lsass.exe") returned 1 [0068.340] lstrlenW (lpString="lsass.exe") returned 9 [0068.340] lstrcmpiW (lpString1="wininit.exe", lpString2="services.exe") returned 1 [0068.340] lstrlenW (lpString="services.exe") returned 12 [0068.340] lstrcmpiW (lpString1="wininit.exe", lpString2="tasklist.exe") returned 1 [0068.340] lstrlenW (lpString="tasklist.exe") returned 12 [0068.340] lstrcmpiW (lpString1="wininit.exe", lpString2="winlogon.exe") returned -1 [0068.340] lstrlenW (lpString="winlogon.exe") returned 12 [0068.340] lstrcmpiW (lpString1="wininit.exe", lpString2="wmiprvse.exe") returned -1 [0068.340] lstrlenW (lpString="wmiprvse.exe") returned 12 [0068.340] lstrcmpiW (lpString1="wininit.exe", lpString2="msdts.exe") returned 1 [0068.340] lstrlenW (lpString="msdts.exe") returned 9 [0068.340] lstrcmpiW (lpString1="wininit.exe", lpString2="bfsvc.exe") returned 1 [0068.340] lstrlenW (lpString="bfsvc.exe") returned 9 [0068.340] lstrcmpiW (lpString1="wininit.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0068.340] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0068.340] lstrcmpiW (lpString1="wininit.exe", lpString2="alg.exe") returned 1 [0068.340] lstrlenW (lpString="alg.exe") returned 7 [0068.340] lstrcmpiW (lpString1="wininit.exe", lpString2="dwm.exe") returned 1 [0068.340] lstrlenW (lpString="dwm.exe") returned 7 [0068.340] lstrcmpiW (lpString1="wininit.exe", lpString2="issch.exe") returned 1 [0068.340] lstrlenW (lpString="issch.exe") returned 9 [0068.340] lstrcmpiW (lpString1="wininit.exe", lpString2="rundll32.exe") returned 1 [0068.340] lstrlenW (lpString="rundll32.exe") returned 12 [0068.340] lstrcmpiW (lpString1="wininit.exe", lpString2="spoolsv.exe") returned 1 [0068.340] lstrlenW (lpString="spoolsv.exe") returned 11 [0068.341] lstrcmpiW (lpString1="wininit.exe", lpString2="wininit.exe") returned 0 [0068.341] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0068.341] lstrcmpiW (lpString1="csrss.exe", lpString2="[System process]") returned 1 [0068.341] lstrlenW (lpString="[System process]") returned 16 [0068.341] lstrcmpiW (lpString1="csrss.exe", lpString2="System") returned -1 [0068.341] lstrlenW (lpString="System") returned 6 [0068.341] lstrcmpiW (lpString1="csrss.exe", lpString2="smss.exe") returned -1 [0068.341] lstrlenW (lpString="smss.exe") returned 8 [0068.341] lstrcmpiW (lpString1="csrss.exe", lpString2="dllhost.exe") returned -1 [0068.341] lstrlenW (lpString="dllhost.exe") returned 11 [0068.341] lstrcmpiW (lpString1="csrss.exe", lpString2="svchost.exe") returned -1 [0068.341] lstrlenW (lpString="svchost.exe") returned 11 [0068.341] lstrcmpiW (lpString1="csrss.exe", lpString2="csrss.exe") returned 0 [0068.341] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0068.342] lstrcmpiW (lpString1="winlogon.exe", lpString2="[System process]") returned 1 [0068.342] lstrlenW (lpString="[System process]") returned 16 [0068.342] lstrcmpiW (lpString1="winlogon.exe", lpString2="System") returned 1 [0068.342] lstrlenW (lpString="System") returned 6 [0068.342] lstrcmpiW (lpString1="winlogon.exe", lpString2="smss.exe") returned 1 [0068.342] lstrlenW (lpString="smss.exe") returned 8 [0068.342] lstrcmpiW (lpString1="winlogon.exe", lpString2="dllhost.exe") returned 1 [0068.342] lstrlenW (lpString="dllhost.exe") returned 11 [0068.342] lstrcmpiW (lpString1="winlogon.exe", lpString2="svchost.exe") returned 1 [0068.342] lstrlenW (lpString="svchost.exe") returned 11 [0068.342] lstrcmpiW (lpString1="winlogon.exe", lpString2="csrss.exe") returned 1 [0068.342] lstrlenW (lpString="csrss.exe") returned 9 [0068.342] lstrcmpiW (lpString1="winlogon.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0068.342] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0068.342] lstrcmpiW (lpString1="winlogon.exe", lpString2="WebServices.exe") returned 1 [0068.342] lstrlenW (lpString="WebServices.exe") returned 15 [0068.342] lstrcmpiW (lpString1="winlogon.exe", lpString2="cmd.exe") returned 1 [0068.342] lstrlenW (lpString="cmd.exe") returned 7 [0068.342] lstrcmpiW (lpString1="winlogon.exe", lpString2="mstsc.exe") returned 1 [0068.342] lstrlenW (lpString="mstsc.exe") returned 9 [0068.343] lstrcmpiW (lpString1="winlogon.exe", lpString2="find.exe") returned 1 [0068.343] lstrlenW (lpString="find.exe") returned 8 [0068.343] lstrcmpiW (lpString1="winlogon.exe", lpString2="conhost.exe") returned 1 [0068.343] lstrlenW (lpString="conhost.exe") returned 11 [0068.343] lstrcmpiW (lpString1="winlogon.exe", lpString2="explorer.exe") returned 1 [0068.343] lstrlenW (lpString="explorer.exe") returned 12 [0068.343] lstrcmpiW (lpString1="winlogon.exe", lpString2="ctfmon.exe") returned 1 [0068.343] lstrlenW (lpString="ctfmon.exe") returned 10 [0068.343] lstrcmpiW (lpString1="winlogon.exe", lpString2="lsass.exe") returned 1 [0068.343] lstrlenW (lpString="lsass.exe") returned 9 [0068.343] lstrcmpiW (lpString1="winlogon.exe", lpString2="services.exe") returned 1 [0068.343] lstrlenW (lpString="services.exe") returned 12 [0068.343] lstrcmpiW (lpString1="winlogon.exe", lpString2="tasklist.exe") returned 1 [0068.343] lstrlenW (lpString="tasklist.exe") returned 12 [0068.343] lstrcmpiW (lpString1="winlogon.exe", lpString2="winlogon.exe") returned 0 [0068.343] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0068.344] lstrcmpiW (lpString1="services.exe", lpString2="[System process]") returned 1 [0068.344] lstrlenW (lpString="[System process]") returned 16 [0068.344] lstrcmpiW (lpString1="services.exe", lpString2="System") returned -1 [0068.344] lstrlenW (lpString="System") returned 6 [0068.344] lstrcmpiW (lpString1="services.exe", lpString2="smss.exe") returned -1 [0068.344] lstrlenW (lpString="smss.exe") returned 8 [0068.344] lstrcmpiW (lpString1="services.exe", lpString2="dllhost.exe") returned 1 [0068.344] lstrlenW (lpString="dllhost.exe") returned 11 [0068.344] lstrcmpiW (lpString1="services.exe", lpString2="svchost.exe") returned -1 [0068.344] lstrlenW (lpString="svchost.exe") returned 11 [0068.344] lstrcmpiW (lpString1="services.exe", lpString2="csrss.exe") returned 1 [0068.344] lstrlenW (lpString="csrss.exe") returned 9 [0068.344] lstrcmpiW (lpString1="services.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0068.344] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0068.344] lstrcmpiW (lpString1="services.exe", lpString2="WebServices.exe") returned -1 [0068.344] lstrlenW (lpString="WebServices.exe") returned 15 [0068.344] lstrcmpiW (lpString1="services.exe", lpString2="cmd.exe") returned 1 [0068.344] lstrlenW (lpString="cmd.exe") returned 7 [0068.344] lstrcmpiW (lpString1="services.exe", lpString2="mstsc.exe") returned 1 [0068.344] lstrlenW (lpString="mstsc.exe") returned 9 [0068.344] lstrcmpiW (lpString1="services.exe", lpString2="find.exe") returned 1 [0068.344] lstrlenW (lpString="find.exe") returned 8 [0068.344] lstrcmpiW (lpString1="services.exe", lpString2="conhost.exe") returned 1 [0068.344] lstrlenW (lpString="conhost.exe") returned 11 [0068.344] lstrcmpiW (lpString1="services.exe", lpString2="explorer.exe") returned 1 [0068.344] lstrlenW (lpString="explorer.exe") returned 12 [0068.344] lstrcmpiW (lpString1="services.exe", lpString2="ctfmon.exe") returned 1 [0068.344] lstrlenW (lpString="ctfmon.exe") returned 10 [0068.344] lstrcmpiW (lpString1="services.exe", lpString2="lsass.exe") returned 1 [0068.344] lstrlenW (lpString="lsass.exe") returned 9 [0068.344] lstrcmpiW (lpString1="services.exe", lpString2="services.exe") returned 0 [0068.344] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0068.345] lstrcmpiW (lpString1="lsass.exe", lpString2="[System process]") returned 1 [0068.345] lstrlenW (lpString="[System process]") returned 16 [0068.345] lstrcmpiW (lpString1="lsass.exe", lpString2="System") returned -1 [0068.345] lstrlenW (lpString="System") returned 6 [0068.345] lstrcmpiW (lpString1="lsass.exe", lpString2="smss.exe") returned -1 [0068.345] lstrlenW (lpString="smss.exe") returned 8 [0068.345] lstrcmpiW (lpString1="lsass.exe", lpString2="dllhost.exe") returned 1 [0068.345] lstrlenW (lpString="dllhost.exe") returned 11 [0068.345] lstrcmpiW (lpString1="lsass.exe", lpString2="svchost.exe") returned -1 [0068.345] lstrlenW (lpString="svchost.exe") returned 11 [0068.345] lstrcmpiW (lpString1="lsass.exe", lpString2="csrss.exe") returned 1 [0068.345] lstrlenW (lpString="csrss.exe") returned 9 [0068.345] lstrcmpiW (lpString1="lsass.exe", lpString2="Microsoft.ActiveDirectory") returned -1 [0068.345] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0068.345] lstrcmpiW (lpString1="lsass.exe", lpString2="WebServices.exe") returned -1 [0068.345] lstrlenW (lpString="WebServices.exe") returned 15 [0068.345] lstrcmpiW (lpString1="lsass.exe", lpString2="cmd.exe") returned 1 [0068.345] lstrlenW (lpString="cmd.exe") returned 7 [0068.345] lstrcmpiW (lpString1="lsass.exe", lpString2="mstsc.exe") returned -1 [0068.345] lstrlenW (lpString="mstsc.exe") returned 9 [0068.345] lstrcmpiW (lpString1="lsass.exe", lpString2="find.exe") returned 1 [0068.345] lstrlenW (lpString="find.exe") returned 8 [0068.345] lstrcmpiW (lpString1="lsass.exe", lpString2="conhost.exe") returned 1 [0068.345] lstrlenW (lpString="conhost.exe") returned 11 [0068.345] lstrcmpiW (lpString1="lsass.exe", lpString2="explorer.exe") returned 1 [0068.345] lstrlenW (lpString="explorer.exe") returned 12 [0068.345] lstrcmpiW (lpString1="lsass.exe", lpString2="ctfmon.exe") returned 1 [0068.345] lstrlenW (lpString="ctfmon.exe") returned 10 [0068.345] lstrcmpiW (lpString1="lsass.exe", lpString2="lsass.exe") returned 0 [0068.345] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.346] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0068.346] lstrlenW (lpString="[System process]") returned 16 [0068.346] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0068.346] lstrlenW (lpString="System") returned 6 [0068.346] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0068.346] lstrlenW (lpString="smss.exe") returned 8 [0068.346] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0068.346] lstrlenW (lpString="dllhost.exe") returned 11 [0068.346] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0068.346] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.346] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0068.346] lstrlenW (lpString="[System process]") returned 16 [0068.346] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0068.346] lstrlenW (lpString="System") returned 6 [0068.346] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0068.346] lstrlenW (lpString="smss.exe") returned 8 [0068.346] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0068.346] lstrlenW (lpString="dllhost.exe") returned 11 [0068.346] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0068.346] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0068.347] lstrcmpiW (lpString1="dwm.exe", lpString2="[System process]") returned 1 [0068.347] lstrlenW (lpString="[System process]") returned 16 [0068.347] lstrcmpiW (lpString1="dwm.exe", lpString2="System") returned -1 [0068.347] lstrlenW (lpString="System") returned 6 [0068.347] lstrcmpiW (lpString1="dwm.exe", lpString2="smss.exe") returned -1 [0068.347] lstrlenW (lpString="smss.exe") returned 8 [0068.347] lstrcmpiW (lpString1="dwm.exe", lpString2="dllhost.exe") returned 1 [0068.347] lstrlenW (lpString="dllhost.exe") returned 11 [0068.347] lstrcmpiW (lpString1="dwm.exe", lpString2="svchost.exe") returned -1 [0068.347] lstrlenW (lpString="svchost.exe") returned 11 [0068.347] lstrcmpiW (lpString1="dwm.exe", lpString2="csrss.exe") returned 1 [0068.347] lstrlenW (lpString="csrss.exe") returned 9 [0068.347] lstrcmpiW (lpString1="dwm.exe", lpString2="Microsoft.ActiveDirectory") returned -1 [0068.347] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0068.347] lstrcmpiW (lpString1="dwm.exe", lpString2="WebServices.exe") returned -1 [0068.347] lstrlenW (lpString="WebServices.exe") returned 15 [0068.347] lstrcmpiW (lpString1="dwm.exe", lpString2="cmd.exe") returned 1 [0068.347] lstrlenW (lpString="cmd.exe") returned 7 [0068.347] lstrcmpiW (lpString1="dwm.exe", lpString2="mstsc.exe") returned -1 [0068.347] lstrlenW (lpString="mstsc.exe") returned 9 [0068.347] lstrcmpiW (lpString1="dwm.exe", lpString2="find.exe") returned -1 [0068.347] lstrlenW (lpString="find.exe") returned 8 [0068.347] lstrcmpiW (lpString1="dwm.exe", lpString2="conhost.exe") returned 1 [0068.347] lstrlenW (lpString="conhost.exe") returned 11 [0068.347] lstrcmpiW (lpString1="dwm.exe", lpString2="explorer.exe") returned -1 [0068.347] lstrlenW (lpString="explorer.exe") returned 12 [0068.347] lstrcmpiW (lpString1="dwm.exe", lpString2="ctfmon.exe") returned 1 [0068.347] lstrlenW (lpString="ctfmon.exe") returned 10 [0068.347] lstrcmpiW (lpString1="dwm.exe", lpString2="lsass.exe") returned -1 [0068.347] lstrlenW (lpString="lsass.exe") returned 9 [0068.347] lstrcmpiW (lpString1="dwm.exe", lpString2="services.exe") returned -1 [0068.347] lstrlenW (lpString="services.exe") returned 12 [0068.347] lstrcmpiW (lpString1="dwm.exe", lpString2="tasklist.exe") returned -1 [0068.347] lstrlenW (lpString="tasklist.exe") returned 12 [0068.347] lstrcmpiW (lpString1="dwm.exe", lpString2="winlogon.exe") returned -1 [0068.347] lstrlenW (lpString="winlogon.exe") returned 12 [0068.347] lstrcmpiW (lpString1="dwm.exe", lpString2="wmiprvse.exe") returned -1 [0068.347] lstrlenW (lpString="wmiprvse.exe") returned 12 [0068.347] lstrcmpiW (lpString1="dwm.exe", lpString2="msdts.exe") returned -1 [0068.348] lstrlenW (lpString="msdts.exe") returned 9 [0068.348] lstrcmpiW (lpString1="dwm.exe", lpString2="bfsvc.exe") returned 1 [0068.348] lstrlenW (lpString="bfsvc.exe") returned 9 [0068.348] lstrcmpiW (lpString1="dwm.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0068.348] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0068.348] lstrcmpiW (lpString1="dwm.exe", lpString2="alg.exe") returned 1 [0068.348] lstrlenW (lpString="alg.exe") returned 7 [0068.348] lstrcmpiW (lpString1="dwm.exe", lpString2="dwm.exe") returned 0 [0068.348] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.348] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0068.348] lstrlenW (lpString="[System process]") returned 16 [0068.348] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0068.348] lstrlenW (lpString="System") returned 6 [0068.348] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0068.348] lstrlenW (lpString="smss.exe") returned 8 [0068.348] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0068.348] lstrlenW (lpString="dllhost.exe") returned 11 [0068.348] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0068.348] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.349] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0068.349] lstrlenW (lpString="[System process]") returned 16 [0068.349] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0068.349] lstrlenW (lpString="System") returned 6 [0068.349] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0068.349] lstrlenW (lpString="smss.exe") returned 8 [0068.349] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0068.349] lstrlenW (lpString="dllhost.exe") returned 11 [0068.349] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0068.349] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.349] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0068.349] lstrlenW (lpString="[System process]") returned 16 [0068.349] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0068.349] lstrlenW (lpString="System") returned 6 [0068.349] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0068.349] lstrlenW (lpString="smss.exe") returned 8 [0068.349] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0068.349] lstrlenW (lpString="dllhost.exe") returned 11 [0068.349] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0068.349] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.350] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0068.350] lstrlenW (lpString="[System process]") returned 16 [0068.350] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0068.350] lstrlenW (lpString="System") returned 6 [0068.350] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0068.350] lstrlenW (lpString="smss.exe") returned 8 [0068.350] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0068.350] lstrlenW (lpString="dllhost.exe") returned 11 [0068.350] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0068.350] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.350] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0068.351] lstrlenW (lpString="[System process]") returned 16 [0068.351] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0068.351] lstrlenW (lpString="System") returned 6 [0068.351] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0068.351] lstrlenW (lpString="smss.exe") returned 8 [0068.351] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0068.351] lstrlenW (lpString="dllhost.exe") returned 11 [0068.351] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0068.351] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.351] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0068.351] lstrlenW (lpString="[System process]") returned 16 [0068.351] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0068.351] lstrlenW (lpString="System") returned 6 [0068.351] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0068.351] lstrlenW (lpString="smss.exe") returned 8 [0068.351] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0068.351] lstrlenW (lpString="dllhost.exe") returned 11 [0068.351] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0068.351] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0068.352] lstrcmpiW (lpString1="spoolsv.exe", lpString2="[System process]") returned 1 [0068.352] lstrlenW (lpString="[System process]") returned 16 [0068.352] lstrcmpiW (lpString1="spoolsv.exe", lpString2="System") returned -1 [0068.352] lstrlenW (lpString="System") returned 6 [0068.352] lstrcmpiW (lpString1="spoolsv.exe", lpString2="smss.exe") returned 1 [0068.352] lstrlenW (lpString="smss.exe") returned 8 [0068.352] lstrcmpiW (lpString1="spoolsv.exe", lpString2="dllhost.exe") returned 1 [0068.352] lstrlenW (lpString="dllhost.exe") returned 11 [0068.352] lstrcmpiW (lpString1="spoolsv.exe", lpString2="svchost.exe") returned -1 [0068.352] lstrlenW (lpString="svchost.exe") returned 11 [0068.352] lstrcmpiW (lpString1="spoolsv.exe", lpString2="csrss.exe") returned 1 [0068.352] lstrlenW (lpString="csrss.exe") returned 9 [0068.352] lstrcmpiW (lpString1="spoolsv.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0068.352] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0068.352] lstrcmpiW (lpString1="spoolsv.exe", lpString2="WebServices.exe") returned -1 [0068.352] lstrlenW (lpString="WebServices.exe") returned 15 [0068.352] lstrcmpiW (lpString1="spoolsv.exe", lpString2="cmd.exe") returned 1 [0068.352] lstrlenW (lpString="cmd.exe") returned 7 [0068.352] lstrcmpiW (lpString1="spoolsv.exe", lpString2="mstsc.exe") returned 1 [0068.352] lstrlenW (lpString="mstsc.exe") returned 9 [0068.352] lstrcmpiW (lpString1="spoolsv.exe", lpString2="find.exe") returned 1 [0068.352] lstrlenW (lpString="find.exe") returned 8 [0068.352] lstrcmpiW (lpString1="spoolsv.exe", lpString2="conhost.exe") returned 1 [0068.352] lstrlenW (lpString="conhost.exe") returned 11 [0068.352] lstrcmpiW (lpString1="spoolsv.exe", lpString2="explorer.exe") returned 1 [0068.352] lstrlenW (lpString="explorer.exe") returned 12 [0068.352] lstrcmpiW (lpString1="spoolsv.exe", lpString2="ctfmon.exe") returned 1 [0068.352] lstrlenW (lpString="ctfmon.exe") returned 10 [0068.352] lstrcmpiW (lpString1="spoolsv.exe", lpString2="lsass.exe") returned 1 [0068.352] lstrlenW (lpString="lsass.exe") returned 9 [0068.352] lstrcmpiW (lpString1="spoolsv.exe", lpString2="services.exe") returned 1 [0068.352] lstrlenW (lpString="services.exe") returned 12 [0068.352] lstrcmpiW (lpString1="spoolsv.exe", lpString2="tasklist.exe") returned -1 [0068.352] lstrlenW (lpString="tasklist.exe") returned 12 [0068.352] lstrcmpiW (lpString1="spoolsv.exe", lpString2="winlogon.exe") returned -1 [0068.352] lstrlenW (lpString="winlogon.exe") returned 12 [0068.352] lstrcmpiW (lpString1="spoolsv.exe", lpString2="wmiprvse.exe") returned -1 [0068.352] lstrlenW (lpString="wmiprvse.exe") returned 12 [0068.352] lstrcmpiW (lpString1="spoolsv.exe", lpString2="msdts.exe") returned 1 [0068.352] lstrlenW (lpString="msdts.exe") returned 9 [0068.352] lstrcmpiW (lpString1="spoolsv.exe", lpString2="bfsvc.exe") returned 1 [0068.352] lstrlenW (lpString="bfsvc.exe") returned 9 [0068.352] lstrcmpiW (lpString1="spoolsv.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0068.352] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0068.352] lstrcmpiW (lpString1="spoolsv.exe", lpString2="alg.exe") returned 1 [0068.353] lstrlenW (lpString="alg.exe") returned 7 [0068.353] lstrcmpiW (lpString1="spoolsv.exe", lpString2="dwm.exe") returned 1 [0068.353] lstrlenW (lpString="dwm.exe") returned 7 [0068.353] lstrcmpiW (lpString1="spoolsv.exe", lpString2="issch.exe") returned 1 [0068.353] lstrlenW (lpString="issch.exe") returned 9 [0068.353] lstrcmpiW (lpString1="spoolsv.exe", lpString2="rundll32.exe") returned 1 [0068.353] lstrlenW (lpString="rundll32.exe") returned 12 [0068.353] lstrcmpiW (lpString1="spoolsv.exe", lpString2="spoolsv.exe") returned 0 [0068.353] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.353] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0068.353] lstrlenW (lpString="[System process]") returned 16 [0068.353] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0068.353] lstrlenW (lpString="System") returned 6 [0068.353] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0068.353] lstrlenW (lpString="smss.exe") returned 8 [0068.353] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0068.353] lstrlenW (lpString="dllhost.exe") returned 11 [0068.353] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0068.353] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.354] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0068.354] lstrlenW (lpString="[System process]") returned 16 [0068.354] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0068.354] lstrlenW (lpString="System") returned 6 [0068.354] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0068.354] lstrlenW (lpString="smss.exe") returned 8 [0068.354] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0068.354] lstrlenW (lpString="dllhost.exe") returned 11 [0068.354] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0068.354] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.355] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0068.355] lstrlenW (lpString="[System process]") returned 16 [0068.355] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0068.355] lstrlenW (lpString="System") returned 6 [0068.355] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0068.355] lstrlenW (lpString="smss.exe") returned 8 [0068.355] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0068.355] lstrlenW (lpString="dllhost.exe") returned 11 [0068.355] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0068.355] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0068.355] lstrcmpiW (lpString1="sihost.exe", lpString2="[System process]") returned 1 [0068.355] lstrlenW (lpString="[System process]") returned 16 [0068.355] lstrcmpiW (lpString1="sihost.exe", lpString2="System") returned -1 [0068.355] lstrlenW (lpString="System") returned 6 [0068.355] lstrcmpiW (lpString1="sihost.exe", lpString2="smss.exe") returned -1 [0068.355] lstrlenW (lpString="smss.exe") returned 8 [0068.355] lstrcmpiW (lpString1="sihost.exe", lpString2="dllhost.exe") returned 1 [0068.355] lstrlenW (lpString="dllhost.exe") returned 11 [0068.355] lstrcmpiW (lpString1="sihost.exe", lpString2="svchost.exe") returned -1 [0068.355] lstrlenW (lpString="svchost.exe") returned 11 [0068.355] lstrcmpiW (lpString1="sihost.exe", lpString2="csrss.exe") returned 1 [0068.355] lstrlenW (lpString="csrss.exe") returned 9 [0068.355] lstrcmpiW (lpString1="sihost.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0068.355] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0068.355] lstrcmpiW (lpString1="sihost.exe", lpString2="WebServices.exe") returned -1 [0068.355] lstrlenW (lpString="WebServices.exe") returned 15 [0068.355] lstrcmpiW (lpString1="sihost.exe", lpString2="cmd.exe") returned 1 [0068.355] lstrlenW (lpString="cmd.exe") returned 7 [0068.355] lstrcmpiW (lpString1="sihost.exe", lpString2="mstsc.exe") returned 1 [0068.356] lstrlenW (lpString="mstsc.exe") returned 9 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="find.exe") returned 1 [0068.356] lstrlenW (lpString="find.exe") returned 8 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="conhost.exe") returned 1 [0068.356] lstrlenW (lpString="conhost.exe") returned 11 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="explorer.exe") returned 1 [0068.356] lstrlenW (lpString="explorer.exe") returned 12 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="ctfmon.exe") returned 1 [0068.356] lstrlenW (lpString="ctfmon.exe") returned 10 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="lsass.exe") returned 1 [0068.356] lstrlenW (lpString="lsass.exe") returned 9 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="services.exe") returned 1 [0068.356] lstrlenW (lpString="services.exe") returned 12 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="tasklist.exe") returned -1 [0068.356] lstrlenW (lpString="tasklist.exe") returned 12 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="winlogon.exe") returned -1 [0068.356] lstrlenW (lpString="winlogon.exe") returned 12 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="wmiprvse.exe") returned -1 [0068.356] lstrlenW (lpString="wmiprvse.exe") returned 12 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="msdts.exe") returned 1 [0068.356] lstrlenW (lpString="msdts.exe") returned 9 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="bfsvc.exe") returned 1 [0068.356] lstrlenW (lpString="bfsvc.exe") returned 9 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0068.356] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="alg.exe") returned 1 [0068.356] lstrlenW (lpString="alg.exe") returned 7 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="dwm.exe") returned 1 [0068.356] lstrlenW (lpString="dwm.exe") returned 7 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="issch.exe") returned 1 [0068.356] lstrlenW (lpString="issch.exe") returned 9 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="rundll32.exe") returned 1 [0068.356] lstrlenW (lpString="rundll32.exe") returned 12 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="spoolsv.exe") returned -1 [0068.356] lstrlenW (lpString="spoolsv.exe") returned 11 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="wininit.exe") returned -1 [0068.356] lstrlenW (lpString="wininit.exe") returned 11 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="wmiprvse.exe") returned -1 [0068.356] lstrlenW (lpString="wmiprvse.exe") returned 12 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="wudfhost.exe") returned -1 [0068.356] lstrlenW (lpString="wudfhost.exe") returned 12 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="taskmgr.exe") returned -1 [0068.356] lstrlenW (lpString="taskmgr.exe") returned 11 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="rdpclip.exe") returned 1 [0068.356] lstrlenW (lpString="rdpclip.exe") returned 11 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="logonui.exe") returned 1 [0068.356] lstrlenW (lpString="logonui.exe") returned 11 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="lsm.exe") returned 1 [0068.356] lstrlenW (lpString="lsm.exe") returned 7 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="searchui.exe") returned 1 [0068.356] lstrlenW (lpString="searchui.exe") returned 12 [0068.356] lstrcmpiW (lpString1="sihost.exe", lpString2="searchindexer.exe") returned 1 [0068.357] lstrlenW (lpString="searchindexer.exe") returned 17 [0068.357] lstrcmpiW (lpString1="sihost.exe", lpString2="processhacker.exe") returned 1 [0068.357] lstrlenW (lpString="processhacker.exe") returned 17 [0068.357] lstrcmpiW (lpString1="sihost.exe", lpString2="getpassvord_x64.exe") returned 1 [0068.357] lstrlenW (lpString="getpassvord_x64.exe") returned 19 [0068.357] lstrcmpiW (lpString1="sihost.exe", lpString2="64.exe") returned 1 [0068.357] lstrlenW (lpString="64.exe") returned 6 [0068.357] lstrcmpiW (lpString1="sihost.exe", lpString2="32.exe") returned 1 [0068.357] lstrlenW (lpString="32.exe") returned 6 [0068.357] lstrcmpiW (lpString1="sihost.exe", lpString2="mshta.exe") returned 1 [0068.357] lstrlenW (lpString="mshta.exe") returned 9 [0068.357] lstrcmpiW (lpString1="sihost.exe", lpString2="fontdrvhost.exe") returned 1 [0068.357] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0068.357] lstrcmpiW (lpString1="sihost.exe", lpString2="sihost.exe") returned 0 [0068.357] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0068.357] lstrcmpiW (lpString1="explorer.exe", lpString2="[System process]") returned 1 [0068.357] lstrlenW (lpString="[System process]") returned 16 [0068.357] lstrcmpiW (lpString1="explorer.exe", lpString2="System") returned -1 [0068.357] lstrlenW (lpString="System") returned 6 [0068.357] lstrcmpiW (lpString1="explorer.exe", lpString2="smss.exe") returned -1 [0068.357] lstrlenW (lpString="smss.exe") returned 8 [0068.357] lstrcmpiW (lpString1="explorer.exe", lpString2="dllhost.exe") returned 1 [0068.357] lstrlenW (lpString="dllhost.exe") returned 11 [0068.357] lstrcmpiW (lpString1="explorer.exe", lpString2="svchost.exe") returned -1 [0068.357] lstrlenW (lpString="svchost.exe") returned 11 [0068.357] lstrlenW (lpString="csrss.exe") returned 9 [0068.357] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0068.357] lstrlenW (lpString="WebServices.exe") returned 15 [0068.358] lstrlenW (lpString="cmd.exe") returned 7 [0068.358] lstrlenW (lpString="mstsc.exe") returned 9 [0068.358] lstrlenW (lpString="find.exe") returned 8 [0068.358] lstrlenW (lpString="conhost.exe") returned 11 [0068.358] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0068.358] lstrlenW (lpString="[System process]") returned 16 [0068.358] lstrlenW (lpString="System") returned 6 [0068.358] lstrlenW (lpString="smss.exe") returned 8 [0068.358] lstrlenW (lpString="dllhost.exe") returned 11 [0068.358] lstrlenW (lpString="svchost.exe") returned 11 [0068.358] lstrlenW (lpString="csrss.exe") returned 9 [0068.358] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0068.358] lstrlenW (lpString="WebServices.exe") returned 15 [0068.358] lstrlenW (lpString="cmd.exe") returned 7 [0068.358] lstrlenW (lpString="mstsc.exe") returned 9 [0068.358] lstrlenW (lpString="find.exe") returned 8 [0068.358] lstrlenW (lpString="conhost.exe") returned 11 [0068.358] lstrlenW (lpString="explorer.exe") returned 12 [0068.358] lstrlenW (lpString="ctfmon.exe") returned 10 [0068.358] lstrlenW (lpString="lsass.exe") returned 9 [0068.358] lstrlenW (lpString="services.exe") returned 12 [0068.358] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0068.359] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.359] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="CRYPT.EXE")) returned 1 [0068.360] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.360] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0068.361] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xc0c) returned 0x1b8 [0068.361] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 1 [0068.361] CloseHandle (hObject=0x1b8) returned 1 [0068.361] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0068.362] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0068.362] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xc60) returned 0x1b8 [0068.362] TerminateProcess (hProcess=0x1b8, uExitCode=0x0) returned 0 [0068.363] CloseHandle (hObject=0x1b8) returned 1 [0068.363] Process32NextW (in: hSnapshot=0x1dc, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 0 [0068.363] CloseHandle (hObject=0x1dc) returned 1 [0068.363] Sleep (dwMilliseconds=0x3e8) [0069.955] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x224 [0069.957] Process32FirstW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0069.958] lstrcmpiW (lpString1="[System Process]", lpString2="[System process]") returned 0 [0069.958] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0069.958] lstrcmpiW (lpString1="System", lpString2="[System process]") returned 1 [0069.958] lstrlenW (lpString="[System process]") returned 16 [0069.959] lstrcmpiW (lpString1="System", lpString2="System") returned 0 [0069.959] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0069.959] lstrcmpiW (lpString1="smss.exe", lpString2="[System process]") returned 1 [0069.959] lstrlenW (lpString="[System process]") returned 16 [0069.959] lstrcmpiW (lpString1="smss.exe", lpString2="System") returned -1 [0069.959] lstrlenW (lpString="System") returned 6 [0069.959] lstrcmpiW (lpString1="smss.exe", lpString2="smss.exe") returned 0 [0069.959] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0069.960] lstrcmpiW (lpString1="csrss.exe", lpString2="[System process]") returned 1 [0069.960] lstrlenW (lpString="[System process]") returned 16 [0069.960] lstrcmpiW (lpString1="csrss.exe", lpString2="System") returned -1 [0069.960] lstrlenW (lpString="System") returned 6 [0069.960] lstrcmpiW (lpString1="csrss.exe", lpString2="smss.exe") returned -1 [0069.960] lstrlenW (lpString="smss.exe") returned 8 [0069.960] lstrcmpiW (lpString1="csrss.exe", lpString2="dllhost.exe") returned -1 [0069.960] lstrlenW (lpString="dllhost.exe") returned 11 [0069.960] lstrcmpiW (lpString1="csrss.exe", lpString2="svchost.exe") returned -1 [0069.960] lstrlenW (lpString="svchost.exe") returned 11 [0069.960] lstrcmpiW (lpString1="csrss.exe", lpString2="csrss.exe") returned 0 [0069.960] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0069.961] lstrcmpiW (lpString1="wininit.exe", lpString2="[System process]") returned 1 [0069.961] lstrlenW (lpString="[System process]") returned 16 [0069.961] lstrcmpiW (lpString1="wininit.exe", lpString2="System") returned 1 [0069.961] lstrlenW (lpString="System") returned 6 [0069.961] lstrcmpiW (lpString1="wininit.exe", lpString2="smss.exe") returned 1 [0069.961] lstrlenW (lpString="smss.exe") returned 8 [0069.961] lstrcmpiW (lpString1="wininit.exe", lpString2="dllhost.exe") returned 1 [0069.961] lstrlenW (lpString="dllhost.exe") returned 11 [0069.961] lstrcmpiW (lpString1="wininit.exe", lpString2="svchost.exe") returned 1 [0069.961] lstrlenW (lpString="svchost.exe") returned 11 [0069.961] lstrcmpiW (lpString1="wininit.exe", lpString2="csrss.exe") returned 1 [0069.961] lstrlenW (lpString="csrss.exe") returned 9 [0069.961] lstrcmpiW (lpString1="wininit.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0069.961] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0069.961] lstrcmpiW (lpString1="wininit.exe", lpString2="WebServices.exe") returned 1 [0069.961] lstrlenW (lpString="WebServices.exe") returned 15 [0069.961] lstrcmpiW (lpString1="wininit.exe", lpString2="cmd.exe") returned 1 [0069.961] lstrlenW (lpString="cmd.exe") returned 7 [0069.961] lstrcmpiW (lpString1="wininit.exe", lpString2="mstsc.exe") returned 1 [0069.961] lstrlenW (lpString="mstsc.exe") returned 9 [0069.961] lstrcmpiW (lpString1="wininit.exe", lpString2="find.exe") returned 1 [0069.961] lstrlenW (lpString="find.exe") returned 8 [0069.961] lstrcmpiW (lpString1="wininit.exe", lpString2="conhost.exe") returned 1 [0069.961] lstrlenW (lpString="conhost.exe") returned 11 [0069.961] lstrcmpiW (lpString1="wininit.exe", lpString2="explorer.exe") returned 1 [0069.961] lstrlenW (lpString="explorer.exe") returned 12 [0069.961] lstrcmpiW (lpString1="wininit.exe", lpString2="ctfmon.exe") returned 1 [0069.962] lstrlenW (lpString="ctfmon.exe") returned 10 [0069.962] lstrcmpiW (lpString1="wininit.exe", lpString2="lsass.exe") returned 1 [0069.962] lstrlenW (lpString="lsass.exe") returned 9 [0069.962] lstrcmpiW (lpString1="wininit.exe", lpString2="services.exe") returned 1 [0069.962] lstrlenW (lpString="services.exe") returned 12 [0069.962] lstrcmpiW (lpString1="wininit.exe", lpString2="tasklist.exe") returned 1 [0069.962] lstrlenW (lpString="tasklist.exe") returned 12 [0069.962] lstrcmpiW (lpString1="wininit.exe", lpString2="winlogon.exe") returned -1 [0069.962] lstrlenW (lpString="winlogon.exe") returned 12 [0069.962] lstrcmpiW (lpString1="wininit.exe", lpString2="wmiprvse.exe") returned -1 [0069.962] lstrlenW (lpString="wmiprvse.exe") returned 12 [0069.962] lstrcmpiW (lpString1="wininit.exe", lpString2="msdts.exe") returned 1 [0069.962] lstrlenW (lpString="msdts.exe") returned 9 [0069.962] lstrcmpiW (lpString1="wininit.exe", lpString2="bfsvc.exe") returned 1 [0069.962] lstrlenW (lpString="bfsvc.exe") returned 9 [0069.962] lstrcmpiW (lpString1="wininit.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0069.962] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0069.962] lstrcmpiW (lpString1="wininit.exe", lpString2="alg.exe") returned 1 [0069.962] lstrlenW (lpString="alg.exe") returned 7 [0069.962] lstrcmpiW (lpString1="wininit.exe", lpString2="dwm.exe") returned 1 [0069.962] lstrlenW (lpString="dwm.exe") returned 7 [0069.962] lstrcmpiW (lpString1="wininit.exe", lpString2="issch.exe") returned 1 [0069.962] lstrlenW (lpString="issch.exe") returned 9 [0069.962] lstrcmpiW (lpString1="wininit.exe", lpString2="rundll32.exe") returned 1 [0069.962] lstrlenW (lpString="rundll32.exe") returned 12 [0069.962] lstrcmpiW (lpString1="wininit.exe", lpString2="spoolsv.exe") returned 1 [0069.962] lstrlenW (lpString="spoolsv.exe") returned 11 [0069.962] lstrcmpiW (lpString1="wininit.exe", lpString2="wininit.exe") returned 0 [0069.962] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0069.963] lstrcmpiW (lpString1="csrss.exe", lpString2="[System process]") returned 1 [0069.963] lstrlenW (lpString="[System process]") returned 16 [0069.963] lstrcmpiW (lpString1="csrss.exe", lpString2="System") returned -1 [0069.963] lstrlenW (lpString="System") returned 6 [0069.963] lstrcmpiW (lpString1="csrss.exe", lpString2="smss.exe") returned -1 [0069.963] lstrlenW (lpString="smss.exe") returned 8 [0069.963] lstrcmpiW (lpString1="csrss.exe", lpString2="dllhost.exe") returned -1 [0069.963] lstrlenW (lpString="dllhost.exe") returned 11 [0069.963] lstrcmpiW (lpString1="csrss.exe", lpString2="svchost.exe") returned -1 [0069.963] lstrlenW (lpString="svchost.exe") returned 11 [0069.964] lstrcmpiW (lpString1="csrss.exe", lpString2="csrss.exe") returned 0 [0069.964] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0069.964] lstrcmpiW (lpString1="winlogon.exe", lpString2="[System process]") returned 1 [0069.964] lstrlenW (lpString="[System process]") returned 16 [0069.964] lstrcmpiW (lpString1="winlogon.exe", lpString2="System") returned 1 [0069.964] lstrlenW (lpString="System") returned 6 [0069.964] lstrcmpiW (lpString1="winlogon.exe", lpString2="smss.exe") returned 1 [0069.964] lstrlenW (lpString="smss.exe") returned 8 [0069.964] lstrcmpiW (lpString1="winlogon.exe", lpString2="dllhost.exe") returned 1 [0069.964] lstrlenW (lpString="dllhost.exe") returned 11 [0069.964] lstrcmpiW (lpString1="winlogon.exe", lpString2="svchost.exe") returned 1 [0069.964] lstrlenW (lpString="svchost.exe") returned 11 [0069.964] lstrcmpiW (lpString1="winlogon.exe", lpString2="csrss.exe") returned 1 [0069.964] lstrlenW (lpString="csrss.exe") returned 9 [0069.965] lstrcmpiW (lpString1="winlogon.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0069.965] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0069.965] lstrcmpiW (lpString1="winlogon.exe", lpString2="WebServices.exe") returned 1 [0069.965] lstrlenW (lpString="WebServices.exe") returned 15 [0069.965] lstrcmpiW (lpString1="winlogon.exe", lpString2="cmd.exe") returned 1 [0069.965] lstrlenW (lpString="cmd.exe") returned 7 [0069.965] lstrcmpiW (lpString1="winlogon.exe", lpString2="mstsc.exe") returned 1 [0069.965] lstrlenW (lpString="mstsc.exe") returned 9 [0069.965] lstrcmpiW (lpString1="winlogon.exe", lpString2="find.exe") returned 1 [0069.965] lstrlenW (lpString="find.exe") returned 8 [0069.965] lstrcmpiW (lpString1="winlogon.exe", lpString2="conhost.exe") returned 1 [0069.965] lstrlenW (lpString="conhost.exe") returned 11 [0069.965] lstrcmpiW (lpString1="winlogon.exe", lpString2="explorer.exe") returned 1 [0069.965] lstrlenW (lpString="explorer.exe") returned 12 [0069.965] lstrcmpiW (lpString1="winlogon.exe", lpString2="ctfmon.exe") returned 1 [0069.965] lstrlenW (lpString="ctfmon.exe") returned 10 [0069.965] lstrcmpiW (lpString1="winlogon.exe", lpString2="lsass.exe") returned 1 [0069.965] lstrlenW (lpString="lsass.exe") returned 9 [0069.965] lstrcmpiW (lpString1="winlogon.exe", lpString2="services.exe") returned 1 [0069.965] lstrlenW (lpString="services.exe") returned 12 [0069.965] lstrcmpiW (lpString1="winlogon.exe", lpString2="tasklist.exe") returned 1 [0069.965] lstrlenW (lpString="tasklist.exe") returned 12 [0069.965] lstrcmpiW (lpString1="winlogon.exe", lpString2="winlogon.exe") returned 0 [0069.965] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0069.966] lstrcmpiW (lpString1="services.exe", lpString2="[System process]") returned 1 [0069.966] lstrlenW (lpString="[System process]") returned 16 [0069.966] lstrcmpiW (lpString1="services.exe", lpString2="System") returned -1 [0069.966] lstrlenW (lpString="System") returned 6 [0069.966] lstrcmpiW (lpString1="services.exe", lpString2="smss.exe") returned -1 [0069.966] lstrlenW (lpString="smss.exe") returned 8 [0069.966] lstrcmpiW (lpString1="services.exe", lpString2="dllhost.exe") returned 1 [0069.966] lstrlenW (lpString="dllhost.exe") returned 11 [0069.966] lstrcmpiW (lpString1="services.exe", lpString2="svchost.exe") returned -1 [0069.966] lstrlenW (lpString="svchost.exe") returned 11 [0069.966] lstrcmpiW (lpString1="services.exe", lpString2="csrss.exe") returned 1 [0069.966] lstrlenW (lpString="csrss.exe") returned 9 [0069.966] lstrcmpiW (lpString1="services.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0069.966] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0069.966] lstrcmpiW (lpString1="services.exe", lpString2="WebServices.exe") returned -1 [0069.966] lstrlenW (lpString="WebServices.exe") returned 15 [0069.966] lstrcmpiW (lpString1="services.exe", lpString2="cmd.exe") returned 1 [0069.966] lstrlenW (lpString="cmd.exe") returned 7 [0069.966] lstrcmpiW (lpString1="services.exe", lpString2="mstsc.exe") returned 1 [0069.966] lstrlenW (lpString="mstsc.exe") returned 9 [0069.966] lstrcmpiW (lpString1="services.exe", lpString2="find.exe") returned 1 [0069.966] lstrlenW (lpString="find.exe") returned 8 [0069.966] lstrcmpiW (lpString1="services.exe", lpString2="conhost.exe") returned 1 [0069.967] lstrlenW (lpString="conhost.exe") returned 11 [0069.967] lstrcmpiW (lpString1="services.exe", lpString2="explorer.exe") returned 1 [0069.967] lstrlenW (lpString="explorer.exe") returned 12 [0069.967] lstrcmpiW (lpString1="services.exe", lpString2="ctfmon.exe") returned 1 [0069.967] lstrlenW (lpString="ctfmon.exe") returned 10 [0069.967] lstrcmpiW (lpString1="services.exe", lpString2="lsass.exe") returned 1 [0069.967] lstrlenW (lpString="lsass.exe") returned 9 [0069.967] lstrcmpiW (lpString1="services.exe", lpString2="services.exe") returned 0 [0069.967] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0069.967] lstrcmpiW (lpString1="lsass.exe", lpString2="[System process]") returned 1 [0069.967] lstrlenW (lpString="[System process]") returned 16 [0069.967] lstrcmpiW (lpString1="lsass.exe", lpString2="System") returned -1 [0069.967] lstrlenW (lpString="System") returned 6 [0069.968] lstrcmpiW (lpString1="lsass.exe", lpString2="smss.exe") returned -1 [0069.968] lstrlenW (lpString="smss.exe") returned 8 [0069.968] lstrcmpiW (lpString1="lsass.exe", lpString2="dllhost.exe") returned 1 [0069.968] lstrlenW (lpString="dllhost.exe") returned 11 [0069.968] lstrcmpiW (lpString1="lsass.exe", lpString2="svchost.exe") returned -1 [0069.968] lstrlenW (lpString="svchost.exe") returned 11 [0069.968] lstrcmpiW (lpString1="lsass.exe", lpString2="csrss.exe") returned 1 [0069.968] lstrlenW (lpString="csrss.exe") returned 9 [0069.968] lstrcmpiW (lpString1="lsass.exe", lpString2="Microsoft.ActiveDirectory") returned -1 [0069.968] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0069.968] lstrcmpiW (lpString1="lsass.exe", lpString2="WebServices.exe") returned -1 [0069.968] lstrlenW (lpString="WebServices.exe") returned 15 [0069.968] lstrcmpiW (lpString1="lsass.exe", lpString2="cmd.exe") returned 1 [0069.968] lstrlenW (lpString="cmd.exe") returned 7 [0069.968] lstrcmpiW (lpString1="lsass.exe", lpString2="mstsc.exe") returned -1 [0069.968] lstrlenW (lpString="mstsc.exe") returned 9 [0069.968] lstrcmpiW (lpString1="lsass.exe", lpString2="find.exe") returned 1 [0069.968] lstrlenW (lpString="find.exe") returned 8 [0069.968] lstrcmpiW (lpString1="lsass.exe", lpString2="conhost.exe") returned 1 [0069.968] lstrlenW (lpString="conhost.exe") returned 11 [0069.968] lstrcmpiW (lpString1="lsass.exe", lpString2="explorer.exe") returned 1 [0069.968] lstrlenW (lpString="explorer.exe") returned 12 [0069.968] lstrcmpiW (lpString1="lsass.exe", lpString2="ctfmon.exe") returned 1 [0069.968] lstrlenW (lpString="ctfmon.exe") returned 10 [0069.968] lstrcmpiW (lpString1="lsass.exe", lpString2="lsass.exe") returned 0 [0069.968] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.969] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0069.969] lstrlenW (lpString="[System process]") returned 16 [0069.969] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0069.969] lstrlenW (lpString="System") returned 6 [0069.969] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0069.969] lstrlenW (lpString="smss.exe") returned 8 [0069.969] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0069.969] lstrlenW (lpString="dllhost.exe") returned 11 [0069.969] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0069.969] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.970] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0069.970] lstrlenW (lpString="[System process]") returned 16 [0069.970] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0069.970] lstrlenW (lpString="System") returned 6 [0069.970] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0069.970] lstrlenW (lpString="smss.exe") returned 8 [0069.970] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0069.970] lstrlenW (lpString="dllhost.exe") returned 11 [0069.970] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0069.970] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0069.971] lstrcmpiW (lpString1="dwm.exe", lpString2="[System process]") returned 1 [0069.971] lstrlenW (lpString="[System process]") returned 16 [0069.971] lstrcmpiW (lpString1="dwm.exe", lpString2="System") returned -1 [0069.971] lstrlenW (lpString="System") returned 6 [0069.971] lstrcmpiW (lpString1="dwm.exe", lpString2="smss.exe") returned -1 [0069.971] lstrlenW (lpString="smss.exe") returned 8 [0069.971] lstrcmpiW (lpString1="dwm.exe", lpString2="dllhost.exe") returned 1 [0069.971] lstrlenW (lpString="dllhost.exe") returned 11 [0069.971] lstrcmpiW (lpString1="dwm.exe", lpString2="svchost.exe") returned -1 [0069.971] lstrlenW (lpString="svchost.exe") returned 11 [0069.971] lstrcmpiW (lpString1="dwm.exe", lpString2="csrss.exe") returned 1 [0069.971] lstrlenW (lpString="csrss.exe") returned 9 [0069.971] lstrcmpiW (lpString1="dwm.exe", lpString2="Microsoft.ActiveDirectory") returned -1 [0069.971] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0069.971] lstrcmpiW (lpString1="dwm.exe", lpString2="WebServices.exe") returned -1 [0069.971] lstrlenW (lpString="WebServices.exe") returned 15 [0069.971] lstrcmpiW (lpString1="dwm.exe", lpString2="cmd.exe") returned 1 [0069.971] lstrlenW (lpString="cmd.exe") returned 7 [0069.971] lstrcmpiW (lpString1="dwm.exe", lpString2="mstsc.exe") returned -1 [0069.971] lstrlenW (lpString="mstsc.exe") returned 9 [0069.971] lstrcmpiW (lpString1="dwm.exe", lpString2="find.exe") returned -1 [0069.971] lstrlenW (lpString="find.exe") returned 8 [0069.971] lstrcmpiW (lpString1="dwm.exe", lpString2="conhost.exe") returned 1 [0069.971] lstrlenW (lpString="conhost.exe") returned 11 [0069.971] lstrcmpiW (lpString1="dwm.exe", lpString2="explorer.exe") returned -1 [0069.971] lstrlenW (lpString="explorer.exe") returned 12 [0069.971] lstrcmpiW (lpString1="dwm.exe", lpString2="ctfmon.exe") returned 1 [0069.971] lstrlenW (lpString="ctfmon.exe") returned 10 [0069.971] lstrcmpiW (lpString1="dwm.exe", lpString2="lsass.exe") returned -1 [0069.971] lstrlenW (lpString="lsass.exe") returned 9 [0069.971] lstrcmpiW (lpString1="dwm.exe", lpString2="services.exe") returned -1 [0069.971] lstrlenW (lpString="services.exe") returned 12 [0069.971] lstrcmpiW (lpString1="dwm.exe", lpString2="tasklist.exe") returned -1 [0069.972] lstrlenW (lpString="tasklist.exe") returned 12 [0069.972] lstrcmpiW (lpString1="dwm.exe", lpString2="winlogon.exe") returned -1 [0069.972] lstrlenW (lpString="winlogon.exe") returned 12 [0069.972] lstrcmpiW (lpString1="dwm.exe", lpString2="wmiprvse.exe") returned -1 [0069.972] lstrlenW (lpString="wmiprvse.exe") returned 12 [0069.972] lstrcmpiW (lpString1="dwm.exe", lpString2="msdts.exe") returned -1 [0069.972] lstrlenW (lpString="msdts.exe") returned 9 [0069.972] lstrcmpiW (lpString1="dwm.exe", lpString2="bfsvc.exe") returned 1 [0069.972] lstrlenW (lpString="bfsvc.exe") returned 9 [0069.972] lstrcmpiW (lpString1="dwm.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0069.972] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0069.972] lstrcmpiW (lpString1="dwm.exe", lpString2="alg.exe") returned 1 [0069.972] lstrlenW (lpString="alg.exe") returned 7 [0069.972] lstrcmpiW (lpString1="dwm.exe", lpString2="dwm.exe") returned 0 [0069.972] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.973] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0069.973] lstrlenW (lpString="[System process]") returned 16 [0069.973] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0069.973] lstrlenW (lpString="System") returned 6 [0069.973] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0069.973] lstrlenW (lpString="smss.exe") returned 8 [0069.973] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0069.973] lstrlenW (lpString="dllhost.exe") returned 11 [0069.973] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0069.973] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.974] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0069.974] lstrlenW (lpString="[System process]") returned 16 [0069.974] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0069.974] lstrlenW (lpString="System") returned 6 [0069.974] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0069.974] lstrlenW (lpString="smss.exe") returned 8 [0069.974] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0069.974] lstrlenW (lpString="dllhost.exe") returned 11 [0069.974] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0069.974] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.975] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0069.975] lstrlenW (lpString="[System process]") returned 16 [0069.975] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0069.975] lstrlenW (lpString="System") returned 6 [0069.975] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0069.975] lstrlenW (lpString="smss.exe") returned 8 [0069.975] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0069.975] lstrlenW (lpString="dllhost.exe") returned 11 [0069.975] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0069.975] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.976] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0069.976] lstrlenW (lpString="[System process]") returned 16 [0069.976] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0069.976] lstrlenW (lpString="System") returned 6 [0069.976] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0069.976] lstrlenW (lpString="smss.exe") returned 8 [0069.976] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0069.976] lstrlenW (lpString="dllhost.exe") returned 11 [0069.976] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0069.976] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.977] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0069.977] lstrlenW (lpString="[System process]") returned 16 [0069.977] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0069.977] lstrlenW (lpString="System") returned 6 [0069.977] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0069.977] lstrlenW (lpString="smss.exe") returned 8 [0069.977] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0069.977] lstrlenW (lpString="dllhost.exe") returned 11 [0069.977] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0069.977] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.978] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0069.978] lstrlenW (lpString="[System process]") returned 16 [0069.978] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0069.978] lstrlenW (lpString="System") returned 6 [0069.978] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0069.978] lstrlenW (lpString="smss.exe") returned 8 [0069.978] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0069.978] lstrlenW (lpString="dllhost.exe") returned 11 [0069.978] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0069.978] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0069.979] lstrcmpiW (lpString1="spoolsv.exe", lpString2="[System process]") returned 1 [0069.979] lstrlenW (lpString="[System process]") returned 16 [0069.979] lstrcmpiW (lpString1="spoolsv.exe", lpString2="System") returned -1 [0069.979] lstrlenW (lpString="System") returned 6 [0069.979] lstrcmpiW (lpString1="spoolsv.exe", lpString2="smss.exe") returned 1 [0069.979] lstrlenW (lpString="smss.exe") returned 8 [0069.979] lstrcmpiW (lpString1="spoolsv.exe", lpString2="dllhost.exe") returned 1 [0069.979] lstrlenW (lpString="dllhost.exe") returned 11 [0069.980] lstrcmpiW (lpString1="spoolsv.exe", lpString2="svchost.exe") returned -1 [0069.980] lstrlenW (lpString="svchost.exe") returned 11 [0069.980] lstrcmpiW (lpString1="spoolsv.exe", lpString2="csrss.exe") returned 1 [0069.980] lstrlenW (lpString="csrss.exe") returned 9 [0069.980] lstrcmpiW (lpString1="spoolsv.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0069.980] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0069.980] lstrcmpiW (lpString1="spoolsv.exe", lpString2="WebServices.exe") returned -1 [0069.980] lstrlenW (lpString="WebServices.exe") returned 15 [0069.980] lstrcmpiW (lpString1="spoolsv.exe", lpString2="cmd.exe") returned 1 [0069.980] lstrlenW (lpString="cmd.exe") returned 7 [0069.980] lstrcmpiW (lpString1="spoolsv.exe", lpString2="mstsc.exe") returned 1 [0069.980] lstrlenW (lpString="mstsc.exe") returned 9 [0069.980] lstrcmpiW (lpString1="spoolsv.exe", lpString2="find.exe") returned 1 [0069.980] lstrlenW (lpString="find.exe") returned 8 [0069.980] lstrcmpiW (lpString1="spoolsv.exe", lpString2="conhost.exe") returned 1 [0069.980] lstrlenW (lpString="conhost.exe") returned 11 [0069.980] lstrcmpiW (lpString1="spoolsv.exe", lpString2="explorer.exe") returned 1 [0069.980] lstrlenW (lpString="explorer.exe") returned 12 [0069.980] lstrcmpiW (lpString1="spoolsv.exe", lpString2="ctfmon.exe") returned 1 [0069.980] lstrlenW (lpString="ctfmon.exe") returned 10 [0069.980] lstrcmpiW (lpString1="spoolsv.exe", lpString2="lsass.exe") returned 1 [0069.980] lstrlenW (lpString="lsass.exe") returned 9 [0069.980] lstrcmpiW (lpString1="spoolsv.exe", lpString2="services.exe") returned 1 [0069.980] lstrlenW (lpString="services.exe") returned 12 [0069.980] lstrcmpiW (lpString1="spoolsv.exe", lpString2="tasklist.exe") returned -1 [0069.980] lstrlenW (lpString="tasklist.exe") returned 12 [0069.980] lstrcmpiW (lpString1="spoolsv.exe", lpString2="winlogon.exe") returned -1 [0069.980] lstrlenW (lpString="winlogon.exe") returned 12 [0069.980] lstrcmpiW (lpString1="spoolsv.exe", lpString2="wmiprvse.exe") returned -1 [0069.980] lstrlenW (lpString="wmiprvse.exe") returned 12 [0069.980] lstrcmpiW (lpString1="spoolsv.exe", lpString2="msdts.exe") returned 1 [0069.980] lstrlenW (lpString="msdts.exe") returned 9 [0069.981] lstrcmpiW (lpString1="spoolsv.exe", lpString2="bfsvc.exe") returned 1 [0069.981] lstrlenW (lpString="bfsvc.exe") returned 9 [0069.981] lstrcmpiW (lpString1="spoolsv.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0069.981] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0069.981] lstrcmpiW (lpString1="spoolsv.exe", lpString2="alg.exe") returned 1 [0069.981] lstrlenW (lpString="alg.exe") returned 7 [0069.981] lstrcmpiW (lpString1="spoolsv.exe", lpString2="dwm.exe") returned 1 [0069.981] lstrlenW (lpString="dwm.exe") returned 7 [0069.981] lstrcmpiW (lpString1="spoolsv.exe", lpString2="issch.exe") returned 1 [0069.981] lstrlenW (lpString="issch.exe") returned 9 [0069.981] lstrcmpiW (lpString1="spoolsv.exe", lpString2="rundll32.exe") returned 1 [0069.981] lstrlenW (lpString="rundll32.exe") returned 12 [0069.981] lstrcmpiW (lpString1="spoolsv.exe", lpString2="spoolsv.exe") returned 0 [0069.981] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.982] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0069.982] lstrlenW (lpString="[System process]") returned 16 [0069.982] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0069.982] lstrlenW (lpString="System") returned 6 [0069.982] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0069.982] lstrlenW (lpString="smss.exe") returned 8 [0069.982] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0069.982] lstrlenW (lpString="dllhost.exe") returned 11 [0069.982] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0069.982] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.983] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0069.983] lstrlenW (lpString="[System process]") returned 16 [0069.983] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0069.983] lstrlenW (lpString="System") returned 6 [0069.983] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0069.983] lstrlenW (lpString="smss.exe") returned 8 [0069.983] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0069.983] lstrlenW (lpString="dllhost.exe") returned 11 [0069.983] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0069.983] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.983] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0069.983] lstrlenW (lpString="[System process]") returned 16 [0069.983] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0069.983] lstrlenW (lpString="System") returned 6 [0069.984] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0069.984] lstrlenW (lpString="smss.exe") returned 8 [0069.984] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0069.984] lstrlenW (lpString="dllhost.exe") returned 11 [0069.984] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0069.984] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0069.984] lstrcmpiW (lpString1="sihost.exe", lpString2="[System process]") returned 1 [0069.984] lstrlenW (lpString="[System process]") returned 16 [0069.984] lstrcmpiW (lpString1="sihost.exe", lpString2="System") returned -1 [0069.984] lstrlenW (lpString="System") returned 6 [0069.984] lstrcmpiW (lpString1="sihost.exe", lpString2="smss.exe") returned -1 [0069.984] lstrlenW (lpString="smss.exe") returned 8 [0069.984] lstrcmpiW (lpString1="sihost.exe", lpString2="dllhost.exe") returned 1 [0069.984] lstrlenW (lpString="dllhost.exe") returned 11 [0069.984] lstrcmpiW (lpString1="sihost.exe", lpString2="svchost.exe") returned -1 [0069.985] lstrlenW (lpString="svchost.exe") returned 11 [0069.985] lstrcmpiW (lpString1="sihost.exe", lpString2="csrss.exe") returned 1 [0069.985] lstrlenW (lpString="csrss.exe") returned 9 [0069.985] lstrcmpiW (lpString1="sihost.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0069.985] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0069.985] lstrcmpiW (lpString1="sihost.exe", lpString2="WebServices.exe") returned -1 [0069.985] lstrlenW (lpString="WebServices.exe") returned 15 [0069.985] lstrcmpiW (lpString1="sihost.exe", lpString2="cmd.exe") returned 1 [0069.985] lstrlenW (lpString="cmd.exe") returned 7 [0069.985] lstrcmpiW (lpString1="sihost.exe", lpString2="mstsc.exe") returned 1 [0069.985] lstrlenW (lpString="mstsc.exe") returned 9 [0069.985] lstrcmpiW (lpString1="sihost.exe", lpString2="find.exe") returned 1 [0069.985] lstrlenW (lpString="find.exe") returned 8 [0069.985] lstrcmpiW (lpString1="sihost.exe", lpString2="conhost.exe") returned 1 [0069.985] lstrlenW (lpString="conhost.exe") returned 11 [0069.985] lstrcmpiW (lpString1="sihost.exe", lpString2="explorer.exe") returned 1 [0069.985] lstrlenW (lpString="explorer.exe") returned 12 [0069.985] lstrcmpiW (lpString1="sihost.exe", lpString2="ctfmon.exe") returned 1 [0069.985] lstrlenW (lpString="ctfmon.exe") returned 10 [0069.985] lstrcmpiW (lpString1="sihost.exe", lpString2="lsass.exe") returned 1 [0069.985] lstrlenW (lpString="lsass.exe") returned 9 [0069.985] lstrcmpiW (lpString1="sihost.exe", lpString2="services.exe") returned 1 [0069.985] lstrlenW (lpString="services.exe") returned 12 [0069.985] lstrcmpiW (lpString1="sihost.exe", lpString2="tasklist.exe") returned -1 [0069.985] lstrlenW (lpString="tasklist.exe") returned 12 [0069.985] lstrcmpiW (lpString1="sihost.exe", lpString2="winlogon.exe") returned -1 [0069.985] lstrlenW (lpString="winlogon.exe") returned 12 [0069.985] lstrcmpiW (lpString1="sihost.exe", lpString2="wmiprvse.exe") returned -1 [0069.985] lstrlenW (lpString="wmiprvse.exe") returned 12 [0069.985] lstrcmpiW (lpString1="sihost.exe", lpString2="msdts.exe") returned 1 [0069.985] lstrlenW (lpString="msdts.exe") returned 9 [0069.985] lstrcmpiW (lpString1="sihost.exe", lpString2="bfsvc.exe") returned 1 [0069.985] lstrlenW (lpString="bfsvc.exe") returned 9 [0069.985] lstrcmpiW (lpString1="sihost.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0069.985] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0069.986] lstrcmpiW (lpString1="sihost.exe", lpString2="alg.exe") returned 1 [0069.986] lstrlenW (lpString="alg.exe") returned 7 [0069.986] lstrcmpiW (lpString1="sihost.exe", lpString2="dwm.exe") returned 1 [0069.986] lstrlenW (lpString="dwm.exe") returned 7 [0069.986] lstrcmpiW (lpString1="sihost.exe", lpString2="issch.exe") returned 1 [0069.986] lstrlenW (lpString="issch.exe") returned 9 [0069.986] lstrcmpiW (lpString1="sihost.exe", lpString2="rundll32.exe") returned 1 [0069.986] lstrlenW (lpString="rundll32.exe") returned 12 [0069.986] lstrcmpiW (lpString1="sihost.exe", lpString2="spoolsv.exe") returned -1 [0069.986] lstrlenW (lpString="spoolsv.exe") returned 11 [0069.986] lstrcmpiW (lpString1="sihost.exe", lpString2="wininit.exe") returned -1 [0069.986] lstrlenW (lpString="wininit.exe") returned 11 [0069.986] lstrcmpiW (lpString1="sihost.exe", lpString2="wmiprvse.exe") returned -1 [0069.986] lstrlenW (lpString="wmiprvse.exe") returned 12 [0069.986] lstrcmpiW (lpString1="sihost.exe", lpString2="wudfhost.exe") returned -1 [0069.986] lstrlenW (lpString="wudfhost.exe") returned 12 [0069.986] lstrcmpiW (lpString1="sihost.exe", lpString2="taskmgr.exe") returned -1 [0069.986] lstrlenW (lpString="taskmgr.exe") returned 11 [0069.986] lstrcmpiW (lpString1="sihost.exe", lpString2="rdpclip.exe") returned 1 [0069.986] lstrlenW (lpString="rdpclip.exe") returned 11 [0069.986] lstrcmpiW (lpString1="sihost.exe", lpString2="logonui.exe") returned 1 [0069.986] lstrlenW (lpString="logonui.exe") returned 11 [0069.986] lstrcmpiW (lpString1="sihost.exe", lpString2="lsm.exe") returned 1 [0069.986] lstrlenW (lpString="lsm.exe") returned 7 [0069.986] lstrcmpiW (lpString1="sihost.exe", lpString2="searchui.exe") returned 1 [0069.986] lstrlenW (lpString="searchui.exe") returned 12 [0069.986] lstrcmpiW (lpString1="sihost.exe", lpString2="searchindexer.exe") returned 1 [0069.986] lstrlenW (lpString="searchindexer.exe") returned 17 [0069.986] lstrcmpiW (lpString1="sihost.exe", lpString2="processhacker.exe") returned 1 [0069.986] lstrlenW (lpString="processhacker.exe") returned 17 [0069.986] lstrcmpiW (lpString1="sihost.exe", lpString2="getpassvord_x64.exe") returned 1 [0069.986] lstrlenW (lpString="getpassvord_x64.exe") returned 19 [0069.986] lstrcmpiW (lpString1="sihost.exe", lpString2="64.exe") returned 1 [0069.986] lstrlenW (lpString="64.exe") returned 6 [0069.986] lstrcmpiW (lpString1="sihost.exe", lpString2="32.exe") returned 1 [0069.987] lstrlenW (lpString="32.exe") returned 6 [0069.987] lstrcmpiW (lpString1="sihost.exe", lpString2="mshta.exe") returned 1 [0069.987] lstrlenW (lpString="mshta.exe") returned 9 [0069.987] lstrcmpiW (lpString1="sihost.exe", lpString2="fontdrvhost.exe") returned 1 [0069.987] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0069.987] lstrcmpiW (lpString1="sihost.exe", lpString2="sihost.exe") returned 0 [0069.987] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x31, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0069.987] lstrcmpiW (lpString1="explorer.exe", lpString2="[System process]") returned 1 [0069.987] lstrlenW (lpString="[System process]") returned 16 [0069.987] lstrcmpiW (lpString1="explorer.exe", lpString2="System") returned -1 [0069.987] lstrlenW (lpString="System") returned 6 [0069.987] lstrcmpiW (lpString1="explorer.exe", lpString2="smss.exe") returned -1 [0069.988] lstrlenW (lpString="smss.exe") returned 8 [0069.988] lstrcmpiW (lpString1="explorer.exe", lpString2="dllhost.exe") returned 1 [0069.988] lstrlenW (lpString="dllhost.exe") returned 11 [0069.988] lstrcmpiW (lpString1="explorer.exe", lpString2="svchost.exe") returned -1 [0069.988] lstrlenW (lpString="svchost.exe") returned 11 [0069.988] lstrlenW (lpString="csrss.exe") returned 9 [0069.988] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0069.988] lstrlenW (lpString="WebServices.exe") returned 15 [0069.988] lstrlenW (lpString="cmd.exe") returned 7 [0069.988] lstrlenW (lpString="mstsc.exe") returned 9 [0069.988] lstrlenW (lpString="find.exe") returned 8 [0069.988] lstrlenW (lpString="conhost.exe") returned 11 [0069.988] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0069.989] lstrlenW (lpString="[System process]") returned 16 [0069.989] lstrlenW (lpString="System") returned 6 [0069.989] lstrlenW (lpString="smss.exe") returned 8 [0069.989] lstrlenW (lpString="dllhost.exe") returned 11 [0069.989] lstrlenW (lpString="svchost.exe") returned 11 [0069.989] lstrlenW (lpString="csrss.exe") returned 9 [0069.989] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0069.989] lstrlenW (lpString="WebServices.exe") returned 15 [0069.989] lstrlenW (lpString="cmd.exe") returned 7 [0069.989] lstrlenW (lpString="mstsc.exe") returned 9 [0069.989] lstrlenW (lpString="find.exe") returned 8 [0069.989] lstrlenW (lpString="conhost.exe") returned 11 [0069.989] lstrlenW (lpString="explorer.exe") returned 12 [0069.989] lstrlenW (lpString="ctfmon.exe") returned 10 [0069.989] lstrlenW (lpString="lsass.exe") returned 9 [0069.989] lstrlenW (lpString="services.exe") returned 12 [0069.989] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0069.990] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.991] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="CRYPT.EXE")) returned 1 [0069.991] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.992] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0069.993] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0069.993] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x900) returned 0x228 [0069.993] TerminateProcess (hProcess=0x228, uExitCode=0x0) returned 1 [0069.994] CloseHandle (hObject=0x228) returned 1 [0069.994] Process32NextW (in: hSnapshot=0x224, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 0 [0069.994] CloseHandle (hObject=0x224) returned 1 [0069.994] Sleep (dwMilliseconds=0x3e8) [0071.590] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x22c [0071.593] Process32FirstW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0071.593] lstrcmpiW (lpString1="[System Process]", lpString2="[System process]") returned 0 [0071.593] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x73, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0071.594] lstrcmpiW (lpString1="System", lpString2="[System process]") returned 1 [0071.594] lstrlenW (lpString="[System process]") returned 16 [0071.594] lstrcmpiW (lpString1="System", lpString2="System") returned 0 [0071.594] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0071.595] lstrcmpiW (lpString1="smss.exe", lpString2="[System process]") returned 1 [0071.595] lstrlenW (lpString="[System process]") returned 16 [0071.595] lstrcmpiW (lpString1="smss.exe", lpString2="System") returned -1 [0071.595] lstrlenW (lpString="System") returned 6 [0071.595] lstrcmpiW (lpString1="smss.exe", lpString2="smss.exe") returned 0 [0071.595] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0071.597] lstrcmpiW (lpString1="csrss.exe", lpString2="[System process]") returned 1 [0071.597] lstrlenW (lpString="[System process]") returned 16 [0071.597] lstrcmpiW (lpString1="csrss.exe", lpString2="System") returned -1 [0071.597] lstrlenW (lpString="System") returned 6 [0071.597] lstrcmpiW (lpString1="csrss.exe", lpString2="smss.exe") returned -1 [0071.597] lstrlenW (lpString="smss.exe") returned 8 [0071.597] lstrcmpiW (lpString1="csrss.exe", lpString2="dllhost.exe") returned -1 [0071.597] lstrlenW (lpString="dllhost.exe") returned 11 [0071.597] lstrcmpiW (lpString1="csrss.exe", lpString2="svchost.exe") returned -1 [0071.598] lstrlenW (lpString="svchost.exe") returned 11 [0071.598] lstrcmpiW (lpString1="csrss.exe", lpString2="csrss.exe") returned 0 [0071.598] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0071.598] lstrcmpiW (lpString1="wininit.exe", lpString2="[System process]") returned 1 [0071.598] lstrlenW (lpString="[System process]") returned 16 [0071.598] lstrcmpiW (lpString1="wininit.exe", lpString2="System") returned 1 [0071.598] lstrlenW (lpString="System") returned 6 [0071.598] lstrcmpiW (lpString1="wininit.exe", lpString2="smss.exe") returned 1 [0071.598] lstrlenW (lpString="smss.exe") returned 8 [0071.598] lstrcmpiW (lpString1="wininit.exe", lpString2="dllhost.exe") returned 1 [0071.598] lstrlenW (lpString="dllhost.exe") returned 11 [0071.598] lstrcmpiW (lpString1="wininit.exe", lpString2="svchost.exe") returned 1 [0071.598] lstrlenW (lpString="svchost.exe") returned 11 [0071.598] lstrcmpiW (lpString1="wininit.exe", lpString2="csrss.exe") returned 1 [0071.599] lstrlenW (lpString="csrss.exe") returned 9 [0071.599] lstrcmpiW (lpString1="wininit.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0071.599] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0071.599] lstrcmpiW (lpString1="wininit.exe", lpString2="WebServices.exe") returned 1 [0071.599] lstrlenW (lpString="WebServices.exe") returned 15 [0071.599] lstrcmpiW (lpString1="wininit.exe", lpString2="cmd.exe") returned 1 [0071.599] lstrlenW (lpString="cmd.exe") returned 7 [0071.599] lstrcmpiW (lpString1="wininit.exe", lpString2="mstsc.exe") returned 1 [0071.599] lstrlenW (lpString="mstsc.exe") returned 9 [0071.599] lstrcmpiW (lpString1="wininit.exe", lpString2="find.exe") returned 1 [0071.599] lstrlenW (lpString="find.exe") returned 8 [0071.599] lstrcmpiW (lpString1="wininit.exe", lpString2="conhost.exe") returned 1 [0071.599] lstrlenW (lpString="conhost.exe") returned 11 [0071.599] lstrcmpiW (lpString1="wininit.exe", lpString2="explorer.exe") returned 1 [0071.599] lstrlenW (lpString="explorer.exe") returned 12 [0071.599] lstrcmpiW (lpString1="wininit.exe", lpString2="ctfmon.exe") returned 1 [0071.599] lstrlenW (lpString="ctfmon.exe") returned 10 [0071.599] lstrcmpiW (lpString1="wininit.exe", lpString2="lsass.exe") returned 1 [0071.599] lstrlenW (lpString="lsass.exe") returned 9 [0071.599] lstrcmpiW (lpString1="wininit.exe", lpString2="services.exe") returned 1 [0071.599] lstrlenW (lpString="services.exe") returned 12 [0071.599] lstrcmpiW (lpString1="wininit.exe", lpString2="tasklist.exe") returned 1 [0071.599] lstrlenW (lpString="tasklist.exe") returned 12 [0071.599] lstrcmpiW (lpString1="wininit.exe", lpString2="winlogon.exe") returned -1 [0071.599] lstrlenW (lpString="winlogon.exe") returned 12 [0071.599] lstrcmpiW (lpString1="wininit.exe", lpString2="wmiprvse.exe") returned -1 [0071.599] lstrlenW (lpString="wmiprvse.exe") returned 12 [0071.599] lstrcmpiW (lpString1="wininit.exe", lpString2="msdts.exe") returned 1 [0071.599] lstrlenW (lpString="msdts.exe") returned 9 [0071.599] lstrcmpiW (lpString1="wininit.exe", lpString2="bfsvc.exe") returned 1 [0071.599] lstrlenW (lpString="bfsvc.exe") returned 9 [0071.599] lstrcmpiW (lpString1="wininit.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0071.599] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0071.599] lstrcmpiW (lpString1="wininit.exe", lpString2="alg.exe") returned 1 [0071.599] lstrlenW (lpString="alg.exe") returned 7 [0071.599] lstrcmpiW (lpString1="wininit.exe", lpString2="dwm.exe") returned 1 [0071.599] lstrlenW (lpString="dwm.exe") returned 7 [0071.600] lstrcmpiW (lpString1="wininit.exe", lpString2="issch.exe") returned 1 [0071.600] lstrlenW (lpString="issch.exe") returned 9 [0071.600] lstrcmpiW (lpString1="wininit.exe", lpString2="rundll32.exe") returned 1 [0071.600] lstrlenW (lpString="rundll32.exe") returned 12 [0071.600] lstrcmpiW (lpString1="wininit.exe", lpString2="spoolsv.exe") returned 1 [0071.600] lstrlenW (lpString="spoolsv.exe") returned 11 [0071.600] lstrcmpiW (lpString1="wininit.exe", lpString2="wininit.exe") returned 0 [0071.600] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0071.600] lstrcmpiW (lpString1="csrss.exe", lpString2="[System process]") returned 1 [0071.600] lstrlenW (lpString="[System process]") returned 16 [0071.600] lstrcmpiW (lpString1="csrss.exe", lpString2="System") returned -1 [0071.600] lstrlenW (lpString="System") returned 6 [0071.600] lstrcmpiW (lpString1="csrss.exe", lpString2="smss.exe") returned -1 [0071.600] lstrlenW (lpString="smss.exe") returned 8 [0071.601] lstrcmpiW (lpString1="csrss.exe", lpString2="dllhost.exe") returned -1 [0071.601] lstrlenW (lpString="dllhost.exe") returned 11 [0071.601] lstrcmpiW (lpString1="csrss.exe", lpString2="svchost.exe") returned -1 [0071.601] lstrlenW (lpString="svchost.exe") returned 11 [0071.601] lstrcmpiW (lpString1="csrss.exe", lpString2="csrss.exe") returned 0 [0071.601] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0071.601] lstrcmpiW (lpString1="winlogon.exe", lpString2="[System process]") returned 1 [0071.601] lstrlenW (lpString="[System process]") returned 16 [0071.601] lstrcmpiW (lpString1="winlogon.exe", lpString2="System") returned 1 [0071.601] lstrlenW (lpString="System") returned 6 [0071.601] lstrcmpiW (lpString1="winlogon.exe", lpString2="smss.exe") returned 1 [0071.601] lstrlenW (lpString="smss.exe") returned 8 [0071.602] lstrcmpiW (lpString1="winlogon.exe", lpString2="dllhost.exe") returned 1 [0071.602] lstrlenW (lpString="dllhost.exe") returned 11 [0071.602] lstrcmpiW (lpString1="winlogon.exe", lpString2="svchost.exe") returned 1 [0071.602] lstrlenW (lpString="svchost.exe") returned 11 [0071.602] lstrcmpiW (lpString1="winlogon.exe", lpString2="csrss.exe") returned 1 [0071.602] lstrlenW (lpString="csrss.exe") returned 9 [0071.602] lstrcmpiW (lpString1="winlogon.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0071.602] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0071.602] lstrcmpiW (lpString1="winlogon.exe", lpString2="WebServices.exe") returned 1 [0071.602] lstrlenW (lpString="WebServices.exe") returned 15 [0071.602] lstrcmpiW (lpString1="winlogon.exe", lpString2="cmd.exe") returned 1 [0071.602] lstrlenW (lpString="cmd.exe") returned 7 [0071.602] lstrcmpiW (lpString1="winlogon.exe", lpString2="mstsc.exe") returned 1 [0071.602] lstrlenW (lpString="mstsc.exe") returned 9 [0071.602] lstrcmpiW (lpString1="winlogon.exe", lpString2="find.exe") returned 1 [0071.602] lstrlenW (lpString="find.exe") returned 8 [0071.602] lstrcmpiW (lpString1="winlogon.exe", lpString2="conhost.exe") returned 1 [0071.602] lstrlenW (lpString="conhost.exe") returned 11 [0071.602] lstrcmpiW (lpString1="winlogon.exe", lpString2="explorer.exe") returned 1 [0071.602] lstrlenW (lpString="explorer.exe") returned 12 [0071.602] lstrcmpiW (lpString1="winlogon.exe", lpString2="ctfmon.exe") returned 1 [0071.602] lstrlenW (lpString="ctfmon.exe") returned 10 [0071.602] lstrcmpiW (lpString1="winlogon.exe", lpString2="lsass.exe") returned 1 [0071.602] lstrlenW (lpString="lsass.exe") returned 9 [0071.602] lstrcmpiW (lpString1="winlogon.exe", lpString2="services.exe") returned 1 [0071.602] lstrlenW (lpString="services.exe") returned 12 [0071.602] lstrcmpiW (lpString1="winlogon.exe", lpString2="tasklist.exe") returned 1 [0071.602] lstrlenW (lpString="tasklist.exe") returned 12 [0071.602] lstrcmpiW (lpString1="winlogon.exe", lpString2="winlogon.exe") returned 0 [0071.602] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0071.603] lstrcmpiW (lpString1="services.exe", lpString2="[System process]") returned 1 [0071.603] lstrlenW (lpString="[System process]") returned 16 [0071.603] lstrcmpiW (lpString1="services.exe", lpString2="System") returned -1 [0071.603] lstrlenW (lpString="System") returned 6 [0071.603] lstrcmpiW (lpString1="services.exe", lpString2="smss.exe") returned -1 [0071.603] lstrlenW (lpString="smss.exe") returned 8 [0071.603] lstrcmpiW (lpString1="services.exe", lpString2="dllhost.exe") returned 1 [0071.603] lstrlenW (lpString="dllhost.exe") returned 11 [0071.603] lstrcmpiW (lpString1="services.exe", lpString2="svchost.exe") returned -1 [0071.603] lstrlenW (lpString="svchost.exe") returned 11 [0071.603] lstrcmpiW (lpString1="services.exe", lpString2="csrss.exe") returned 1 [0071.603] lstrlenW (lpString="csrss.exe") returned 9 [0071.603] lstrcmpiW (lpString1="services.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0071.603] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0071.603] lstrcmpiW (lpString1="services.exe", lpString2="WebServices.exe") returned -1 [0071.603] lstrlenW (lpString="WebServices.exe") returned 15 [0071.603] lstrcmpiW (lpString1="services.exe", lpString2="cmd.exe") returned 1 [0071.603] lstrlenW (lpString="cmd.exe") returned 7 [0071.603] lstrcmpiW (lpString1="services.exe", lpString2="mstsc.exe") returned 1 [0071.603] lstrlenW (lpString="mstsc.exe") returned 9 [0071.603] lstrcmpiW (lpString1="services.exe", lpString2="find.exe") returned 1 [0071.604] lstrlenW (lpString="find.exe") returned 8 [0071.604] lstrcmpiW (lpString1="services.exe", lpString2="conhost.exe") returned 1 [0071.604] lstrlenW (lpString="conhost.exe") returned 11 [0071.604] lstrcmpiW (lpString1="services.exe", lpString2="explorer.exe") returned 1 [0071.604] lstrlenW (lpString="explorer.exe") returned 12 [0071.604] lstrcmpiW (lpString1="services.exe", lpString2="ctfmon.exe") returned 1 [0071.604] lstrlenW (lpString="ctfmon.exe") returned 10 [0071.604] lstrcmpiW (lpString1="services.exe", lpString2="lsass.exe") returned 1 [0071.604] lstrlenW (lpString="lsass.exe") returned 9 [0071.604] lstrcmpiW (lpString1="services.exe", lpString2="services.exe") returned 0 [0071.604] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0071.604] lstrcmpiW (lpString1="lsass.exe", lpString2="[System process]") returned 1 [0071.604] lstrlenW (lpString="[System process]") returned 16 [0071.604] lstrcmpiW (lpString1="lsass.exe", lpString2="System") returned -1 [0071.604] lstrlenW (lpString="System") returned 6 [0071.604] lstrcmpiW (lpString1="lsass.exe", lpString2="smss.exe") returned -1 [0071.604] lstrlenW (lpString="smss.exe") returned 8 [0071.604] lstrcmpiW (lpString1="lsass.exe", lpString2="dllhost.exe") returned 1 [0071.605] lstrlenW (lpString="dllhost.exe") returned 11 [0071.605] lstrcmpiW (lpString1="lsass.exe", lpString2="svchost.exe") returned -1 [0071.605] lstrlenW (lpString="svchost.exe") returned 11 [0071.605] lstrcmpiW (lpString1="lsass.exe", lpString2="csrss.exe") returned 1 [0071.605] lstrlenW (lpString="csrss.exe") returned 9 [0071.605] lstrcmpiW (lpString1="lsass.exe", lpString2="Microsoft.ActiveDirectory") returned -1 [0071.605] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0071.605] lstrcmpiW (lpString1="lsass.exe", lpString2="WebServices.exe") returned -1 [0071.605] lstrlenW (lpString="WebServices.exe") returned 15 [0071.605] lstrcmpiW (lpString1="lsass.exe", lpString2="cmd.exe") returned 1 [0071.605] lstrlenW (lpString="cmd.exe") returned 7 [0071.605] lstrcmpiW (lpString1="lsass.exe", lpString2="mstsc.exe") returned -1 [0071.605] lstrlenW (lpString="mstsc.exe") returned 9 [0071.605] lstrcmpiW (lpString1="lsass.exe", lpString2="find.exe") returned 1 [0071.605] lstrlenW (lpString="find.exe") returned 8 [0071.605] lstrcmpiW (lpString1="lsass.exe", lpString2="conhost.exe") returned 1 [0071.605] lstrlenW (lpString="conhost.exe") returned 11 [0071.605] lstrcmpiW (lpString1="lsass.exe", lpString2="explorer.exe") returned 1 [0071.605] lstrlenW (lpString="explorer.exe") returned 12 [0071.605] lstrcmpiW (lpString1="lsass.exe", lpString2="ctfmon.exe") returned 1 [0071.605] lstrlenW (lpString="ctfmon.exe") returned 10 [0071.605] lstrcmpiW (lpString1="lsass.exe", lpString2="lsass.exe") returned 0 [0071.605] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.606] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0071.606] lstrlenW (lpString="[System process]") returned 16 [0071.606] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0071.606] lstrlenW (lpString="System") returned 6 [0071.606] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0071.606] lstrlenW (lpString="smss.exe") returned 8 [0071.606] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0071.606] lstrlenW (lpString="dllhost.exe") returned 11 [0071.606] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0071.606] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.607] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0071.607] lstrlenW (lpString="[System process]") returned 16 [0071.607] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0071.607] lstrlenW (lpString="System") returned 6 [0071.607] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0071.607] lstrlenW (lpString="smss.exe") returned 8 [0071.607] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0071.607] lstrlenW (lpString="dllhost.exe") returned 11 [0071.607] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0071.607] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0071.607] lstrcmpiW (lpString1="dwm.exe", lpString2="[System process]") returned 1 [0071.607] lstrlenW (lpString="[System process]") returned 16 [0071.607] lstrcmpiW (lpString1="dwm.exe", lpString2="System") returned -1 [0071.607] lstrlenW (lpString="System") returned 6 [0071.607] lstrcmpiW (lpString1="dwm.exe", lpString2="smss.exe") returned -1 [0071.607] lstrlenW (lpString="smss.exe") returned 8 [0071.607] lstrcmpiW (lpString1="dwm.exe", lpString2="dllhost.exe") returned 1 [0071.608] lstrlenW (lpString="dllhost.exe") returned 11 [0071.608] lstrcmpiW (lpString1="dwm.exe", lpString2="svchost.exe") returned -1 [0071.608] lstrlenW (lpString="svchost.exe") returned 11 [0071.608] lstrcmpiW (lpString1="dwm.exe", lpString2="csrss.exe") returned 1 [0071.608] lstrlenW (lpString="csrss.exe") returned 9 [0071.608] lstrcmpiW (lpString1="dwm.exe", lpString2="Microsoft.ActiveDirectory") returned -1 [0071.608] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0071.608] lstrcmpiW (lpString1="dwm.exe", lpString2="WebServices.exe") returned -1 [0071.608] lstrlenW (lpString="WebServices.exe") returned 15 [0071.608] lstrcmpiW (lpString1="dwm.exe", lpString2="cmd.exe") returned 1 [0071.608] lstrlenW (lpString="cmd.exe") returned 7 [0071.608] lstrcmpiW (lpString1="dwm.exe", lpString2="mstsc.exe") returned -1 [0071.608] lstrlenW (lpString="mstsc.exe") returned 9 [0071.608] lstrcmpiW (lpString1="dwm.exe", lpString2="find.exe") returned -1 [0071.608] lstrlenW (lpString="find.exe") returned 8 [0071.608] lstrcmpiW (lpString1="dwm.exe", lpString2="conhost.exe") returned 1 [0071.608] lstrlenW (lpString="conhost.exe") returned 11 [0071.608] lstrcmpiW (lpString1="dwm.exe", lpString2="explorer.exe") returned -1 [0071.608] lstrlenW (lpString="explorer.exe") returned 12 [0071.608] lstrcmpiW (lpString1="dwm.exe", lpString2="ctfmon.exe") returned 1 [0071.608] lstrlenW (lpString="ctfmon.exe") returned 10 [0071.608] lstrcmpiW (lpString1="dwm.exe", lpString2="lsass.exe") returned -1 [0071.608] lstrlenW (lpString="lsass.exe") returned 9 [0071.608] lstrcmpiW (lpString1="dwm.exe", lpString2="services.exe") returned -1 [0071.608] lstrlenW (lpString="services.exe") returned 12 [0071.608] lstrcmpiW (lpString1="dwm.exe", lpString2="tasklist.exe") returned -1 [0071.608] lstrlenW (lpString="tasklist.exe") returned 12 [0071.608] lstrcmpiW (lpString1="dwm.exe", lpString2="winlogon.exe") returned -1 [0071.608] lstrlenW (lpString="winlogon.exe") returned 12 [0071.608] lstrcmpiW (lpString1="dwm.exe", lpString2="wmiprvse.exe") returned -1 [0071.608] lstrlenW (lpString="wmiprvse.exe") returned 12 [0071.608] lstrcmpiW (lpString1="dwm.exe", lpString2="msdts.exe") returned -1 [0071.609] lstrlenW (lpString="msdts.exe") returned 9 [0071.609] lstrcmpiW (lpString1="dwm.exe", lpString2="bfsvc.exe") returned 1 [0071.609] lstrlenW (lpString="bfsvc.exe") returned 9 [0071.609] lstrcmpiW (lpString1="dwm.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0071.609] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0071.609] lstrcmpiW (lpString1="dwm.exe", lpString2="alg.exe") returned 1 [0071.609] lstrlenW (lpString="alg.exe") returned 7 [0071.609] lstrcmpiW (lpString1="dwm.exe", lpString2="dwm.exe") returned 0 [0071.609] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.609] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0071.609] lstrlenW (lpString="[System process]") returned 16 [0071.609] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0071.609] lstrlenW (lpString="System") returned 6 [0071.609] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0071.609] lstrlenW (lpString="smss.exe") returned 8 [0071.609] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0071.609] lstrlenW (lpString="dllhost.exe") returned 11 [0071.610] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0071.610] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.610] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0071.610] lstrlenW (lpString="[System process]") returned 16 [0071.610] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0071.610] lstrlenW (lpString="System") returned 6 [0071.610] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0071.610] lstrlenW (lpString="smss.exe") returned 8 [0071.610] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0071.610] lstrlenW (lpString="dllhost.exe") returned 11 [0071.610] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0071.610] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.611] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0071.611] lstrlenW (lpString="[System process]") returned 16 [0071.611] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0071.611] lstrlenW (lpString="System") returned 6 [0071.611] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0071.611] lstrlenW (lpString="smss.exe") returned 8 [0071.611] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0071.611] lstrlenW (lpString="dllhost.exe") returned 11 [0071.611] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0071.611] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.612] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0071.612] lstrlenW (lpString="[System process]") returned 16 [0071.612] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0071.612] lstrlenW (lpString="System") returned 6 [0071.612] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0071.612] lstrlenW (lpString="smss.exe") returned 8 [0071.612] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0071.612] lstrlenW (lpString="dllhost.exe") returned 11 [0071.612] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0071.612] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.612] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0071.613] lstrlenW (lpString="[System process]") returned 16 [0071.613] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0071.613] lstrlenW (lpString="System") returned 6 [0071.613] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0071.613] lstrlenW (lpString="smss.exe") returned 8 [0071.613] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0071.613] lstrlenW (lpString="dllhost.exe") returned 11 [0071.613] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0071.613] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.614] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0071.614] lstrlenW (lpString="[System process]") returned 16 [0071.614] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0071.614] lstrlenW (lpString="System") returned 6 [0071.614] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0071.614] lstrlenW (lpString="smss.exe") returned 8 [0071.614] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0071.614] lstrlenW (lpString="dllhost.exe") returned 11 [0071.614] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0071.614] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0071.615] lstrcmpiW (lpString1="spoolsv.exe", lpString2="[System process]") returned 1 [0071.615] lstrlenW (lpString="[System process]") returned 16 [0071.615] lstrcmpiW (lpString1="spoolsv.exe", lpString2="System") returned -1 [0071.615] lstrlenW (lpString="System") returned 6 [0071.615] lstrcmpiW (lpString1="spoolsv.exe", lpString2="smss.exe") returned 1 [0071.615] lstrlenW (lpString="smss.exe") returned 8 [0071.615] lstrcmpiW (lpString1="spoolsv.exe", lpString2="dllhost.exe") returned 1 [0071.615] lstrlenW (lpString="dllhost.exe") returned 11 [0071.615] lstrcmpiW (lpString1="spoolsv.exe", lpString2="svchost.exe") returned -1 [0071.615] lstrlenW (lpString="svchost.exe") returned 11 [0071.615] lstrcmpiW (lpString1="spoolsv.exe", lpString2="csrss.exe") returned 1 [0071.615] lstrlenW (lpString="csrss.exe") returned 9 [0071.615] lstrcmpiW (lpString1="spoolsv.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0071.615] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0071.615] lstrcmpiW (lpString1="spoolsv.exe", lpString2="WebServices.exe") returned -1 [0071.615] lstrlenW (lpString="WebServices.exe") returned 15 [0071.615] lstrcmpiW (lpString1="spoolsv.exe", lpString2="cmd.exe") returned 1 [0071.615] lstrlenW (lpString="cmd.exe") returned 7 [0071.615] lstrcmpiW (lpString1="spoolsv.exe", lpString2="mstsc.exe") returned 1 [0071.615] lstrlenW (lpString="mstsc.exe") returned 9 [0071.615] lstrcmpiW (lpString1="spoolsv.exe", lpString2="find.exe") returned 1 [0071.615] lstrlenW (lpString="find.exe") returned 8 [0071.615] lstrcmpiW (lpString1="spoolsv.exe", lpString2="conhost.exe") returned 1 [0071.615] lstrlenW (lpString="conhost.exe") returned 11 [0071.615] lstrcmpiW (lpString1="spoolsv.exe", lpString2="explorer.exe") returned 1 [0071.615] lstrlenW (lpString="explorer.exe") returned 12 [0071.615] lstrcmpiW (lpString1="spoolsv.exe", lpString2="ctfmon.exe") returned 1 [0071.615] lstrlenW (lpString="ctfmon.exe") returned 10 [0071.615] lstrcmpiW (lpString1="spoolsv.exe", lpString2="lsass.exe") returned 1 [0071.615] lstrlenW (lpString="lsass.exe") returned 9 [0071.615] lstrcmpiW (lpString1="spoolsv.exe", lpString2="services.exe") returned 1 [0071.616] lstrlenW (lpString="services.exe") returned 12 [0071.616] lstrcmpiW (lpString1="spoolsv.exe", lpString2="tasklist.exe") returned -1 [0071.616] lstrlenW (lpString="tasklist.exe") returned 12 [0071.616] lstrcmpiW (lpString1="spoolsv.exe", lpString2="winlogon.exe") returned -1 [0071.616] lstrlenW (lpString="winlogon.exe") returned 12 [0071.616] lstrcmpiW (lpString1="spoolsv.exe", lpString2="wmiprvse.exe") returned -1 [0071.616] lstrlenW (lpString="wmiprvse.exe") returned 12 [0071.616] lstrcmpiW (lpString1="spoolsv.exe", lpString2="msdts.exe") returned 1 [0071.616] lstrlenW (lpString="msdts.exe") returned 9 [0071.616] lstrcmpiW (lpString1="spoolsv.exe", lpString2="bfsvc.exe") returned 1 [0071.616] lstrlenW (lpString="bfsvc.exe") returned 9 [0071.616] lstrcmpiW (lpString1="spoolsv.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0071.616] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0071.616] lstrcmpiW (lpString1="spoolsv.exe", lpString2="alg.exe") returned 1 [0071.616] lstrlenW (lpString="alg.exe") returned 7 [0071.616] lstrcmpiW (lpString1="spoolsv.exe", lpString2="dwm.exe") returned 1 [0071.616] lstrlenW (lpString="dwm.exe") returned 7 [0071.616] lstrcmpiW (lpString1="spoolsv.exe", lpString2="issch.exe") returned 1 [0071.616] lstrlenW (lpString="issch.exe") returned 9 [0071.616] lstrcmpiW (lpString1="spoolsv.exe", lpString2="rundll32.exe") returned 1 [0071.616] lstrlenW (lpString="rundll32.exe") returned 12 [0071.616] lstrcmpiW (lpString1="spoolsv.exe", lpString2="spoolsv.exe") returned 0 [0071.616] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.617] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0071.617] lstrlenW (lpString="[System process]") returned 16 [0071.617] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0071.617] lstrlenW (lpString="System") returned 6 [0071.617] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0071.617] lstrlenW (lpString="smss.exe") returned 8 [0071.617] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0071.617] lstrlenW (lpString="dllhost.exe") returned 11 [0071.617] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0071.617] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.618] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0071.618] lstrlenW (lpString="[System process]") returned 16 [0071.618] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0071.618] lstrlenW (lpString="System") returned 6 [0071.618] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0071.618] lstrlenW (lpString="smss.exe") returned 8 [0071.618] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0071.618] lstrlenW (lpString="dllhost.exe") returned 11 [0071.618] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0071.618] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.618] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0071.618] lstrlenW (lpString="[System process]") returned 16 [0071.618] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0071.618] lstrlenW (lpString="System") returned 6 [0071.618] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0071.618] lstrlenW (lpString="smss.exe") returned 8 [0071.619] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0071.619] lstrlenW (lpString="dllhost.exe") returned 11 [0071.619] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0071.619] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0071.619] lstrcmpiW (lpString1="sihost.exe", lpString2="[System process]") returned 1 [0071.619] lstrlenW (lpString="[System process]") returned 16 [0071.619] lstrcmpiW (lpString1="sihost.exe", lpString2="System") returned -1 [0071.619] lstrlenW (lpString="System") returned 6 [0071.619] lstrcmpiW (lpString1="sihost.exe", lpString2="smss.exe") returned -1 [0071.619] lstrlenW (lpString="smss.exe") returned 8 [0071.619] lstrcmpiW (lpString1="sihost.exe", lpString2="dllhost.exe") returned 1 [0071.619] lstrlenW (lpString="dllhost.exe") returned 11 [0071.619] lstrcmpiW (lpString1="sihost.exe", lpString2="svchost.exe") returned -1 [0071.619] lstrlenW (lpString="svchost.exe") returned 11 [0071.619] lstrcmpiW (lpString1="sihost.exe", lpString2="csrss.exe") returned 1 [0071.619] lstrlenW (lpString="csrss.exe") returned 9 [0071.619] lstrcmpiW (lpString1="sihost.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0071.620] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0071.620] lstrcmpiW (lpString1="sihost.exe", lpString2="WebServices.exe") returned -1 [0071.620] lstrlenW (lpString="WebServices.exe") returned 15 [0071.620] lstrcmpiW (lpString1="sihost.exe", lpString2="cmd.exe") returned 1 [0071.620] lstrlenW (lpString="cmd.exe") returned 7 [0071.620] lstrcmpiW (lpString1="sihost.exe", lpString2="mstsc.exe") returned 1 [0071.620] lstrlenW (lpString="mstsc.exe") returned 9 [0071.620] lstrcmpiW (lpString1="sihost.exe", lpString2="find.exe") returned 1 [0071.620] lstrlenW (lpString="find.exe") returned 8 [0071.620] lstrcmpiW (lpString1="sihost.exe", lpString2="conhost.exe") returned 1 [0071.620] lstrlenW (lpString="conhost.exe") returned 11 [0071.620] lstrcmpiW (lpString1="sihost.exe", lpString2="explorer.exe") returned 1 [0071.620] lstrlenW (lpString="explorer.exe") returned 12 [0071.620] lstrcmpiW (lpString1="sihost.exe", lpString2="ctfmon.exe") returned 1 [0071.620] lstrlenW (lpString="ctfmon.exe") returned 10 [0071.620] lstrcmpiW (lpString1="sihost.exe", lpString2="lsass.exe") returned 1 [0071.620] lstrlenW (lpString="lsass.exe") returned 9 [0071.620] lstrcmpiW (lpString1="sihost.exe", lpString2="services.exe") returned 1 [0071.620] lstrlenW (lpString="services.exe") returned 12 [0071.620] lstrcmpiW (lpString1="sihost.exe", lpString2="tasklist.exe") returned -1 [0071.620] lstrlenW (lpString="tasklist.exe") returned 12 [0071.620] lstrcmpiW (lpString1="sihost.exe", lpString2="winlogon.exe") returned -1 [0071.620] lstrlenW (lpString="winlogon.exe") returned 12 [0071.620] lstrcmpiW (lpString1="sihost.exe", lpString2="wmiprvse.exe") returned -1 [0071.620] lstrlenW (lpString="wmiprvse.exe") returned 12 [0071.620] lstrcmpiW (lpString1="sihost.exe", lpString2="msdts.exe") returned 1 [0071.620] lstrlenW (lpString="msdts.exe") returned 9 [0071.620] lstrcmpiW (lpString1="sihost.exe", lpString2="bfsvc.exe") returned 1 [0071.620] lstrlenW (lpString="bfsvc.exe") returned 9 [0071.620] lstrcmpiW (lpString1="sihost.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0071.620] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0071.620] lstrcmpiW (lpString1="sihost.exe", lpString2="alg.exe") returned 1 [0071.620] lstrlenW (lpString="alg.exe") returned 7 [0071.620] lstrcmpiW (lpString1="sihost.exe", lpString2="dwm.exe") returned 1 [0071.620] lstrlenW (lpString="dwm.exe") returned 7 [0071.620] lstrcmpiW (lpString1="sihost.exe", lpString2="issch.exe") returned 1 [0071.621] lstrlenW (lpString="issch.exe") returned 9 [0071.621] lstrcmpiW (lpString1="sihost.exe", lpString2="rundll32.exe") returned 1 [0071.621] lstrlenW (lpString="rundll32.exe") returned 12 [0071.621] lstrcmpiW (lpString1="sihost.exe", lpString2="spoolsv.exe") returned -1 [0071.621] lstrlenW (lpString="spoolsv.exe") returned 11 [0071.621] lstrcmpiW (lpString1="sihost.exe", lpString2="wininit.exe") returned -1 [0071.621] lstrlenW (lpString="wininit.exe") returned 11 [0071.621] lstrcmpiW (lpString1="sihost.exe", lpString2="wmiprvse.exe") returned -1 [0071.621] lstrlenW (lpString="wmiprvse.exe") returned 12 [0071.621] lstrcmpiW (lpString1="sihost.exe", lpString2="wudfhost.exe") returned -1 [0071.621] lstrlenW (lpString="wudfhost.exe") returned 12 [0071.621] lstrcmpiW (lpString1="sihost.exe", lpString2="taskmgr.exe") returned -1 [0071.621] lstrlenW (lpString="taskmgr.exe") returned 11 [0071.621] lstrcmpiW (lpString1="sihost.exe", lpString2="rdpclip.exe") returned 1 [0071.621] lstrlenW (lpString="rdpclip.exe") returned 11 [0071.621] lstrcmpiW (lpString1="sihost.exe", lpString2="logonui.exe") returned 1 [0071.621] lstrlenW (lpString="logonui.exe") returned 11 [0071.621] lstrcmpiW (lpString1="sihost.exe", lpString2="lsm.exe") returned 1 [0071.621] lstrlenW (lpString="lsm.exe") returned 7 [0071.621] lstrcmpiW (lpString1="sihost.exe", lpString2="searchui.exe") returned 1 [0071.621] lstrlenW (lpString="searchui.exe") returned 12 [0071.621] lstrcmpiW (lpString1="sihost.exe", lpString2="searchindexer.exe") returned 1 [0071.621] lstrlenW (lpString="searchindexer.exe") returned 17 [0071.621] lstrcmpiW (lpString1="sihost.exe", lpString2="processhacker.exe") returned 1 [0071.621] lstrlenW (lpString="processhacker.exe") returned 17 [0071.621] lstrcmpiW (lpString1="sihost.exe", lpString2="getpassvord_x64.exe") returned 1 [0071.621] lstrlenW (lpString="getpassvord_x64.exe") returned 19 [0071.621] lstrcmpiW (lpString1="sihost.exe", lpString2="64.exe") returned 1 [0071.621] lstrlenW (lpString="64.exe") returned 6 [0071.621] lstrcmpiW (lpString1="sihost.exe", lpString2="32.exe") returned 1 [0071.621] lstrlenW (lpString="32.exe") returned 6 [0071.621] lstrcmpiW (lpString1="sihost.exe", lpString2="mshta.exe") returned 1 [0071.621] lstrlenW (lpString="mshta.exe") returned 9 [0071.622] lstrcmpiW (lpString1="sihost.exe", lpString2="fontdrvhost.exe") returned 1 [0071.622] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0071.622] lstrcmpiW (lpString1="sihost.exe", lpString2="sihost.exe") returned 0 [0071.622] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x34, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0071.622] lstrcmpiW (lpString1="explorer.exe", lpString2="[System process]") returned 1 [0071.622] lstrlenW (lpString="[System process]") returned 16 [0071.622] lstrcmpiW (lpString1="explorer.exe", lpString2="System") returned -1 [0071.622] lstrlenW (lpString="System") returned 6 [0071.622] lstrcmpiW (lpString1="explorer.exe", lpString2="smss.exe") returned -1 [0071.622] lstrlenW (lpString="smss.exe") returned 8 [0071.622] lstrcmpiW (lpString1="explorer.exe", lpString2="dllhost.exe") returned 1 [0071.622] lstrlenW (lpString="dllhost.exe") returned 11 [0071.622] lstrcmpiW (lpString1="explorer.exe", lpString2="svchost.exe") returned -1 [0071.622] lstrlenW (lpString="svchost.exe") returned 11 [0071.623] lstrlenW (lpString="csrss.exe") returned 9 [0071.623] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0071.623] lstrlenW (lpString="WebServices.exe") returned 15 [0071.623] lstrlenW (lpString="cmd.exe") returned 7 [0071.623] lstrlenW (lpString="mstsc.exe") returned 9 [0071.623] lstrlenW (lpString="find.exe") returned 8 [0071.623] lstrlenW (lpString="conhost.exe") returned 11 [0071.623] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0071.623] lstrlenW (lpString="[System process]") returned 16 [0071.623] lstrlenW (lpString="System") returned 6 [0071.624] lstrlenW (lpString="smss.exe") returned 8 [0071.624] lstrlenW (lpString="dllhost.exe") returned 11 [0071.624] lstrlenW (lpString="svchost.exe") returned 11 [0071.624] lstrlenW (lpString="csrss.exe") returned 9 [0071.624] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0071.624] lstrlenW (lpString="WebServices.exe") returned 15 [0071.625] lstrlenW (lpString="cmd.exe") returned 7 [0071.625] lstrlenW (lpString="mstsc.exe") returned 9 [0071.625] lstrlenW (lpString="find.exe") returned 8 [0071.625] lstrlenW (lpString="conhost.exe") returned 11 [0071.625] lstrlenW (lpString="explorer.exe") returned 12 [0071.625] lstrlenW (lpString="ctfmon.exe") returned 10 [0071.625] lstrlenW (lpString="lsass.exe") returned 9 [0071.626] lstrlenW (lpString="services.exe") returned 12 [0071.626] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0071.626] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.627] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="CRYPT.EXE")) returned 1 [0071.627] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.628] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0072.228] Process32NextW (in: hSnapshot=0x22c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0072.229] CloseHandle (hObject=0x22c) returned 1 [0072.229] Sleep (dwMilliseconds=0x3e8) [0073.271] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x26c [0073.275] Process32FirstW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0073.276] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0073.276] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0073.277] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0073.277] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0073.278] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0073.279] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0073.279] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0073.280] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0073.280] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.280] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.281] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0073.281] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.282] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.282] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.283] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.283] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.284] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.285] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0073.285] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.286] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.286] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.287] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0073.287] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x33, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0073.288] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0073.288] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0073.289] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.289] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="CRYPT.EXE")) returned 1 [0073.290] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.291] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0073.291] Process32NextW (in: hSnapshot=0x26c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0073.292] CloseHandle (hObject=0x26c) returned 1 [0073.292] Sleep (dwMilliseconds=0x3e8) [0074.350] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2ec [0074.354] Process32FirstW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0074.355] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0074.356] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0074.357] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0074.357] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0074.358] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0074.359] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0074.360] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0074.360] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0074.361] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0074.361] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0074.362] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0074.363] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4b, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0074.363] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0074.364] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0074.365] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0074.366] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0074.366] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0074.367] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0074.367] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0074.368] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0074.368] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0074.369] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0074.370] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x33, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0074.370] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0074.371] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0074.372] lstrcmpiW (lpString1="dllhost.exe", lpString2="[System process]") returned 1 [0074.372] lstrcmpiW (lpString1="dllhost.exe", lpString2="System") returned -1 [0074.372] lstrcmpiW (lpString1="dllhost.exe", lpString2="smss.exe") returned -1 [0074.372] lstrcmpiW (lpString1="dllhost.exe", lpString2="dllhost.exe") returned 0 [0074.372] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0074.373] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0074.373] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0074.373] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0074.373] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0074.373] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0074.373] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="CRYPT.EXE")) returned 1 [0074.374] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="[System process]") returned 1 [0074.374] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="System") returned -1 [0074.374] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="smss.exe") returned -1 [0074.374] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="dllhost.exe") returned -1 [0074.374] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="svchost.exe") returned -1 [0074.374] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="csrss.exe") returned -1 [0074.374] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="Microsoft.ActiveDirectory") returned -1 [0074.374] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="WebServices.exe") returned -1 [0074.374] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="cmd.exe") returned 1 [0074.374] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="mstsc.exe") returned -1 [0074.374] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="find.exe") returned -1 [0074.374] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="conhost.exe") returned 1 [0074.374] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="explorer.exe") returned -1 [0074.374] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="ctfmon.exe") returned -1 [0074.374] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="lsass.exe") returned -1 [0074.374] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="services.exe") returned -1 [0074.374] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="tasklist.exe") returned -1 [0074.374] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="winlogon.exe") returned -1 [0074.374] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="wmiprvse.exe") returned -1 [0074.374] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="msdts.exe") returned -1 [0074.374] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="bfsvc.exe") returned 1 [0074.374] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="AdapterTroubleshooter.exe") returned 1 [0074.375] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="alg.exe") returned 1 [0074.375] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="dwm.exe") returned -1 [0074.375] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="issch.exe") returned -1 [0074.375] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="rundll32.exe") returned -1 [0074.375] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="spoolsv.exe") returned -1 [0074.375] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="wininit.exe") returned -1 [0074.375] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="wmiprvse.exe") returned -1 [0074.375] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="wudfhost.exe") returned -1 [0074.375] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="taskmgr.exe") returned -1 [0074.375] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="rdpclip.exe") returned -1 [0074.375] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="logonui.exe") returned -1 [0074.375] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="lsm.exe") returned -1 [0074.375] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="searchui.exe") returned -1 [0074.375] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="searchindexer.exe") returned -1 [0074.375] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="processhacker.exe") returned -1 [0074.375] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="getpassvord_x64.exe") returned -1 [0074.375] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="64.exe") returned 1 [0074.375] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="32.exe") returned 1 [0074.375] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="mshta.exe") returned -1 [0074.375] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="fontdrvhost.exe") returned -1 [0074.375] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="sihost.exe") returned -1 [0074.375] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="pscan24.exe") returned -1 [0074.375] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="advanced_port_scanner.exe") returned 1 [0074.375] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="advanced_port_scanner_console.exe") returned 1 [0074.376] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="pscan24.tmp") returned -1 [0074.376] lstrcmpiW (lpString1="CRYPT.EXE", lpString2="dfssvc.exe") returned -1 [0074.376] GetCurrentProcessId () returned 0xfd8 [0074.376] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0074.376] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0074.376] lstrlenW (lpString="[System process]") returned 16 [0074.376] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0074.376] lstrlenW (lpString="System") returned 6 [0074.377] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0074.377] lstrlenW (lpString="smss.exe") returned 8 [0074.377] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0074.377] lstrlenW (lpString="dllhost.exe") returned 11 [0074.377] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0074.377] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0074.377] lstrcmpiW (lpString1="dllhost.exe", lpString2="[System process]") returned 1 [0074.377] lstrlenW (lpString="[System process]") returned 16 [0074.377] lstrcmpiW (lpString1="dllhost.exe", lpString2="System") returned -1 [0074.377] lstrlenW (lpString="System") returned 6 [0074.377] lstrcmpiW (lpString1="dllhost.exe", lpString2="smss.exe") returned -1 [0074.377] lstrlenW (lpString="smss.exe") returned 8 [0074.377] lstrcmpiW (lpString1="dllhost.exe", lpString2="dllhost.exe") returned 0 [0074.377] Process32NextW (in: hSnapshot=0x2ec, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0074.378] CloseHandle (hObject=0x2ec) returned 1 [0074.378] Sleep (dwMilliseconds=0x3e8) [0075.480] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x34c [0075.485] Process32FirstW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0075.485] lstrcmpiW (lpString1="[System Process]", lpString2="[System process]") returned 0 [0075.485] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x73, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0075.486] lstrcmpiW (lpString1="System", lpString2="[System process]") returned 1 [0075.486] lstrlenW (lpString="[System process]") returned 16 [0075.486] lstrcmpiW (lpString1="System", lpString2="System") returned 0 [0075.486] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0075.487] lstrcmpiW (lpString1="smss.exe", lpString2="[System process]") returned 1 [0075.487] lstrlenW (lpString="[System process]") returned 16 [0075.487] lstrcmpiW (lpString1="smss.exe", lpString2="System") returned -1 [0075.487] lstrlenW (lpString="System") returned 6 [0075.487] lstrcmpiW (lpString1="smss.exe", lpString2="smss.exe") returned 0 [0075.487] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0075.488] lstrcmpiW (lpString1="csrss.exe", lpString2="[System process]") returned 1 [0075.488] lstrlenW (lpString="[System process]") returned 16 [0075.488] lstrcmpiW (lpString1="csrss.exe", lpString2="System") returned -1 [0075.488] lstrlenW (lpString="System") returned 6 [0075.488] lstrcmpiW (lpString1="csrss.exe", lpString2="smss.exe") returned -1 [0075.488] lstrlenW (lpString="smss.exe") returned 8 [0075.489] lstrcmpiW (lpString1="csrss.exe", lpString2="dllhost.exe") returned -1 [0075.489] lstrlenW (lpString="dllhost.exe") returned 11 [0075.489] lstrcmpiW (lpString1="csrss.exe", lpString2="svchost.exe") returned -1 [0075.489] lstrlenW (lpString="svchost.exe") returned 11 [0075.489] lstrcmpiW (lpString1="csrss.exe", lpString2="csrss.exe") returned 0 [0075.489] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0075.490] lstrcmpiW (lpString1="wininit.exe", lpString2="[System process]") returned 1 [0075.490] lstrlenW (lpString="[System process]") returned 16 [0075.490] lstrcmpiW (lpString1="wininit.exe", lpString2="System") returned 1 [0075.490] lstrlenW (lpString="System") returned 6 [0075.490] lstrcmpiW (lpString1="wininit.exe", lpString2="smss.exe") returned 1 [0075.490] lstrlenW (lpString="smss.exe") returned 8 [0075.490] lstrcmpiW (lpString1="wininit.exe", lpString2="dllhost.exe") returned 1 [0075.490] lstrlenW (lpString="dllhost.exe") returned 11 [0075.490] lstrcmpiW (lpString1="wininit.exe", lpString2="svchost.exe") returned 1 [0075.490] lstrlenW (lpString="svchost.exe") returned 11 [0075.490] lstrcmpiW (lpString1="wininit.exe", lpString2="csrss.exe") returned 1 [0075.490] lstrlenW (lpString="csrss.exe") returned 9 [0075.490] lstrcmpiW (lpString1="wininit.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0075.490] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0075.490] lstrcmpiW (lpString1="wininit.exe", lpString2="WebServices.exe") returned 1 [0075.490] lstrlenW (lpString="WebServices.exe") returned 15 [0075.490] lstrcmpiW (lpString1="wininit.exe", lpString2="cmd.exe") returned 1 [0075.490] lstrlenW (lpString="cmd.exe") returned 7 [0075.490] lstrcmpiW (lpString1="wininit.exe", lpString2="mstsc.exe") returned 1 [0075.490] lstrlenW (lpString="mstsc.exe") returned 9 [0075.491] lstrcmpiW (lpString1="wininit.exe", lpString2="find.exe") returned 1 [0075.491] lstrlenW (lpString="find.exe") returned 8 [0075.491] lstrcmpiW (lpString1="wininit.exe", lpString2="conhost.exe") returned 1 [0075.491] lstrlenW (lpString="conhost.exe") returned 11 [0075.491] lstrcmpiW (lpString1="wininit.exe", lpString2="explorer.exe") returned 1 [0075.491] lstrlenW (lpString="explorer.exe") returned 12 [0075.491] lstrcmpiW (lpString1="wininit.exe", lpString2="ctfmon.exe") returned 1 [0075.491] lstrlenW (lpString="ctfmon.exe") returned 10 [0075.491] lstrcmpiW (lpString1="wininit.exe", lpString2="lsass.exe") returned 1 [0075.491] lstrlenW (lpString="lsass.exe") returned 9 [0075.492] lstrcmpiW (lpString1="wininit.exe", lpString2="services.exe") returned 1 [0075.492] lstrlenW (lpString="services.exe") returned 12 [0075.492] lstrcmpiW (lpString1="wininit.exe", lpString2="tasklist.exe") returned 1 [0075.492] lstrlenW (lpString="tasklist.exe") returned 12 [0075.492] lstrcmpiW (lpString1="wininit.exe", lpString2="winlogon.exe") returned -1 [0075.492] lstrlenW (lpString="winlogon.exe") returned 12 [0075.492] lstrcmpiW (lpString1="wininit.exe", lpString2="wmiprvse.exe") returned -1 [0075.492] lstrlenW (lpString="wmiprvse.exe") returned 12 [0075.492] lstrcmpiW (lpString1="wininit.exe", lpString2="msdts.exe") returned 1 [0075.492] lstrlenW (lpString="msdts.exe") returned 9 [0075.492] lstrcmpiW (lpString1="wininit.exe", lpString2="bfsvc.exe") returned 1 [0075.492] lstrlenW (lpString="bfsvc.exe") returned 9 [0075.492] lstrcmpiW (lpString1="wininit.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0075.492] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0075.492] lstrcmpiW (lpString1="wininit.exe", lpString2="alg.exe") returned 1 [0075.492] lstrlenW (lpString="alg.exe") returned 7 [0075.492] lstrcmpiW (lpString1="wininit.exe", lpString2="dwm.exe") returned 1 [0075.493] lstrlenW (lpString="dwm.exe") returned 7 [0075.493] lstrcmpiW (lpString1="wininit.exe", lpString2="issch.exe") returned 1 [0075.493] lstrlenW (lpString="issch.exe") returned 9 [0075.493] lstrcmpiW (lpString1="wininit.exe", lpString2="rundll32.exe") returned 1 [0075.493] lstrlenW (lpString="rundll32.exe") returned 12 [0075.493] lstrcmpiW (lpString1="wininit.exe", lpString2="spoolsv.exe") returned 1 [0075.493] lstrlenW (lpString="spoolsv.exe") returned 11 [0075.493] lstrcmpiW (lpString1="wininit.exe", lpString2="wininit.exe") returned 0 [0075.493] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0075.494] lstrcmpiW (lpString1="csrss.exe", lpString2="[System process]") returned 1 [0075.494] lstrlenW (lpString="[System process]") returned 16 [0075.494] lstrcmpiW (lpString1="csrss.exe", lpString2="System") returned -1 [0075.494] lstrlenW (lpString="System") returned 6 [0075.494] lstrcmpiW (lpString1="csrss.exe", lpString2="smss.exe") returned -1 [0075.494] lstrlenW (lpString="smss.exe") returned 8 [0075.494] lstrcmpiW (lpString1="csrss.exe", lpString2="dllhost.exe") returned -1 [0075.494] lstrlenW (lpString="dllhost.exe") returned 11 [0075.494] lstrcmpiW (lpString1="csrss.exe", lpString2="svchost.exe") returned -1 [0075.494] lstrlenW (lpString="svchost.exe") returned 11 [0075.494] lstrcmpiW (lpString1="csrss.exe", lpString2="csrss.exe") returned 0 [0075.494] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0075.495] lstrcmpiW (lpString1="winlogon.exe", lpString2="[System process]") returned 1 [0075.495] lstrlenW (lpString="[System process]") returned 16 [0075.495] lstrcmpiW (lpString1="winlogon.exe", lpString2="System") returned 1 [0075.495] lstrlenW (lpString="System") returned 6 [0075.495] lstrcmpiW (lpString1="winlogon.exe", lpString2="smss.exe") returned 1 [0075.495] lstrlenW (lpString="smss.exe") returned 8 [0075.495] lstrcmpiW (lpString1="winlogon.exe", lpString2="dllhost.exe") returned 1 [0075.495] lstrlenW (lpString="dllhost.exe") returned 11 [0075.495] lstrcmpiW (lpString1="winlogon.exe", lpString2="svchost.exe") returned 1 [0075.495] lstrlenW (lpString="svchost.exe") returned 11 [0075.495] lstrcmpiW (lpString1="winlogon.exe", lpString2="csrss.exe") returned 1 [0075.496] lstrlenW (lpString="csrss.exe") returned 9 [0075.496] lstrcmpiW (lpString1="winlogon.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0075.496] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0075.496] lstrcmpiW (lpString1="winlogon.exe", lpString2="WebServices.exe") returned 1 [0075.496] lstrlenW (lpString="WebServices.exe") returned 15 [0075.496] lstrcmpiW (lpString1="winlogon.exe", lpString2="cmd.exe") returned 1 [0075.496] lstrlenW (lpString="cmd.exe") returned 7 [0075.496] lstrcmpiW (lpString1="winlogon.exe", lpString2="mstsc.exe") returned 1 [0075.496] lstrlenW (lpString="mstsc.exe") returned 9 [0075.496] lstrcmpiW (lpString1="winlogon.exe", lpString2="find.exe") returned 1 [0075.496] lstrlenW (lpString="find.exe") returned 8 [0075.496] lstrcmpiW (lpString1="winlogon.exe", lpString2="conhost.exe") returned 1 [0075.496] lstrlenW (lpString="conhost.exe") returned 11 [0075.496] lstrcmpiW (lpString1="winlogon.exe", lpString2="explorer.exe") returned 1 [0075.496] lstrlenW (lpString="explorer.exe") returned 12 [0075.496] lstrcmpiW (lpString1="winlogon.exe", lpString2="ctfmon.exe") returned 1 [0075.496] lstrlenW (lpString="ctfmon.exe") returned 10 [0075.496] lstrcmpiW (lpString1="winlogon.exe", lpString2="lsass.exe") returned 1 [0075.496] lstrlenW (lpString="lsass.exe") returned 9 [0075.496] lstrcmpiW (lpString1="winlogon.exe", lpString2="services.exe") returned 1 [0075.496] lstrlenW (lpString="services.exe") returned 12 [0075.502] lstrcmpiW (lpString1="winlogon.exe", lpString2="tasklist.exe") returned 1 [0075.502] lstrlenW (lpString="tasklist.exe") returned 12 [0075.502] lstrcmpiW (lpString1="winlogon.exe", lpString2="winlogon.exe") returned 0 [0075.502] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0075.503] lstrcmpiW (lpString1="services.exe", lpString2="[System process]") returned 1 [0075.503] lstrlenW (lpString="[System process]") returned 16 [0075.503] lstrcmpiW (lpString1="services.exe", lpString2="System") returned -1 [0075.503] lstrlenW (lpString="System") returned 6 [0075.503] lstrcmpiW (lpString1="services.exe", lpString2="smss.exe") returned -1 [0075.503] lstrlenW (lpString="smss.exe") returned 8 [0075.503] lstrcmpiW (lpString1="services.exe", lpString2="dllhost.exe") returned 1 [0075.503] lstrlenW (lpString="dllhost.exe") returned 11 [0075.503] lstrcmpiW (lpString1="services.exe", lpString2="svchost.exe") returned -1 [0075.503] lstrlenW (lpString="svchost.exe") returned 11 [0075.503] lstrcmpiW (lpString1="services.exe", lpString2="csrss.exe") returned 1 [0075.503] lstrlenW (lpString="csrss.exe") returned 9 [0075.503] lstrcmpiW (lpString1="services.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0075.503] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0075.503] lstrcmpiW (lpString1="services.exe", lpString2="WebServices.exe") returned -1 [0075.503] lstrlenW (lpString="WebServices.exe") returned 15 [0075.504] lstrcmpiW (lpString1="services.exe", lpString2="cmd.exe") returned 1 [0075.504] lstrlenW (lpString="cmd.exe") returned 7 [0075.504] lstrcmpiW (lpString1="services.exe", lpString2="mstsc.exe") returned 1 [0075.504] lstrlenW (lpString="mstsc.exe") returned 9 [0075.504] lstrcmpiW (lpString1="services.exe", lpString2="find.exe") returned 1 [0075.504] lstrlenW (lpString="find.exe") returned 8 [0075.504] lstrcmpiW (lpString1="services.exe", lpString2="conhost.exe") returned 1 [0075.504] lstrlenW (lpString="conhost.exe") returned 11 [0075.504] lstrcmpiW (lpString1="services.exe", lpString2="explorer.exe") returned 1 [0075.504] lstrlenW (lpString="explorer.exe") returned 12 [0075.504] lstrcmpiW (lpString1="services.exe", lpString2="ctfmon.exe") returned 1 [0075.504] lstrlenW (lpString="ctfmon.exe") returned 10 [0075.504] lstrcmpiW (lpString1="services.exe", lpString2="lsass.exe") returned 1 [0075.504] lstrlenW (lpString="lsass.exe") returned 9 [0075.504] lstrcmpiW (lpString1="services.exe", lpString2="services.exe") returned 0 [0075.504] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0075.505] lstrcmpiW (lpString1="lsass.exe", lpString2="[System process]") returned 1 [0075.505] lstrlenW (lpString="[System process]") returned 16 [0075.505] lstrcmpiW (lpString1="lsass.exe", lpString2="System") returned -1 [0075.505] lstrlenW (lpString="System") returned 6 [0075.505] lstrcmpiW (lpString1="lsass.exe", lpString2="smss.exe") returned -1 [0075.505] lstrlenW (lpString="smss.exe") returned 8 [0075.505] lstrcmpiW (lpString1="lsass.exe", lpString2="dllhost.exe") returned 1 [0075.505] lstrlenW (lpString="dllhost.exe") returned 11 [0075.505] lstrcmpiW (lpString1="lsass.exe", lpString2="svchost.exe") returned -1 [0075.505] lstrlenW (lpString="svchost.exe") returned 11 [0075.505] lstrcmpiW (lpString1="lsass.exe", lpString2="csrss.exe") returned 1 [0075.505] lstrlenW (lpString="csrss.exe") returned 9 [0075.505] lstrcmpiW (lpString1="lsass.exe", lpString2="Microsoft.ActiveDirectory") returned -1 [0075.505] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0075.506] lstrcmpiW (lpString1="lsass.exe", lpString2="WebServices.exe") returned -1 [0075.506] lstrlenW (lpString="WebServices.exe") returned 15 [0075.506] lstrcmpiW (lpString1="lsass.exe", lpString2="cmd.exe") returned 1 [0075.506] lstrlenW (lpString="cmd.exe") returned 7 [0075.506] lstrcmpiW (lpString1="lsass.exe", lpString2="mstsc.exe") returned -1 [0075.506] lstrlenW (lpString="mstsc.exe") returned 9 [0075.506] lstrcmpiW (lpString1="lsass.exe", lpString2="find.exe") returned 1 [0075.506] lstrlenW (lpString="find.exe") returned 8 [0075.506] lstrcmpiW (lpString1="lsass.exe", lpString2="conhost.exe") returned 1 [0075.506] lstrlenW (lpString="conhost.exe") returned 11 [0075.506] lstrcmpiW (lpString1="lsass.exe", lpString2="explorer.exe") returned 1 [0075.506] lstrlenW (lpString="explorer.exe") returned 12 [0075.506] lstrcmpiW (lpString1="lsass.exe", lpString2="ctfmon.exe") returned 1 [0075.506] lstrlenW (lpString="ctfmon.exe") returned 10 [0075.506] lstrcmpiW (lpString1="lsass.exe", lpString2="lsass.exe") returned 0 [0075.506] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.507] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0075.507] lstrlenW (lpString="[System process]") returned 16 [0075.507] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0075.507] lstrlenW (lpString="System") returned 6 [0075.507] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0075.507] lstrlenW (lpString="smss.exe") returned 8 [0075.507] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0075.507] lstrlenW (lpString="dllhost.exe") returned 11 [0075.507] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0075.507] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.507] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0075.508] lstrlenW (lpString="[System process]") returned 16 [0075.508] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0075.508] lstrlenW (lpString="System") returned 6 [0075.508] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0075.508] lstrlenW (lpString="smss.exe") returned 8 [0075.508] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0075.508] lstrlenW (lpString="dllhost.exe") returned 11 [0075.508] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0075.508] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0075.508] lstrcmpiW (lpString1="dwm.exe", lpString2="[System process]") returned 1 [0075.508] lstrlenW (lpString="[System process]") returned 16 [0075.508] lstrcmpiW (lpString1="dwm.exe", lpString2="System") returned -1 [0075.508] lstrlenW (lpString="System") returned 6 [0075.508] lstrcmpiW (lpString1="dwm.exe", lpString2="smss.exe") returned -1 [0075.509] lstrlenW (lpString="smss.exe") returned 8 [0075.509] lstrcmpiW (lpString1="dwm.exe", lpString2="dllhost.exe") returned 1 [0075.509] lstrlenW (lpString="dllhost.exe") returned 11 [0075.509] lstrcmpiW (lpString1="dwm.exe", lpString2="svchost.exe") returned -1 [0075.509] lstrlenW (lpString="svchost.exe") returned 11 [0075.509] lstrcmpiW (lpString1="dwm.exe", lpString2="csrss.exe") returned 1 [0075.509] lstrlenW (lpString="csrss.exe") returned 9 [0075.509] lstrcmpiW (lpString1="dwm.exe", lpString2="Microsoft.ActiveDirectory") returned -1 [0075.509] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0075.509] lstrcmpiW (lpString1="dwm.exe", lpString2="WebServices.exe") returned -1 [0075.509] lstrlenW (lpString="WebServices.exe") returned 15 [0075.509] lstrcmpiW (lpString1="dwm.exe", lpString2="cmd.exe") returned 1 [0075.509] lstrlenW (lpString="cmd.exe") returned 7 [0075.509] lstrcmpiW (lpString1="dwm.exe", lpString2="mstsc.exe") returned -1 [0075.509] lstrlenW (lpString="mstsc.exe") returned 9 [0075.509] lstrcmpiW (lpString1="dwm.exe", lpString2="find.exe") returned -1 [0075.509] lstrlenW (lpString="find.exe") returned 8 [0075.509] lstrcmpiW (lpString1="dwm.exe", lpString2="conhost.exe") returned 1 [0075.509] lstrlenW (lpString="conhost.exe") returned 11 [0075.509] lstrcmpiW (lpString1="dwm.exe", lpString2="explorer.exe") returned -1 [0075.509] lstrlenW (lpString="explorer.exe") returned 12 [0075.509] lstrcmpiW (lpString1="dwm.exe", lpString2="ctfmon.exe") returned 1 [0075.509] lstrlenW (lpString="ctfmon.exe") returned 10 [0075.509] lstrcmpiW (lpString1="dwm.exe", lpString2="lsass.exe") returned -1 [0075.509] lstrlenW (lpString="lsass.exe") returned 9 [0075.509] lstrcmpiW (lpString1="dwm.exe", lpString2="services.exe") returned -1 [0075.509] lstrlenW (lpString="services.exe") returned 12 [0075.509] lstrcmpiW (lpString1="dwm.exe", lpString2="tasklist.exe") returned -1 [0075.509] lstrlenW (lpString="tasklist.exe") returned 12 [0075.509] lstrcmpiW (lpString1="dwm.exe", lpString2="winlogon.exe") returned -1 [0075.509] lstrlenW (lpString="winlogon.exe") returned 12 [0075.509] lstrcmpiW (lpString1="dwm.exe", lpString2="wmiprvse.exe") returned -1 [0075.509] lstrlenW (lpString="wmiprvse.exe") returned 12 [0075.509] lstrcmpiW (lpString1="dwm.exe", lpString2="msdts.exe") returned -1 [0075.509] lstrlenW (lpString="msdts.exe") returned 9 [0075.509] lstrcmpiW (lpString1="dwm.exe", lpString2="bfsvc.exe") returned 1 [0075.509] lstrlenW (lpString="bfsvc.exe") returned 9 [0075.510] lstrcmpiW (lpString1="dwm.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0075.510] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0075.510] lstrcmpiW (lpString1="dwm.exe", lpString2="alg.exe") returned 1 [0075.510] lstrlenW (lpString="alg.exe") returned 7 [0075.510] lstrcmpiW (lpString1="dwm.exe", lpString2="dwm.exe") returned 0 [0075.510] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4b, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.510] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0075.511] lstrlenW (lpString="[System process]") returned 16 [0075.511] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0075.511] lstrlenW (lpString="System") returned 6 [0075.511] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0075.511] lstrlenW (lpString="smss.exe") returned 8 [0075.511] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0075.511] lstrlenW (lpString="dllhost.exe") returned 11 [0075.511] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0075.511] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.511] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0075.511] lstrlenW (lpString="[System process]") returned 16 [0075.511] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0075.511] lstrlenW (lpString="System") returned 6 [0075.511] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0075.511] lstrlenW (lpString="smss.exe") returned 8 [0075.512] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0075.512] lstrlenW (lpString="dllhost.exe") returned 11 [0075.512] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0075.512] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.514] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0075.514] lstrlenW (lpString="[System process]") returned 16 [0075.514] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0075.514] lstrlenW (lpString="System") returned 6 [0075.514] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0075.514] lstrlenW (lpString="smss.exe") returned 8 [0075.514] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0075.514] lstrlenW (lpString="dllhost.exe") returned 11 [0075.514] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0075.514] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.515] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0075.515] lstrlenW (lpString="[System process]") returned 16 [0075.515] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0075.515] lstrlenW (lpString="System") returned 6 [0075.515] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0075.515] lstrlenW (lpString="smss.exe") returned 8 [0075.515] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0075.515] lstrlenW (lpString="dllhost.exe") returned 11 [0075.515] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0075.515] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.516] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0075.516] lstrlenW (lpString="[System process]") returned 16 [0075.516] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0075.516] lstrlenW (lpString="System") returned 6 [0075.516] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0075.516] lstrlenW (lpString="smss.exe") returned 8 [0075.516] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0075.516] lstrlenW (lpString="dllhost.exe") returned 11 [0075.516] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0075.516] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.517] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0075.517] lstrlenW (lpString="[System process]") returned 16 [0075.517] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0075.517] lstrlenW (lpString="System") returned 6 [0075.517] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0075.517] lstrlenW (lpString="smss.exe") returned 8 [0075.517] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0075.517] lstrlenW (lpString="dllhost.exe") returned 11 [0075.518] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0075.518] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0075.518] lstrcmpiW (lpString1="spoolsv.exe", lpString2="[System process]") returned 1 [0075.518] lstrlenW (lpString="[System process]") returned 16 [0075.518] lstrcmpiW (lpString1="spoolsv.exe", lpString2="System") returned -1 [0075.518] lstrlenW (lpString="System") returned 6 [0075.518] lstrcmpiW (lpString1="spoolsv.exe", lpString2="smss.exe") returned 1 [0075.519] lstrlenW (lpString="smss.exe") returned 8 [0075.519] lstrcmpiW (lpString1="spoolsv.exe", lpString2="dllhost.exe") returned 1 [0075.519] lstrlenW (lpString="dllhost.exe") returned 11 [0075.519] lstrcmpiW (lpString1="spoolsv.exe", lpString2="svchost.exe") returned -1 [0075.519] lstrlenW (lpString="svchost.exe") returned 11 [0075.519] lstrcmpiW (lpString1="spoolsv.exe", lpString2="csrss.exe") returned 1 [0075.519] lstrlenW (lpString="csrss.exe") returned 9 [0075.519] lstrcmpiW (lpString1="spoolsv.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0075.519] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0075.519] lstrcmpiW (lpString1="spoolsv.exe", lpString2="WebServices.exe") returned -1 [0075.519] lstrlenW (lpString="WebServices.exe") returned 15 [0075.519] lstrcmpiW (lpString1="spoolsv.exe", lpString2="cmd.exe") returned 1 [0075.519] lstrlenW (lpString="cmd.exe") returned 7 [0075.519] lstrcmpiW (lpString1="spoolsv.exe", lpString2="mstsc.exe") returned 1 [0075.519] lstrlenW (lpString="mstsc.exe") returned 9 [0075.519] lstrcmpiW (lpString1="spoolsv.exe", lpString2="find.exe") returned 1 [0075.519] lstrlenW (lpString="find.exe") returned 8 [0075.519] lstrcmpiW (lpString1="spoolsv.exe", lpString2="conhost.exe") returned 1 [0075.519] lstrlenW (lpString="conhost.exe") returned 11 [0075.519] lstrcmpiW (lpString1="spoolsv.exe", lpString2="explorer.exe") returned 1 [0075.519] lstrlenW (lpString="explorer.exe") returned 12 [0075.520] lstrcmpiW (lpString1="spoolsv.exe", lpString2="ctfmon.exe") returned 1 [0075.520] lstrlenW (lpString="ctfmon.exe") returned 10 [0075.520] lstrcmpiW (lpString1="spoolsv.exe", lpString2="lsass.exe") returned 1 [0075.520] lstrlenW (lpString="lsass.exe") returned 9 [0075.520] lstrcmpiW (lpString1="spoolsv.exe", lpString2="services.exe") returned 1 [0075.520] lstrlenW (lpString="services.exe") returned 12 [0075.520] lstrcmpiW (lpString1="spoolsv.exe", lpString2="tasklist.exe") returned -1 [0075.520] lstrlenW (lpString="tasklist.exe") returned 12 [0075.520] lstrcmpiW (lpString1="spoolsv.exe", lpString2="winlogon.exe") returned -1 [0075.520] lstrlenW (lpString="winlogon.exe") returned 12 [0075.520] lstrcmpiW (lpString1="spoolsv.exe", lpString2="wmiprvse.exe") returned -1 [0075.520] lstrlenW (lpString="wmiprvse.exe") returned 12 [0075.520] lstrcmpiW (lpString1="spoolsv.exe", lpString2="msdts.exe") returned 1 [0075.520] lstrlenW (lpString="msdts.exe") returned 9 [0075.520] lstrcmpiW (lpString1="spoolsv.exe", lpString2="bfsvc.exe") returned 1 [0075.520] lstrlenW (lpString="bfsvc.exe") returned 9 [0075.520] lstrcmpiW (lpString1="spoolsv.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0075.520] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0075.520] lstrcmpiW (lpString1="spoolsv.exe", lpString2="alg.exe") returned 1 [0075.520] lstrlenW (lpString="alg.exe") returned 7 [0075.520] lstrcmpiW (lpString1="spoolsv.exe", lpString2="dwm.exe") returned 1 [0075.520] lstrlenW (lpString="dwm.exe") returned 7 [0075.520] lstrcmpiW (lpString1="spoolsv.exe", lpString2="issch.exe") returned 1 [0075.520] lstrlenW (lpString="issch.exe") returned 9 [0075.520] lstrcmpiW (lpString1="spoolsv.exe", lpString2="rundll32.exe") returned 1 [0075.520] lstrlenW (lpString="rundll32.exe") returned 12 [0075.520] lstrcmpiW (lpString1="spoolsv.exe", lpString2="spoolsv.exe") returned 0 [0075.520] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.521] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0075.521] lstrlenW (lpString="[System process]") returned 16 [0075.521] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0075.521] lstrlenW (lpString="System") returned 6 [0075.521] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0075.521] lstrlenW (lpString="smss.exe") returned 8 [0075.521] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0075.521] lstrlenW (lpString="dllhost.exe") returned 11 [0075.521] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0075.521] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.522] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0075.522] lstrlenW (lpString="[System process]") returned 16 [0075.522] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0075.522] lstrlenW (lpString="System") returned 6 [0075.522] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0075.522] lstrlenW (lpString="smss.exe") returned 8 [0075.522] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0075.522] lstrlenW (lpString="dllhost.exe") returned 11 [0075.522] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0075.522] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.523] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0075.523] lstrlenW (lpString="[System process]") returned 16 [0075.523] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0075.523] lstrlenW (lpString="System") returned 6 [0075.523] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0075.523] lstrlenW (lpString="smss.exe") returned 8 [0075.523] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0075.523] lstrlenW (lpString="dllhost.exe") returned 11 [0075.523] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0075.523] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0075.524] lstrcmpiW (lpString1="sihost.exe", lpString2="[System process]") returned 1 [0075.524] lstrlenW (lpString="[System process]") returned 16 [0075.524] lstrcmpiW (lpString1="sihost.exe", lpString2="System") returned -1 [0075.524] lstrlenW (lpString="System") returned 6 [0075.524] lstrcmpiW (lpString1="sihost.exe", lpString2="smss.exe") returned -1 [0075.524] lstrlenW (lpString="smss.exe") returned 8 [0075.524] lstrcmpiW (lpString1="sihost.exe", lpString2="dllhost.exe") returned 1 [0075.524] lstrlenW (lpString="dllhost.exe") returned 11 [0075.524] lstrcmpiW (lpString1="sihost.exe", lpString2="svchost.exe") returned -1 [0075.524] lstrlenW (lpString="svchost.exe") returned 11 [0075.524] lstrcmpiW (lpString1="sihost.exe", lpString2="csrss.exe") returned 1 [0075.524] lstrlenW (lpString="csrss.exe") returned 9 [0075.524] lstrcmpiW (lpString1="sihost.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0075.524] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0075.524] lstrcmpiW (lpString1="sihost.exe", lpString2="WebServices.exe") returned -1 [0075.525] lstrlenW (lpString="WebServices.exe") returned 15 [0075.525] lstrcmpiW (lpString1="sihost.exe", lpString2="cmd.exe") returned 1 [0075.525] lstrlenW (lpString="cmd.exe") returned 7 [0075.525] lstrcmpiW (lpString1="sihost.exe", lpString2="mstsc.exe") returned 1 [0075.525] lstrlenW (lpString="mstsc.exe") returned 9 [0075.525] lstrcmpiW (lpString1="sihost.exe", lpString2="find.exe") returned 1 [0075.525] lstrlenW (lpString="find.exe") returned 8 [0075.525] lstrcmpiW (lpString1="sihost.exe", lpString2="conhost.exe") returned 1 [0075.525] lstrlenW (lpString="conhost.exe") returned 11 [0075.525] lstrcmpiW (lpString1="sihost.exe", lpString2="explorer.exe") returned 1 [0075.525] lstrlenW (lpString="explorer.exe") returned 12 [0075.525] lstrcmpiW (lpString1="sihost.exe", lpString2="ctfmon.exe") returned 1 [0075.525] lstrlenW (lpString="ctfmon.exe") returned 10 [0075.525] lstrcmpiW (lpString1="sihost.exe", lpString2="lsass.exe") returned 1 [0075.525] lstrlenW (lpString="lsass.exe") returned 9 [0075.525] lstrcmpiW (lpString1="sihost.exe", lpString2="services.exe") returned 1 [0075.525] lstrlenW (lpString="services.exe") returned 12 [0075.525] lstrcmpiW (lpString1="sihost.exe", lpString2="tasklist.exe") returned -1 [0075.525] lstrlenW (lpString="tasklist.exe") returned 12 [0075.525] lstrcmpiW (lpString1="sihost.exe", lpString2="winlogon.exe") returned -1 [0075.525] lstrlenW (lpString="winlogon.exe") returned 12 [0075.525] lstrcmpiW (lpString1="sihost.exe", lpString2="wmiprvse.exe") returned -1 [0075.525] lstrlenW (lpString="wmiprvse.exe") returned 12 [0075.525] lstrcmpiW (lpString1="sihost.exe", lpString2="msdts.exe") returned 1 [0075.525] lstrlenW (lpString="msdts.exe") returned 9 [0075.525] lstrcmpiW (lpString1="sihost.exe", lpString2="bfsvc.exe") returned 1 [0075.525] lstrlenW (lpString="bfsvc.exe") returned 9 [0075.525] lstrcmpiW (lpString1="sihost.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0075.526] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0075.526] lstrcmpiW (lpString1="sihost.exe", lpString2="alg.exe") returned 1 [0075.526] lstrlenW (lpString="alg.exe") returned 7 [0075.526] lstrcmpiW (lpString1="sihost.exe", lpString2="dwm.exe") returned 1 [0075.526] lstrlenW (lpString="dwm.exe") returned 7 [0075.526] lstrcmpiW (lpString1="sihost.exe", lpString2="issch.exe") returned 1 [0075.526] lstrlenW (lpString="issch.exe") returned 9 [0075.526] lstrcmpiW (lpString1="sihost.exe", lpString2="rundll32.exe") returned 1 [0075.526] lstrlenW (lpString="rundll32.exe") returned 12 [0075.526] lstrcmpiW (lpString1="sihost.exe", lpString2="spoolsv.exe") returned -1 [0075.526] lstrlenW (lpString="spoolsv.exe") returned 11 [0075.526] lstrcmpiW (lpString1="sihost.exe", lpString2="wininit.exe") returned -1 [0075.526] lstrlenW (lpString="wininit.exe") returned 11 [0075.526] lstrcmpiW (lpString1="sihost.exe", lpString2="wmiprvse.exe") returned -1 [0075.526] lstrlenW (lpString="wmiprvse.exe") returned 12 [0075.526] lstrcmpiW (lpString1="sihost.exe", lpString2="wudfhost.exe") returned -1 [0075.526] lstrlenW (lpString="wudfhost.exe") returned 12 [0075.526] lstrcmpiW (lpString1="sihost.exe", lpString2="taskmgr.exe") returned -1 [0075.526] lstrlenW (lpString="taskmgr.exe") returned 11 [0075.526] lstrcmpiW (lpString1="sihost.exe", lpString2="rdpclip.exe") returned 1 [0075.526] lstrlenW (lpString="rdpclip.exe") returned 11 [0075.526] lstrcmpiW (lpString1="sihost.exe", lpString2="logonui.exe") returned 1 [0075.526] lstrlenW (lpString="logonui.exe") returned 11 [0075.526] lstrcmpiW (lpString1="sihost.exe", lpString2="lsm.exe") returned 1 [0075.526] lstrlenW (lpString="lsm.exe") returned 7 [0075.526] lstrcmpiW (lpString1="sihost.exe", lpString2="searchui.exe") returned 1 [0075.526] lstrlenW (lpString="searchui.exe") returned 12 [0075.526] lstrcmpiW (lpString1="sihost.exe", lpString2="searchindexer.exe") returned 1 [0075.526] lstrlenW (lpString="searchindexer.exe") returned 17 [0075.526] lstrcmpiW (lpString1="sihost.exe", lpString2="processhacker.exe") returned 1 [0075.526] lstrlenW (lpString="processhacker.exe") returned 17 [0075.526] lstrcmpiW (lpString1="sihost.exe", lpString2="getpassvord_x64.exe") returned 1 [0075.526] lstrlenW (lpString="getpassvord_x64.exe") returned 19 [0075.526] lstrcmpiW (lpString1="sihost.exe", lpString2="64.exe") returned 1 [0075.526] lstrlenW (lpString="64.exe") returned 6 [0075.526] lstrcmpiW (lpString1="sihost.exe", lpString2="32.exe") returned 1 [0075.526] lstrlenW (lpString="32.exe") returned 6 [0075.527] lstrcmpiW (lpString1="sihost.exe", lpString2="mshta.exe") returned 1 [0075.527] lstrlenW (lpString="mshta.exe") returned 9 [0075.527] lstrcmpiW (lpString1="sihost.exe", lpString2="fontdrvhost.exe") returned 1 [0075.527] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0075.527] lstrcmpiW (lpString1="sihost.exe", lpString2="sihost.exe") returned 0 [0075.527] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x33, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0075.527] lstrcmpiW (lpString1="explorer.exe", lpString2="[System process]") returned 1 [0075.527] lstrlenW (lpString="[System process]") returned 16 [0075.527] lstrcmpiW (lpString1="explorer.exe", lpString2="System") returned -1 [0075.528] lstrlenW (lpString="System") returned 6 [0075.528] lstrcmpiW (lpString1="explorer.exe", lpString2="smss.exe") returned -1 [0075.528] lstrlenW (lpString="smss.exe") returned 8 [0075.528] lstrcmpiW (lpString1="explorer.exe", lpString2="dllhost.exe") returned 1 [0075.528] lstrlenW (lpString="dllhost.exe") returned 11 [0075.528] lstrcmpiW (lpString1="explorer.exe", lpString2="svchost.exe") returned -1 [0075.528] lstrlenW (lpString="svchost.exe") returned 11 [0075.528] lstrlenW (lpString="csrss.exe") returned 9 [0075.680] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0075.680] lstrlenW (lpString="WebServices.exe") returned 15 [0075.680] lstrlenW (lpString="cmd.exe") returned 7 [0075.680] lstrlenW (lpString="mstsc.exe") returned 9 [0075.680] lstrlenW (lpString="find.exe") returned 8 [0075.681] lstrlenW (lpString="conhost.exe") returned 11 [0075.681] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0075.681] lstrlenW (lpString="[System process]") returned 16 [0075.681] lstrlenW (lpString="System") returned 6 [0075.682] lstrlenW (lpString="smss.exe") returned 8 [0075.682] lstrlenW (lpString="dllhost.exe") returned 11 [0075.682] lstrlenW (lpString="svchost.exe") returned 11 [0075.682] lstrlenW (lpString="csrss.exe") returned 9 [0075.682] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0075.682] lstrlenW (lpString="WebServices.exe") returned 15 [0075.682] lstrlenW (lpString="cmd.exe") returned 7 [0075.682] lstrlenW (lpString="mstsc.exe") returned 9 [0075.682] lstrlenW (lpString="find.exe") returned 8 [0075.682] lstrlenW (lpString="conhost.exe") returned 11 [0075.682] lstrlenW (lpString="explorer.exe") returned 12 [0075.682] lstrlenW (lpString="ctfmon.exe") returned 10 [0075.682] lstrlenW (lpString="lsass.exe") returned 9 [0075.682] lstrlenW (lpString="services.exe") returned 12 [0075.682] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0075.683] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.684] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="CRYPT.EXE")) returned 1 [0075.685] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.686] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0075.687] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0075.688] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xce0) returned 0x354 [0075.688] TerminateProcess (hProcess=0x354, uExitCode=0x0) returned 1 [0075.688] CloseHandle (hObject=0x354) returned 1 [0075.688] Process32NextW (in: hSnapshot=0x34c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 0 [0075.689] CloseHandle (hObject=0x34c) returned 1 [0075.689] Sleep (dwMilliseconds=0x3e8) [0077.587] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x364 [0077.596] Process32FirstW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0077.596] lstrcmpiW (lpString1="[System Process]", lpString2="[System process]") returned 0 [0077.597] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x67, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0077.598] lstrcmpiW (lpString1="System", lpString2="[System process]") returned 1 [0077.598] lstrlenW (lpString="[System process]") returned 16 [0077.598] lstrcmpiW (lpString1="System", lpString2="System") returned 0 [0077.598] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0077.599] lstrcmpiW (lpString1="smss.exe", lpString2="[System process]") returned 1 [0077.599] lstrlenW (lpString="[System process]") returned 16 [0077.599] lstrcmpiW (lpString1="smss.exe", lpString2="System") returned -1 [0077.599] lstrlenW (lpString="System") returned 6 [0077.599] lstrcmpiW (lpString1="smss.exe", lpString2="smss.exe") returned 0 [0077.599] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0077.602] lstrcmpiW (lpString1="csrss.exe", lpString2="[System process]") returned 1 [0077.602] lstrlenW (lpString="[System process]") returned 16 [0077.602] lstrcmpiW (lpString1="csrss.exe", lpString2="System") returned -1 [0077.602] lstrlenW (lpString="System") returned 6 [0077.602] lstrcmpiW (lpString1="csrss.exe", lpString2="smss.exe") returned -1 [0077.602] lstrlenW (lpString="smss.exe") returned 8 [0077.602] lstrcmpiW (lpString1="csrss.exe", lpString2="dllhost.exe") returned -1 [0077.602] lstrlenW (lpString="dllhost.exe") returned 11 [0077.602] lstrcmpiW (lpString1="csrss.exe", lpString2="svchost.exe") returned -1 [0077.602] lstrlenW (lpString="svchost.exe") returned 11 [0077.602] lstrcmpiW (lpString1="csrss.exe", lpString2="csrss.exe") returned 0 [0077.603] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0077.609] lstrcmpiW (lpString1="wininit.exe", lpString2="[System process]") returned 1 [0077.609] lstrlenW (lpString="[System process]") returned 16 [0077.609] lstrcmpiW (lpString1="wininit.exe", lpString2="System") returned 1 [0077.609] lstrlenW (lpString="System") returned 6 [0077.609] lstrcmpiW (lpString1="wininit.exe", lpString2="smss.exe") returned 1 [0077.609] lstrlenW (lpString="smss.exe") returned 8 [0077.611] lstrcmpiW (lpString1="wininit.exe", lpString2="dllhost.exe") returned 1 [0077.611] lstrlenW (lpString="dllhost.exe") returned 11 [0077.611] lstrcmpiW (lpString1="wininit.exe", lpString2="svchost.exe") returned 1 [0077.611] lstrlenW (lpString="svchost.exe") returned 11 [0077.611] lstrcmpiW (lpString1="wininit.exe", lpString2="csrss.exe") returned 1 [0077.611] lstrlenW (lpString="csrss.exe") returned 9 [0077.611] lstrcmpiW (lpString1="wininit.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0077.611] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0077.612] lstrcmpiW (lpString1="wininit.exe", lpString2="WebServices.exe") returned 1 [0077.612] lstrlenW (lpString="WebServices.exe") returned 15 [0077.612] lstrcmpiW (lpString1="wininit.exe", lpString2="cmd.exe") returned 1 [0077.612] lstrlenW (lpString="cmd.exe") returned 7 [0077.612] lstrcmpiW (lpString1="wininit.exe", lpString2="mstsc.exe") returned 1 [0077.612] lstrlenW (lpString="mstsc.exe") returned 9 [0077.612] lstrcmpiW (lpString1="wininit.exe", lpString2="find.exe") returned 1 [0077.612] lstrlenW (lpString="find.exe") returned 8 [0077.612] lstrcmpiW (lpString1="wininit.exe", lpString2="conhost.exe") returned 1 [0077.612] lstrlenW (lpString="conhost.exe") returned 11 [0077.612] lstrcmpiW (lpString1="wininit.exe", lpString2="explorer.exe") returned 1 [0077.612] lstrlenW (lpString="explorer.exe") returned 12 [0077.612] lstrcmpiW (lpString1="wininit.exe", lpString2="ctfmon.exe") returned 1 [0077.612] lstrlenW (lpString="ctfmon.exe") returned 10 [0077.612] lstrcmpiW (lpString1="wininit.exe", lpString2="lsass.exe") returned 1 [0077.612] lstrlenW (lpString="lsass.exe") returned 9 [0077.612] lstrcmpiW (lpString1="wininit.exe", lpString2="services.exe") returned 1 [0077.614] lstrlenW (lpString="services.exe") returned 12 [0077.614] lstrcmpiW (lpString1="wininit.exe", lpString2="tasklist.exe") returned 1 [0077.614] lstrlenW (lpString="tasklist.exe") returned 12 [0077.614] lstrcmpiW (lpString1="wininit.exe", lpString2="winlogon.exe") returned -1 [0077.614] lstrlenW (lpString="winlogon.exe") returned 12 [0077.614] lstrcmpiW (lpString1="wininit.exe", lpString2="wmiprvse.exe") returned -1 [0077.614] lstrlenW (lpString="wmiprvse.exe") returned 12 [0077.614] lstrcmpiW (lpString1="wininit.exe", lpString2="msdts.exe") returned 1 [0077.614] lstrlenW (lpString="msdts.exe") returned 9 [0077.615] lstrcmpiW (lpString1="wininit.exe", lpString2="bfsvc.exe") returned 1 [0077.615] lstrlenW (lpString="bfsvc.exe") returned 9 [0077.615] lstrcmpiW (lpString1="wininit.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0077.615] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0077.615] lstrcmpiW (lpString1="wininit.exe", lpString2="alg.exe") returned 1 [0077.615] lstrlenW (lpString="alg.exe") returned 7 [0077.615] lstrcmpiW (lpString1="wininit.exe", lpString2="dwm.exe") returned 1 [0077.615] lstrlenW (lpString="dwm.exe") returned 7 [0077.615] lstrcmpiW (lpString1="wininit.exe", lpString2="issch.exe") returned 1 [0077.615] lstrlenW (lpString="issch.exe") returned 9 [0077.615] lstrcmpiW (lpString1="wininit.exe", lpString2="rundll32.exe") returned 1 [0077.615] lstrlenW (lpString="rundll32.exe") returned 12 [0077.615] lstrcmpiW (lpString1="wininit.exe", lpString2="spoolsv.exe") returned 1 [0077.615] lstrlenW (lpString="spoolsv.exe") returned 11 [0077.615] lstrcmpiW (lpString1="wininit.exe", lpString2="wininit.exe") returned 0 [0077.615] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0077.626] lstrcmpiW (lpString1="csrss.exe", lpString2="[System process]") returned 1 [0077.626] lstrlenW (lpString="[System process]") returned 16 [0077.626] lstrcmpiW (lpString1="csrss.exe", lpString2="System") returned -1 [0077.626] lstrlenW (lpString="System") returned 6 [0077.626] lstrcmpiW (lpString1="csrss.exe", lpString2="smss.exe") returned -1 [0077.626] lstrlenW (lpString="smss.exe") returned 8 [0077.626] lstrcmpiW (lpString1="csrss.exe", lpString2="dllhost.exe") returned -1 [0077.627] lstrlenW (lpString="dllhost.exe") returned 11 [0077.627] lstrcmpiW (lpString1="csrss.exe", lpString2="svchost.exe") returned -1 [0077.627] lstrlenW (lpString="svchost.exe") returned 11 [0077.627] lstrcmpiW (lpString1="csrss.exe", lpString2="csrss.exe") returned 0 [0077.627] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0077.628] lstrcmpiW (lpString1="winlogon.exe", lpString2="[System process]") returned 1 [0077.628] lstrlenW (lpString="[System process]") returned 16 [0077.628] lstrcmpiW (lpString1="winlogon.exe", lpString2="System") returned 1 [0077.628] lstrlenW (lpString="System") returned 6 [0077.628] lstrcmpiW (lpString1="winlogon.exe", lpString2="smss.exe") returned 1 [0077.628] lstrlenW (lpString="smss.exe") returned 8 [0077.628] lstrcmpiW (lpString1="winlogon.exe", lpString2="dllhost.exe") returned 1 [0077.628] lstrlenW (lpString="dllhost.exe") returned 11 [0077.629] lstrcmpiW (lpString1="winlogon.exe", lpString2="svchost.exe") returned 1 [0077.629] lstrlenW (lpString="svchost.exe") returned 11 [0077.629] lstrcmpiW (lpString1="winlogon.exe", lpString2="csrss.exe") returned 1 [0077.629] lstrlenW (lpString="csrss.exe") returned 9 [0077.629] lstrcmpiW (lpString1="winlogon.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0077.629] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0077.629] lstrcmpiW (lpString1="winlogon.exe", lpString2="WebServices.exe") returned 1 [0077.629] lstrlenW (lpString="WebServices.exe") returned 15 [0077.629] lstrcmpiW (lpString1="winlogon.exe", lpString2="cmd.exe") returned 1 [0077.629] lstrlenW (lpString="cmd.exe") returned 7 [0077.629] lstrcmpiW (lpString1="winlogon.exe", lpString2="mstsc.exe") returned 1 [0077.629] lstrlenW (lpString="mstsc.exe") returned 9 [0077.629] lstrcmpiW (lpString1="winlogon.exe", lpString2="find.exe") returned 1 [0077.629] lstrlenW (lpString="find.exe") returned 8 [0077.629] lstrcmpiW (lpString1="winlogon.exe", lpString2="conhost.exe") returned 1 [0077.629] lstrlenW (lpString="conhost.exe") returned 11 [0077.629] lstrcmpiW (lpString1="winlogon.exe", lpString2="explorer.exe") returned 1 [0077.629] lstrlenW (lpString="explorer.exe") returned 12 [0077.629] lstrcmpiW (lpString1="winlogon.exe", lpString2="ctfmon.exe") returned 1 [0077.629] lstrlenW (lpString="ctfmon.exe") returned 10 [0077.630] lstrcmpiW (lpString1="winlogon.exe", lpString2="lsass.exe") returned 1 [0077.630] lstrlenW (lpString="lsass.exe") returned 9 [0077.630] lstrcmpiW (lpString1="winlogon.exe", lpString2="services.exe") returned 1 [0077.630] lstrlenW (lpString="services.exe") returned 12 [0077.630] lstrcmpiW (lpString1="winlogon.exe", lpString2="tasklist.exe") returned 1 [0077.630] lstrlenW (lpString="tasklist.exe") returned 12 [0077.630] lstrcmpiW (lpString1="winlogon.exe", lpString2="winlogon.exe") returned 0 [0077.630] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0077.631] lstrcmpiW (lpString1="services.exe", lpString2="[System process]") returned 1 [0077.631] lstrlenW (lpString="[System process]") returned 16 [0077.631] lstrcmpiW (lpString1="services.exe", lpString2="System") returned -1 [0077.631] lstrlenW (lpString="System") returned 6 [0077.631] lstrcmpiW (lpString1="services.exe", lpString2="smss.exe") returned -1 [0077.631] lstrlenW (lpString="smss.exe") returned 8 [0077.631] lstrcmpiW (lpString1="services.exe", lpString2="dllhost.exe") returned 1 [0077.631] lstrlenW (lpString="dllhost.exe") returned 11 [0077.631] lstrcmpiW (lpString1="services.exe", lpString2="svchost.exe") returned -1 [0077.631] lstrlenW (lpString="svchost.exe") returned 11 [0077.631] lstrcmpiW (lpString1="services.exe", lpString2="csrss.exe") returned 1 [0077.631] lstrlenW (lpString="csrss.exe") returned 9 [0077.631] lstrcmpiW (lpString1="services.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0077.631] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0077.632] lstrcmpiW (lpString1="services.exe", lpString2="WebServices.exe") returned -1 [0077.632] lstrlenW (lpString="WebServices.exe") returned 15 [0077.632] lstrcmpiW (lpString1="services.exe", lpString2="cmd.exe") returned 1 [0077.632] lstrlenW (lpString="cmd.exe") returned 7 [0077.632] lstrcmpiW (lpString1="services.exe", lpString2="mstsc.exe") returned 1 [0077.632] lstrlenW (lpString="mstsc.exe") returned 9 [0077.632] lstrcmpiW (lpString1="services.exe", lpString2="find.exe") returned 1 [0077.632] lstrlenW (lpString="find.exe") returned 8 [0077.632] lstrcmpiW (lpString1="services.exe", lpString2="conhost.exe") returned 1 [0077.632] lstrlenW (lpString="conhost.exe") returned 11 [0077.632] lstrcmpiW (lpString1="services.exe", lpString2="explorer.exe") returned 1 [0077.632] lstrlenW (lpString="explorer.exe") returned 12 [0077.632] lstrcmpiW (lpString1="services.exe", lpString2="ctfmon.exe") returned 1 [0077.632] lstrlenW (lpString="ctfmon.exe") returned 10 [0077.632] lstrcmpiW (lpString1="services.exe", lpString2="lsass.exe") returned 1 [0077.632] lstrlenW (lpString="lsass.exe") returned 9 [0077.632] lstrcmpiW (lpString1="services.exe", lpString2="services.exe") returned 0 [0077.632] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0077.633] lstrcmpiW (lpString1="lsass.exe", lpString2="[System process]") returned 1 [0077.633] lstrlenW (lpString="[System process]") returned 16 [0077.633] lstrcmpiW (lpString1="lsass.exe", lpString2="System") returned -1 [0077.633] lstrlenW (lpString="System") returned 6 [0077.633] lstrcmpiW (lpString1="lsass.exe", lpString2="smss.exe") returned -1 [0077.633] lstrlenW (lpString="smss.exe") returned 8 [0077.633] lstrcmpiW (lpString1="lsass.exe", lpString2="dllhost.exe") returned 1 [0077.634] lstrlenW (lpString="dllhost.exe") returned 11 [0077.634] lstrcmpiW (lpString1="lsass.exe", lpString2="svchost.exe") returned -1 [0077.634] lstrlenW (lpString="svchost.exe") returned 11 [0077.634] lstrcmpiW (lpString1="lsass.exe", lpString2="csrss.exe") returned 1 [0077.634] lstrlenW (lpString="csrss.exe") returned 9 [0077.634] lstrcmpiW (lpString1="lsass.exe", lpString2="Microsoft.ActiveDirectory") returned -1 [0077.634] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0077.634] lstrcmpiW (lpString1="lsass.exe", lpString2="WebServices.exe") returned -1 [0077.634] lstrlenW (lpString="WebServices.exe") returned 15 [0077.634] lstrcmpiW (lpString1="lsass.exe", lpString2="cmd.exe") returned 1 [0077.634] lstrlenW (lpString="cmd.exe") returned 7 [0077.634] lstrcmpiW (lpString1="lsass.exe", lpString2="mstsc.exe") returned -1 [0077.634] lstrlenW (lpString="mstsc.exe") returned 9 [0077.634] lstrcmpiW (lpString1="lsass.exe", lpString2="find.exe") returned 1 [0077.634] lstrlenW (lpString="find.exe") returned 8 [0077.634] lstrcmpiW (lpString1="lsass.exe", lpString2="conhost.exe") returned 1 [0077.634] lstrlenW (lpString="conhost.exe") returned 11 [0077.634] lstrcmpiW (lpString1="lsass.exe", lpString2="explorer.exe") returned 1 [0077.634] lstrlenW (lpString="explorer.exe") returned 12 [0077.634] lstrcmpiW (lpString1="lsass.exe", lpString2="ctfmon.exe") returned 1 [0077.634] lstrlenW (lpString="ctfmon.exe") returned 10 [0077.634] lstrcmpiW (lpString1="lsass.exe", lpString2="lsass.exe") returned 0 [0077.634] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0077.635] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0077.635] lstrlenW (lpString="[System process]") returned 16 [0077.635] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0077.635] lstrlenW (lpString="System") returned 6 [0077.635] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0077.636] lstrlenW (lpString="smss.exe") returned 8 [0077.636] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0077.636] lstrlenW (lpString="dllhost.exe") returned 11 [0077.636] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0077.636] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0077.637] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0077.637] lstrlenW (lpString="[System process]") returned 16 [0077.637] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0077.637] lstrlenW (lpString="System") returned 6 [0077.637] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0077.637] lstrlenW (lpString="smss.exe") returned 8 [0077.637] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0077.637] lstrlenW (lpString="dllhost.exe") returned 11 [0077.637] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0077.637] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0077.638] lstrcmpiW (lpString1="dwm.exe", lpString2="[System process]") returned 1 [0077.638] lstrlenW (lpString="[System process]") returned 16 [0077.638] lstrcmpiW (lpString1="dwm.exe", lpString2="System") returned -1 [0077.638] lstrlenW (lpString="System") returned 6 [0077.638] lstrcmpiW (lpString1="dwm.exe", lpString2="smss.exe") returned -1 [0077.638] lstrlenW (lpString="smss.exe") returned 8 [0077.638] lstrcmpiW (lpString1="dwm.exe", lpString2="dllhost.exe") returned 1 [0077.638] lstrlenW (lpString="dllhost.exe") returned 11 [0077.638] lstrcmpiW (lpString1="dwm.exe", lpString2="svchost.exe") returned -1 [0077.638] lstrlenW (lpString="svchost.exe") returned 11 [0077.638] lstrcmpiW (lpString1="dwm.exe", lpString2="csrss.exe") returned 1 [0077.638] lstrlenW (lpString="csrss.exe") returned 9 [0077.639] lstrcmpiW (lpString1="dwm.exe", lpString2="Microsoft.ActiveDirectory") returned -1 [0077.639] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0077.639] lstrcmpiW (lpString1="dwm.exe", lpString2="WebServices.exe") returned -1 [0077.639] lstrlenW (lpString="WebServices.exe") returned 15 [0077.639] lstrcmpiW (lpString1="dwm.exe", lpString2="cmd.exe") returned 1 [0077.639] lstrlenW (lpString="cmd.exe") returned 7 [0077.639] lstrcmpiW (lpString1="dwm.exe", lpString2="mstsc.exe") returned -1 [0077.639] lstrlenW (lpString="mstsc.exe") returned 9 [0077.639] lstrcmpiW (lpString1="dwm.exe", lpString2="find.exe") returned -1 [0077.639] lstrlenW (lpString="find.exe") returned 8 [0077.639] lstrcmpiW (lpString1="dwm.exe", lpString2="conhost.exe") returned 1 [0077.639] lstrlenW (lpString="conhost.exe") returned 11 [0077.639] lstrcmpiW (lpString1="dwm.exe", lpString2="explorer.exe") returned -1 [0077.639] lstrlenW (lpString="explorer.exe") returned 12 [0077.639] lstrcmpiW (lpString1="dwm.exe", lpString2="ctfmon.exe") returned 1 [0077.639] lstrlenW (lpString="ctfmon.exe") returned 10 [0077.639] lstrcmpiW (lpString1="dwm.exe", lpString2="lsass.exe") returned -1 [0077.639] lstrlenW (lpString="lsass.exe") returned 9 [0077.640] lstrcmpiW (lpString1="dwm.exe", lpString2="services.exe") returned -1 [0077.640] lstrlenW (lpString="services.exe") returned 12 [0077.640] lstrcmpiW (lpString1="dwm.exe", lpString2="tasklist.exe") returned -1 [0077.640] lstrlenW (lpString="tasklist.exe") returned 12 [0077.640] lstrcmpiW (lpString1="dwm.exe", lpString2="winlogon.exe") returned -1 [0077.640] lstrlenW (lpString="winlogon.exe") returned 12 [0077.640] lstrcmpiW (lpString1="dwm.exe", lpString2="wmiprvse.exe") returned -1 [0077.640] lstrlenW (lpString="wmiprvse.exe") returned 12 [0077.640] lstrcmpiW (lpString1="dwm.exe", lpString2="msdts.exe") returned -1 [0077.640] lstrlenW (lpString="msdts.exe") returned 9 [0077.640] lstrcmpiW (lpString1="dwm.exe", lpString2="bfsvc.exe") returned 1 [0077.640] lstrlenW (lpString="bfsvc.exe") returned 9 [0077.640] lstrcmpiW (lpString1="dwm.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0077.640] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0077.640] lstrcmpiW (lpString1="dwm.exe", lpString2="alg.exe") returned 1 [0077.640] lstrlenW (lpString="alg.exe") returned 7 [0077.640] lstrcmpiW (lpString1="dwm.exe", lpString2="dwm.exe") returned 0 [0077.640] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0077.642] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0077.642] lstrlenW (lpString="[System process]") returned 16 [0077.642] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0077.642] lstrlenW (lpString="System") returned 6 [0077.642] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0077.642] lstrlenW (lpString="smss.exe") returned 8 [0077.642] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0077.642] lstrlenW (lpString="dllhost.exe") returned 11 [0077.642] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0077.642] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0077.643] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0077.643] lstrlenW (lpString="[System process]") returned 16 [0077.643] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0077.643] lstrlenW (lpString="System") returned 6 [0077.643] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0077.643] lstrlenW (lpString="smss.exe") returned 8 [0077.643] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0077.643] lstrlenW (lpString="dllhost.exe") returned 11 [0077.643] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0077.643] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0077.644] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0077.644] lstrlenW (lpString="[System process]") returned 16 [0077.644] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0077.644] lstrlenW (lpString="System") returned 6 [0077.644] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0077.645] lstrlenW (lpString="smss.exe") returned 8 [0077.645] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0077.645] lstrlenW (lpString="dllhost.exe") returned 11 [0077.645] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0077.645] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0077.826] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0077.827] lstrlenW (lpString="[System process]") returned 16 [0077.827] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0077.827] lstrlenW (lpString="System") returned 6 [0077.827] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0077.827] lstrlenW (lpString="smss.exe") returned 8 [0077.827] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0077.827] lstrlenW (lpString="dllhost.exe") returned 11 [0077.827] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0077.827] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0077.828] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0077.828] lstrlenW (lpString="[System process]") returned 16 [0077.830] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0077.830] lstrlenW (lpString="System") returned 6 [0077.830] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0077.830] lstrlenW (lpString="smss.exe") returned 8 [0077.830] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0077.830] lstrlenW (lpString="dllhost.exe") returned 11 [0077.830] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0077.830] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0077.831] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0077.831] lstrlenW (lpString="[System process]") returned 16 [0077.831] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0077.831] lstrlenW (lpString="System") returned 6 [0077.831] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0077.831] lstrlenW (lpString="smss.exe") returned 8 [0077.831] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0077.831] lstrlenW (lpString="dllhost.exe") returned 11 [0077.831] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0077.832] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0077.832] lstrcmpiW (lpString1="spoolsv.exe", lpString2="[System process]") returned 1 [0077.832] lstrlenW (lpString="[System process]") returned 16 [0077.832] lstrcmpiW (lpString1="spoolsv.exe", lpString2="System") returned -1 [0077.832] lstrlenW (lpString="System") returned 6 [0077.832] lstrcmpiW (lpString1="spoolsv.exe", lpString2="smss.exe") returned 1 [0077.832] lstrlenW (lpString="smss.exe") returned 8 [0077.832] lstrcmpiW (lpString1="spoolsv.exe", lpString2="dllhost.exe") returned 1 [0077.832] lstrlenW (lpString="dllhost.exe") returned 11 [0077.832] lstrcmpiW (lpString1="spoolsv.exe", lpString2="svchost.exe") returned -1 [0077.833] lstrlenW (lpString="svchost.exe") returned 11 [0077.833] lstrcmpiW (lpString1="spoolsv.exe", lpString2="csrss.exe") returned 1 [0077.833] lstrlenW (lpString="csrss.exe") returned 9 [0077.833] lstrcmpiW (lpString1="spoolsv.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0077.833] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0077.833] lstrcmpiW (lpString1="spoolsv.exe", lpString2="WebServices.exe") returned -1 [0077.833] lstrlenW (lpString="WebServices.exe") returned 15 [0077.833] lstrcmpiW (lpString1="spoolsv.exe", lpString2="cmd.exe") returned 1 [0077.833] lstrlenW (lpString="cmd.exe") returned 7 [0077.833] lstrcmpiW (lpString1="spoolsv.exe", lpString2="mstsc.exe") returned 1 [0077.833] lstrlenW (lpString="mstsc.exe") returned 9 [0077.833] lstrcmpiW (lpString1="spoolsv.exe", lpString2="find.exe") returned 1 [0077.833] lstrlenW (lpString="find.exe") returned 8 [0077.833] lstrcmpiW (lpString1="spoolsv.exe", lpString2="conhost.exe") returned 1 [0077.833] lstrlenW (lpString="conhost.exe") returned 11 [0077.833] lstrcmpiW (lpString1="spoolsv.exe", lpString2="explorer.exe") returned 1 [0077.833] lstrlenW (lpString="explorer.exe") returned 12 [0077.833] lstrcmpiW (lpString1="spoolsv.exe", lpString2="ctfmon.exe") returned 1 [0077.833] lstrlenW (lpString="ctfmon.exe") returned 10 [0077.833] lstrcmpiW (lpString1="spoolsv.exe", lpString2="lsass.exe") returned 1 [0077.834] lstrlenW (lpString="lsass.exe") returned 9 [0077.834] lstrcmpiW (lpString1="spoolsv.exe", lpString2="services.exe") returned 1 [0077.834] lstrlenW (lpString="services.exe") returned 12 [0077.834] lstrcmpiW (lpString1="spoolsv.exe", lpString2="tasklist.exe") returned -1 [0077.834] lstrlenW (lpString="tasklist.exe") returned 12 [0077.834] lstrcmpiW (lpString1="spoolsv.exe", lpString2="winlogon.exe") returned -1 [0077.834] lstrlenW (lpString="winlogon.exe") returned 12 [0077.834] lstrcmpiW (lpString1="spoolsv.exe", lpString2="wmiprvse.exe") returned -1 [0077.834] lstrlenW (lpString="wmiprvse.exe") returned 12 [0077.834] lstrcmpiW (lpString1="spoolsv.exe", lpString2="msdts.exe") returned 1 [0077.834] lstrlenW (lpString="msdts.exe") returned 9 [0077.834] lstrcmpiW (lpString1="spoolsv.exe", lpString2="bfsvc.exe") returned 1 [0077.834] lstrlenW (lpString="bfsvc.exe") returned 9 [0077.834] lstrcmpiW (lpString1="spoolsv.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0077.834] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0077.834] lstrcmpiW (lpString1="spoolsv.exe", lpString2="alg.exe") returned 1 [0077.834] lstrlenW (lpString="alg.exe") returned 7 [0077.834] lstrcmpiW (lpString1="spoolsv.exe", lpString2="dwm.exe") returned 1 [0077.834] lstrlenW (lpString="dwm.exe") returned 7 [0077.835] lstrcmpiW (lpString1="spoolsv.exe", lpString2="issch.exe") returned 1 [0077.835] lstrlenW (lpString="issch.exe") returned 9 [0077.835] lstrcmpiW (lpString1="spoolsv.exe", lpString2="rundll32.exe") returned 1 [0077.835] lstrlenW (lpString="rundll32.exe") returned 12 [0077.835] lstrcmpiW (lpString1="spoolsv.exe", lpString2="spoolsv.exe") returned 0 [0077.835] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0077.836] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0077.836] lstrlenW (lpString="[System process]") returned 16 [0077.836] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0077.836] lstrlenW (lpString="System") returned 6 [0077.836] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0077.836] lstrlenW (lpString="smss.exe") returned 8 [0077.836] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0077.836] lstrlenW (lpString="dllhost.exe") returned 11 [0077.836] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0077.836] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0077.837] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0077.837] lstrlenW (lpString="[System process]") returned 16 [0077.837] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0077.837] lstrlenW (lpString="System") returned 6 [0077.837] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0077.837] lstrlenW (lpString="smss.exe") returned 8 [0077.837] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0077.837] lstrlenW (lpString="dllhost.exe") returned 11 [0077.837] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0077.837] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0077.838] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0077.838] lstrlenW (lpString="[System process]") returned 16 [0077.838] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0077.838] lstrlenW (lpString="System") returned 6 [0077.838] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0077.838] lstrlenW (lpString="smss.exe") returned 8 [0077.838] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0077.838] lstrlenW (lpString="dllhost.exe") returned 11 [0077.838] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0077.838] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0077.839] lstrcmpiW (lpString1="sihost.exe", lpString2="[System process]") returned 1 [0077.839] lstrlenW (lpString="[System process]") returned 16 [0077.839] lstrcmpiW (lpString1="sihost.exe", lpString2="System") returned -1 [0077.839] lstrlenW (lpString="System") returned 6 [0077.839] lstrcmpiW (lpString1="sihost.exe", lpString2="smss.exe") returned -1 [0077.839] lstrlenW (lpString="smss.exe") returned 8 [0077.839] lstrcmpiW (lpString1="sihost.exe", lpString2="dllhost.exe") returned 1 [0077.839] lstrlenW (lpString="dllhost.exe") returned 11 [0077.839] lstrcmpiW (lpString1="sihost.exe", lpString2="svchost.exe") returned -1 [0077.839] lstrlenW (lpString="svchost.exe") returned 11 [0077.839] lstrcmpiW (lpString1="sihost.exe", lpString2="csrss.exe") returned 1 [0077.839] lstrlenW (lpString="csrss.exe") returned 9 [0077.839] lstrcmpiW (lpString1="sihost.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0077.839] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0077.839] lstrcmpiW (lpString1="sihost.exe", lpString2="WebServices.exe") returned -1 [0077.839] lstrlenW (lpString="WebServices.exe") returned 15 [0077.839] lstrcmpiW (lpString1="sihost.exe", lpString2="cmd.exe") returned 1 [0077.844] lstrlenW (lpString="cmd.exe") returned 7 [0077.845] lstrcmpiW (lpString1="sihost.exe", lpString2="mstsc.exe") returned 1 [0077.845] lstrlenW (lpString="mstsc.exe") returned 9 [0077.845] lstrcmpiW (lpString1="sihost.exe", lpString2="find.exe") returned 1 [0077.845] lstrlenW (lpString="find.exe") returned 8 [0077.845] lstrcmpiW (lpString1="sihost.exe", lpString2="conhost.exe") returned 1 [0077.845] lstrlenW (lpString="conhost.exe") returned 11 [0077.845] lstrcmpiW (lpString1="sihost.exe", lpString2="explorer.exe") returned 1 [0077.845] lstrlenW (lpString="explorer.exe") returned 12 [0077.845] lstrcmpiW (lpString1="sihost.exe", lpString2="ctfmon.exe") returned 1 [0077.845] lstrlenW (lpString="ctfmon.exe") returned 10 [0077.845] lstrcmpiW (lpString1="sihost.exe", lpString2="lsass.exe") returned 1 [0077.845] lstrlenW (lpString="lsass.exe") returned 9 [0077.845] lstrcmpiW (lpString1="sihost.exe", lpString2="services.exe") returned 1 [0077.845] lstrlenW (lpString="services.exe") returned 12 [0077.845] lstrcmpiW (lpString1="sihost.exe", lpString2="tasklist.exe") returned -1 [0077.845] lstrlenW (lpString="tasklist.exe") returned 12 [0077.845] lstrcmpiW (lpString1="sihost.exe", lpString2="winlogon.exe") returned -1 [0077.845] lstrlenW (lpString="winlogon.exe") returned 12 [0077.845] lstrcmpiW (lpString1="sihost.exe", lpString2="wmiprvse.exe") returned -1 [0077.845] lstrlenW (lpString="wmiprvse.exe") returned 12 [0077.845] lstrcmpiW (lpString1="sihost.exe", lpString2="msdts.exe") returned 1 [0077.845] lstrlenW (lpString="msdts.exe") returned 9 [0077.845] lstrcmpiW (lpString1="sihost.exe", lpString2="bfsvc.exe") returned 1 [0077.845] lstrlenW (lpString="bfsvc.exe") returned 9 [0077.845] lstrcmpiW (lpString1="sihost.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0077.845] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0077.845] lstrcmpiW (lpString1="sihost.exe", lpString2="alg.exe") returned 1 [0077.845] lstrlenW (lpString="alg.exe") returned 7 [0077.845] lstrcmpiW (lpString1="sihost.exe", lpString2="dwm.exe") returned 1 [0077.845] lstrlenW (lpString="dwm.exe") returned 7 [0077.845] lstrcmpiW (lpString1="sihost.exe", lpString2="issch.exe") returned 1 [0077.845] lstrlenW (lpString="issch.exe") returned 9 [0077.845] lstrcmpiW (lpString1="sihost.exe", lpString2="rundll32.exe") returned 1 [0077.845] lstrlenW (lpString="rundll32.exe") returned 12 [0077.845] lstrcmpiW (lpString1="sihost.exe", lpString2="spoolsv.exe") returned -1 [0077.846] lstrlenW (lpString="spoolsv.exe") returned 11 [0077.846] lstrcmpiW (lpString1="sihost.exe", lpString2="wininit.exe") returned -1 [0077.846] lstrlenW (lpString="wininit.exe") returned 11 [0077.846] lstrcmpiW (lpString1="sihost.exe", lpString2="wmiprvse.exe") returned -1 [0077.846] lstrlenW (lpString="wmiprvse.exe") returned 12 [0077.846] lstrcmpiW (lpString1="sihost.exe", lpString2="wudfhost.exe") returned -1 [0077.846] lstrlenW (lpString="wudfhost.exe") returned 12 [0077.846] lstrcmpiW (lpString1="sihost.exe", lpString2="taskmgr.exe") returned -1 [0077.846] lstrlenW (lpString="taskmgr.exe") returned 11 [0077.846] lstrcmpiW (lpString1="sihost.exe", lpString2="rdpclip.exe") returned 1 [0077.846] lstrlenW (lpString="rdpclip.exe") returned 11 [0077.846] lstrcmpiW (lpString1="sihost.exe", lpString2="logonui.exe") returned 1 [0077.849] lstrlenW (lpString="logonui.exe") returned 11 [0077.849] lstrcmpiW (lpString1="sihost.exe", lpString2="lsm.exe") returned 1 [0077.849] lstrlenW (lpString="lsm.exe") returned 7 [0077.849] lstrcmpiW (lpString1="sihost.exe", lpString2="searchui.exe") returned 1 [0077.849] lstrlenW (lpString="searchui.exe") returned 12 [0077.849] lstrcmpiW (lpString1="sihost.exe", lpString2="searchindexer.exe") returned 1 [0077.849] lstrlenW (lpString="searchindexer.exe") returned 17 [0077.849] lstrcmpiW (lpString1="sihost.exe", lpString2="processhacker.exe") returned 1 [0077.849] lstrlenW (lpString="processhacker.exe") returned 17 [0077.849] lstrcmpiW (lpString1="sihost.exe", lpString2="getpassvord_x64.exe") returned 1 [0077.849] lstrlenW (lpString="getpassvord_x64.exe") returned 19 [0077.849] lstrcmpiW (lpString1="sihost.exe", lpString2="64.exe") returned 1 [0077.849] lstrlenW (lpString="64.exe") returned 6 [0077.849] lstrcmpiW (lpString1="sihost.exe", lpString2="32.exe") returned 1 [0077.850] lstrlenW (lpString="32.exe") returned 6 [0077.850] lstrcmpiW (lpString1="sihost.exe", lpString2="mshta.exe") returned 1 [0077.850] lstrlenW (lpString="mshta.exe") returned 9 [0077.850] lstrcmpiW (lpString1="sihost.exe", lpString2="fontdrvhost.exe") returned 1 [0077.850] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0077.850] lstrcmpiW (lpString1="sihost.exe", lpString2="sihost.exe") returned 0 [0077.850] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x33, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0077.851] lstrcmpiW (lpString1="explorer.exe", lpString2="[System process]") returned 1 [0077.851] lstrlenW (lpString="[System process]") returned 16 [0077.851] lstrcmpiW (lpString1="explorer.exe", lpString2="System") returned -1 [0077.851] lstrlenW (lpString="System") returned 6 [0077.851] lstrcmpiW (lpString1="explorer.exe", lpString2="smss.exe") returned -1 [0077.851] lstrlenW (lpString="smss.exe") returned 8 [0077.851] lstrcmpiW (lpString1="explorer.exe", lpString2="dllhost.exe") returned 1 [0077.851] lstrlenW (lpString="dllhost.exe") returned 11 [0077.851] lstrcmpiW (lpString1="explorer.exe", lpString2="svchost.exe") returned -1 [0077.851] lstrlenW (lpString="svchost.exe") returned 11 [0077.851] lstrlenW (lpString="csrss.exe") returned 9 [0077.851] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0077.851] lstrlenW (lpString="WebServices.exe") returned 15 [0077.851] lstrlenW (lpString="cmd.exe") returned 7 [0077.851] lstrlenW (lpString="mstsc.exe") returned 9 [0077.851] lstrlenW (lpString="find.exe") returned 8 [0077.851] lstrlenW (lpString="conhost.exe") returned 11 [0077.851] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0077.852] lstrlenW (lpString="[System process]") returned 16 [0077.852] lstrlenW (lpString="System") returned 6 [0077.852] lstrlenW (lpString="smss.exe") returned 8 [0077.852] lstrlenW (lpString="dllhost.exe") returned 11 [0077.852] lstrlenW (lpString="svchost.exe") returned 11 [0077.852] lstrlenW (lpString="csrss.exe") returned 9 [0077.852] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0077.852] lstrlenW (lpString="WebServices.exe") returned 15 [0077.852] lstrlenW (lpString="cmd.exe") returned 7 [0077.852] lstrlenW (lpString="mstsc.exe") returned 9 [0077.852] lstrlenW (lpString="find.exe") returned 8 [0077.852] lstrlenW (lpString="conhost.exe") returned 11 [0077.853] lstrlenW (lpString="explorer.exe") returned 12 [0077.853] lstrlenW (lpString="ctfmon.exe") returned 10 [0077.853] lstrlenW (lpString="lsass.exe") returned 9 [0077.853] lstrlenW (lpString="services.exe") returned 12 [0077.853] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0077.853] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0077.854] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="CRYPT.EXE")) returned 1 [0077.855] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0077.855] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0077.856] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0077.857] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xce0) returned 0x368 [0077.857] TerminateProcess (hProcess=0x368, uExitCode=0x0) returned 0 [0077.857] CloseHandle (hObject=0x368) returned 1 [0077.857] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xfd8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0077.858] Process32NextW (in: hSnapshot=0x364, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xfd8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 0 [0077.858] CloseHandle (hObject=0x364) returned 1 [0077.858] Sleep (dwMilliseconds=0x3e8) [0079.692] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x30c [0079.698] Process32FirstW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0079.700] lstrcmpiW (lpString1="[System Process]", lpString2="[System process]") returned 0 [0079.701] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x63, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0079.707] lstrcmpiW (lpString1="System", lpString2="[System process]") returned 1 [0079.708] lstrlenW (lpString="[System process]") returned 16 [0079.708] lstrcmpiW (lpString1="System", lpString2="System") returned 0 [0079.708] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0079.709] lstrcmpiW (lpString1="smss.exe", lpString2="[System process]") returned 1 [0079.709] lstrlenW (lpString="[System process]") returned 16 [0079.709] lstrcmpiW (lpString1="smss.exe", lpString2="System") returned -1 [0079.709] lstrlenW (lpString="System") returned 6 [0079.710] lstrcmpiW (lpString1="smss.exe", lpString2="smss.exe") returned 0 [0079.710] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0079.711] lstrcmpiW (lpString1="csrss.exe", lpString2="[System process]") returned 1 [0079.711] lstrlenW (lpString="[System process]") returned 16 [0079.711] lstrcmpiW (lpString1="csrss.exe", lpString2="System") returned -1 [0079.711] lstrlenW (lpString="System") returned 6 [0079.711] lstrcmpiW (lpString1="csrss.exe", lpString2="smss.exe") returned -1 [0079.711] lstrlenW (lpString="smss.exe") returned 8 [0079.711] lstrcmpiW (lpString1="csrss.exe", lpString2="dllhost.exe") returned -1 [0079.712] lstrlenW (lpString="dllhost.exe") returned 11 [0079.712] lstrcmpiW (lpString1="csrss.exe", lpString2="svchost.exe") returned -1 [0079.712] lstrlenW (lpString="svchost.exe") returned 11 [0079.712] lstrcmpiW (lpString1="csrss.exe", lpString2="csrss.exe") returned 0 [0079.712] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0079.713] lstrcmpiW (lpString1="wininit.exe", lpString2="[System process]") returned 1 [0079.714] lstrlenW (lpString="[System process]") returned 16 [0079.714] lstrcmpiW (lpString1="wininit.exe", lpString2="System") returned 1 [0079.714] lstrlenW (lpString="System") returned 6 [0079.714] lstrcmpiW (lpString1="wininit.exe", lpString2="smss.exe") returned 1 [0079.714] lstrlenW (lpString="smss.exe") returned 8 [0079.714] lstrcmpiW (lpString1="wininit.exe", lpString2="dllhost.exe") returned 1 [0079.714] lstrlenW (lpString="dllhost.exe") returned 11 [0079.714] lstrcmpiW (lpString1="wininit.exe", lpString2="svchost.exe") returned 1 [0079.714] lstrlenW (lpString="svchost.exe") returned 11 [0079.714] lstrcmpiW (lpString1="wininit.exe", lpString2="csrss.exe") returned 1 [0079.714] lstrlenW (lpString="csrss.exe") returned 9 [0079.714] lstrcmpiW (lpString1="wininit.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0079.714] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0079.714] lstrcmpiW (lpString1="wininit.exe", lpString2="WebServices.exe") returned 1 [0079.714] lstrlenW (lpString="WebServices.exe") returned 15 [0079.714] lstrcmpiW (lpString1="wininit.exe", lpString2="cmd.exe") returned 1 [0079.715] lstrlenW (lpString="cmd.exe") returned 7 [0079.715] lstrcmpiW (lpString1="wininit.exe", lpString2="mstsc.exe") returned 1 [0079.715] lstrlenW (lpString="mstsc.exe") returned 9 [0079.715] lstrcmpiW (lpString1="wininit.exe", lpString2="find.exe") returned 1 [0079.715] lstrlenW (lpString="find.exe") returned 8 [0079.715] lstrcmpiW (lpString1="wininit.exe", lpString2="conhost.exe") returned 1 [0079.715] lstrlenW (lpString="conhost.exe") returned 11 [0079.715] lstrcmpiW (lpString1="wininit.exe", lpString2="explorer.exe") returned 1 [0079.715] lstrlenW (lpString="explorer.exe") returned 12 [0079.715] lstrcmpiW (lpString1="wininit.exe", lpString2="ctfmon.exe") returned 1 [0079.715] lstrlenW (lpString="ctfmon.exe") returned 10 [0079.715] lstrcmpiW (lpString1="wininit.exe", lpString2="lsass.exe") returned 1 [0079.715] lstrlenW (lpString="lsass.exe") returned 9 [0079.715] lstrcmpiW (lpString1="wininit.exe", lpString2="services.exe") returned 1 [0079.715] lstrlenW (lpString="services.exe") returned 12 [0079.715] lstrcmpiW (lpString1="wininit.exe", lpString2="tasklist.exe") returned 1 [0079.715] lstrlenW (lpString="tasklist.exe") returned 12 [0079.716] lstrcmpiW (lpString1="wininit.exe", lpString2="winlogon.exe") returned -1 [0079.716] lstrlenW (lpString="winlogon.exe") returned 12 [0079.716] lstrcmpiW (lpString1="wininit.exe", lpString2="wmiprvse.exe") returned -1 [0079.716] lstrlenW (lpString="wmiprvse.exe") returned 12 [0079.716] lstrcmpiW (lpString1="wininit.exe", lpString2="msdts.exe") returned 1 [0079.716] lstrlenW (lpString="msdts.exe") returned 9 [0079.716] lstrcmpiW (lpString1="wininit.exe", lpString2="bfsvc.exe") returned 1 [0079.716] lstrlenW (lpString="bfsvc.exe") returned 9 [0079.716] lstrcmpiW (lpString1="wininit.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0079.716] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0079.716] lstrcmpiW (lpString1="wininit.exe", lpString2="alg.exe") returned 1 [0079.716] lstrlenW (lpString="alg.exe") returned 7 [0079.716] lstrcmpiW (lpString1="wininit.exe", lpString2="dwm.exe") returned 1 [0079.716] lstrlenW (lpString="dwm.exe") returned 7 [0079.716] lstrcmpiW (lpString1="wininit.exe", lpString2="issch.exe") returned 1 [0079.716] lstrlenW (lpString="issch.exe") returned 9 [0079.716] lstrcmpiW (lpString1="wininit.exe", lpString2="rundll32.exe") returned 1 [0079.717] lstrlenW (lpString="rundll32.exe") returned 12 [0079.717] lstrcmpiW (lpString1="wininit.exe", lpString2="spoolsv.exe") returned 1 [0079.717] lstrlenW (lpString="spoolsv.exe") returned 11 [0079.717] lstrcmpiW (lpString1="wininit.exe", lpString2="wininit.exe") returned 0 [0079.717] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0079.718] lstrcmpiW (lpString1="csrss.exe", lpString2="[System process]") returned 1 [0079.719] lstrlenW (lpString="[System process]") returned 16 [0079.719] lstrcmpiW (lpString1="csrss.exe", lpString2="System") returned -1 [0079.719] lstrlenW (lpString="System") returned 6 [0079.719] lstrcmpiW (lpString1="csrss.exe", lpString2="smss.exe") returned -1 [0079.719] lstrlenW (lpString="smss.exe") returned 8 [0079.719] lstrcmpiW (lpString1="csrss.exe", lpString2="dllhost.exe") returned -1 [0079.719] lstrlenW (lpString="dllhost.exe") returned 11 [0079.719] lstrcmpiW (lpString1="csrss.exe", lpString2="svchost.exe") returned -1 [0079.719] lstrlenW (lpString="svchost.exe") returned 11 [0079.719] lstrcmpiW (lpString1="csrss.exe", lpString2="csrss.exe") returned 0 [0079.720] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0079.721] lstrcmpiW (lpString1="winlogon.exe", lpString2="[System process]") returned 1 [0079.721] lstrlenW (lpString="[System process]") returned 16 [0079.721] lstrcmpiW (lpString1="winlogon.exe", lpString2="System") returned 1 [0079.721] lstrlenW (lpString="System") returned 6 [0079.721] lstrcmpiW (lpString1="winlogon.exe", lpString2="smss.exe") returned 1 [0079.721] lstrlenW (lpString="smss.exe") returned 8 [0079.721] lstrcmpiW (lpString1="winlogon.exe", lpString2="dllhost.exe") returned 1 [0079.722] lstrlenW (lpString="dllhost.exe") returned 11 [0079.722] lstrcmpiW (lpString1="winlogon.exe", lpString2="svchost.exe") returned 1 [0079.722] lstrlenW (lpString="svchost.exe") returned 11 [0079.722] lstrcmpiW (lpString1="winlogon.exe", lpString2="csrss.exe") returned 1 [0079.722] lstrlenW (lpString="csrss.exe") returned 9 [0079.722] lstrcmpiW (lpString1="winlogon.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0079.722] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0079.722] lstrcmpiW (lpString1="winlogon.exe", lpString2="WebServices.exe") returned 1 [0079.722] lstrlenW (lpString="WebServices.exe") returned 15 [0079.722] lstrcmpiW (lpString1="winlogon.exe", lpString2="cmd.exe") returned 1 [0079.722] lstrlenW (lpString="cmd.exe") returned 7 [0079.722] lstrcmpiW (lpString1="winlogon.exe", lpString2="mstsc.exe") returned 1 [0079.722] lstrlenW (lpString="mstsc.exe") returned 9 [0079.722] lstrcmpiW (lpString1="winlogon.exe", lpString2="find.exe") returned 1 [0079.722] lstrlenW (lpString="find.exe") returned 8 [0079.722] lstrcmpiW (lpString1="winlogon.exe", lpString2="conhost.exe") returned 1 [0079.722] lstrlenW (lpString="conhost.exe") returned 11 [0079.722] lstrcmpiW (lpString1="winlogon.exe", lpString2="explorer.exe") returned 1 [0079.723] lstrlenW (lpString="explorer.exe") returned 12 [0079.723] lstrcmpiW (lpString1="winlogon.exe", lpString2="ctfmon.exe") returned 1 [0079.723] lstrlenW (lpString="ctfmon.exe") returned 10 [0079.723] lstrcmpiW (lpString1="winlogon.exe", lpString2="lsass.exe") returned 1 [0079.723] lstrlenW (lpString="lsass.exe") returned 9 [0079.723] lstrcmpiW (lpString1="winlogon.exe", lpString2="services.exe") returned 1 [0079.723] lstrlenW (lpString="services.exe") returned 12 [0079.723] lstrcmpiW (lpString1="winlogon.exe", lpString2="tasklist.exe") returned 1 [0079.723] lstrlenW (lpString="tasklist.exe") returned 12 [0079.723] lstrcmpiW (lpString1="winlogon.exe", lpString2="winlogon.exe") returned 0 [0079.723] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0079.728] lstrcmpiW (lpString1="services.exe", lpString2="[System process]") returned 1 [0079.728] lstrlenW (lpString="[System process]") returned 16 [0079.728] lstrcmpiW (lpString1="services.exe", lpString2="System") returned -1 [0079.728] lstrlenW (lpString="System") returned 6 [0079.728] lstrcmpiW (lpString1="services.exe", lpString2="smss.exe") returned -1 [0079.728] lstrlenW (lpString="smss.exe") returned 8 [0079.728] lstrcmpiW (lpString1="services.exe", lpString2="dllhost.exe") returned 1 [0079.728] lstrlenW (lpString="dllhost.exe") returned 11 [0079.728] lstrcmpiW (lpString1="services.exe", lpString2="svchost.exe") returned -1 [0079.728] lstrlenW (lpString="svchost.exe") returned 11 [0079.728] lstrcmpiW (lpString1="services.exe", lpString2="csrss.exe") returned 1 [0079.728] lstrlenW (lpString="csrss.exe") returned 9 [0079.728] lstrcmpiW (lpString1="services.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0079.728] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0079.728] lstrcmpiW (lpString1="services.exe", lpString2="WebServices.exe") returned -1 [0079.729] lstrlenW (lpString="WebServices.exe") returned 15 [0079.729] lstrcmpiW (lpString1="services.exe", lpString2="cmd.exe") returned 1 [0079.729] lstrlenW (lpString="cmd.exe") returned 7 [0079.729] lstrcmpiW (lpString1="services.exe", lpString2="mstsc.exe") returned 1 [0079.729] lstrlenW (lpString="mstsc.exe") returned 9 [0079.729] lstrcmpiW (lpString1="services.exe", lpString2="find.exe") returned 1 [0079.729] lstrlenW (lpString="find.exe") returned 8 [0079.729] lstrcmpiW (lpString1="services.exe", lpString2="conhost.exe") returned 1 [0079.729] lstrlenW (lpString="conhost.exe") returned 11 [0079.729] lstrcmpiW (lpString1="services.exe", lpString2="explorer.exe") returned 1 [0079.729] lstrlenW (lpString="explorer.exe") returned 12 [0079.729] lstrcmpiW (lpString1="services.exe", lpString2="ctfmon.exe") returned 1 [0079.729] lstrlenW (lpString="ctfmon.exe") returned 10 [0079.729] lstrcmpiW (lpString1="services.exe", lpString2="lsass.exe") returned 1 [0079.729] lstrlenW (lpString="lsass.exe") returned 9 [0079.729] lstrcmpiW (lpString1="services.exe", lpString2="services.exe") returned 0 [0079.729] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0079.731] lstrcmpiW (lpString1="lsass.exe", lpString2="[System process]") returned 1 [0079.731] lstrlenW (lpString="[System process]") returned 16 [0079.731] lstrcmpiW (lpString1="lsass.exe", lpString2="System") returned -1 [0079.732] lstrlenW (lpString="System") returned 6 [0079.732] lstrcmpiW (lpString1="lsass.exe", lpString2="smss.exe") returned -1 [0079.732] lstrlenW (lpString="smss.exe") returned 8 [0079.732] lstrcmpiW (lpString1="lsass.exe", lpString2="dllhost.exe") returned 1 [0079.732] lstrlenW (lpString="dllhost.exe") returned 11 [0079.732] lstrcmpiW (lpString1="lsass.exe", lpString2="svchost.exe") returned -1 [0079.732] lstrlenW (lpString="svchost.exe") returned 11 [0079.732] lstrcmpiW (lpString1="lsass.exe", lpString2="csrss.exe") returned 1 [0079.732] lstrlenW (lpString="csrss.exe") returned 9 [0079.732] lstrcmpiW (lpString1="lsass.exe", lpString2="Microsoft.ActiveDirectory") returned -1 [0079.732] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0079.732] lstrcmpiW (lpString1="lsass.exe", lpString2="WebServices.exe") returned -1 [0079.732] lstrlenW (lpString="WebServices.exe") returned 15 [0079.732] lstrcmpiW (lpString1="lsass.exe", lpString2="cmd.exe") returned 1 [0079.732] lstrlenW (lpString="cmd.exe") returned 7 [0079.732] lstrcmpiW (lpString1="lsass.exe", lpString2="mstsc.exe") returned -1 [0079.732] lstrlenW (lpString="mstsc.exe") returned 9 [0079.732] lstrcmpiW (lpString1="lsass.exe", lpString2="find.exe") returned 1 [0079.733] lstrlenW (lpString="find.exe") returned 8 [0079.733] lstrcmpiW (lpString1="lsass.exe", lpString2="conhost.exe") returned 1 [0079.733] lstrlenW (lpString="conhost.exe") returned 11 [0079.733] lstrcmpiW (lpString1="lsass.exe", lpString2="explorer.exe") returned 1 [0079.733] lstrlenW (lpString="explorer.exe") returned 12 [0079.733] lstrcmpiW (lpString1="lsass.exe", lpString2="ctfmon.exe") returned 1 [0079.733] lstrlenW (lpString="ctfmon.exe") returned 10 [0079.733] lstrcmpiW (lpString1="lsass.exe", lpString2="lsass.exe") returned 0 [0079.733] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0079.753] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0079.753] lstrlenW (lpString="[System process]") returned 16 [0079.753] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0079.753] lstrlenW (lpString="System") returned 6 [0079.753] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0079.753] lstrlenW (lpString="smss.exe") returned 8 [0079.753] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0079.753] lstrlenW (lpString="dllhost.exe") returned 11 [0079.753] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0079.753] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0079.756] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0079.756] lstrlenW (lpString="[System process]") returned 16 [0079.756] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0079.756] lstrlenW (lpString="System") returned 6 [0079.756] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0079.756] lstrlenW (lpString="smss.exe") returned 8 [0079.756] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0079.756] lstrlenW (lpString="dllhost.exe") returned 11 [0079.756] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0079.756] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0079.758] lstrcmpiW (lpString1="dwm.exe", lpString2="[System process]") returned 1 [0079.758] lstrlenW (lpString="[System process]") returned 16 [0079.758] lstrcmpiW (lpString1="dwm.exe", lpString2="System") returned -1 [0079.759] lstrlenW (lpString="System") returned 6 [0079.759] lstrcmpiW (lpString1="dwm.exe", lpString2="smss.exe") returned -1 [0079.759] lstrlenW (lpString="smss.exe") returned 8 [0079.759] lstrcmpiW (lpString1="dwm.exe", lpString2="dllhost.exe") returned 1 [0079.759] lstrlenW (lpString="dllhost.exe") returned 11 [0079.759] lstrcmpiW (lpString1="dwm.exe", lpString2="svchost.exe") returned -1 [0079.759] lstrlenW (lpString="svchost.exe") returned 11 [0079.759] lstrcmpiW (lpString1="dwm.exe", lpString2="csrss.exe") returned 1 [0079.759] lstrlenW (lpString="csrss.exe") returned 9 [0079.759] lstrcmpiW (lpString1="dwm.exe", lpString2="Microsoft.ActiveDirectory") returned -1 [0079.759] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0079.759] lstrcmpiW (lpString1="dwm.exe", lpString2="WebServices.exe") returned -1 [0079.759] lstrlenW (lpString="WebServices.exe") returned 15 [0079.759] lstrcmpiW (lpString1="dwm.exe", lpString2="cmd.exe") returned 1 [0079.759] lstrlenW (lpString="cmd.exe") returned 7 [0079.759] lstrcmpiW (lpString1="dwm.exe", lpString2="mstsc.exe") returned -1 [0079.759] lstrlenW (lpString="mstsc.exe") returned 9 [0079.760] lstrcmpiW (lpString1="dwm.exe", lpString2="find.exe") returned -1 [0079.760] lstrlenW (lpString="find.exe") returned 8 [0079.760] lstrcmpiW (lpString1="dwm.exe", lpString2="conhost.exe") returned 1 [0079.760] lstrlenW (lpString="conhost.exe") returned 11 [0079.760] lstrcmpiW (lpString1="dwm.exe", lpString2="explorer.exe") returned -1 [0079.760] lstrlenW (lpString="explorer.exe") returned 12 [0079.760] lstrcmpiW (lpString1="dwm.exe", lpString2="ctfmon.exe") returned 1 [0079.760] lstrlenW (lpString="ctfmon.exe") returned 10 [0079.760] lstrcmpiW (lpString1="dwm.exe", lpString2="lsass.exe") returned -1 [0079.760] lstrlenW (lpString="lsass.exe") returned 9 [0079.760] lstrcmpiW (lpString1="dwm.exe", lpString2="services.exe") returned -1 [0079.760] lstrlenW (lpString="services.exe") returned 12 [0079.760] lstrcmpiW (lpString1="dwm.exe", lpString2="tasklist.exe") returned -1 [0079.760] lstrlenW (lpString="tasklist.exe") returned 12 [0079.760] lstrcmpiW (lpString1="dwm.exe", lpString2="winlogon.exe") returned -1 [0079.760] lstrlenW (lpString="winlogon.exe") returned 12 [0079.761] lstrcmpiW (lpString1="dwm.exe", lpString2="wmiprvse.exe") returned -1 [0079.761] lstrlenW (lpString="wmiprvse.exe") returned 12 [0079.761] lstrcmpiW (lpString1="dwm.exe", lpString2="msdts.exe") returned -1 [0079.761] lstrlenW (lpString="msdts.exe") returned 9 [0079.761] lstrcmpiW (lpString1="dwm.exe", lpString2="bfsvc.exe") returned 1 [0079.761] lstrlenW (lpString="bfsvc.exe") returned 9 [0079.761] lstrcmpiW (lpString1="dwm.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0079.761] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0079.761] lstrcmpiW (lpString1="dwm.exe", lpString2="alg.exe") returned 1 [0079.761] lstrlenW (lpString="alg.exe") returned 7 [0079.761] lstrcmpiW (lpString1="dwm.exe", lpString2="dwm.exe") returned 0 [0079.761] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4b, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0079.763] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0079.763] lstrlenW (lpString="[System process]") returned 16 [0079.763] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0079.763] lstrlenW (lpString="System") returned 6 [0079.763] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0079.763] lstrlenW (lpString="smss.exe") returned 8 [0079.763] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0079.764] lstrlenW (lpString="dllhost.exe") returned 11 [0079.764] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0079.764] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0079.765] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0079.765] lstrlenW (lpString="[System process]") returned 16 [0079.766] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0079.768] lstrlenW (lpString="System") returned 6 [0079.768] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0079.768] lstrlenW (lpString="smss.exe") returned 8 [0079.768] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0079.768] lstrlenW (lpString="dllhost.exe") returned 11 [0079.768] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0079.768] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0079.770] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0079.770] lstrlenW (lpString="[System process]") returned 16 [0079.770] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0079.770] lstrlenW (lpString="System") returned 6 [0079.770] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0079.770] lstrlenW (lpString="smss.exe") returned 8 [0079.770] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0079.770] lstrlenW (lpString="dllhost.exe") returned 11 [0079.770] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0079.770] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0079.772] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0079.772] lstrlenW (lpString="[System process]") returned 16 [0079.772] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0079.772] lstrlenW (lpString="System") returned 6 [0079.772] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0079.772] lstrlenW (lpString="smss.exe") returned 8 [0079.772] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0079.772] lstrlenW (lpString="dllhost.exe") returned 11 [0079.772] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0079.773] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0079.774] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0079.774] lstrlenW (lpString="[System process]") returned 16 [0079.774] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0079.774] lstrlenW (lpString="System") returned 6 [0079.774] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0079.775] lstrlenW (lpString="smss.exe") returned 8 [0079.775] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0079.775] lstrlenW (lpString="dllhost.exe") returned 11 [0079.775] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0079.775] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0079.776] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0079.776] lstrlenW (lpString="[System process]") returned 16 [0079.776] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0079.777] lstrlenW (lpString="System") returned 6 [0079.777] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0079.777] lstrlenW (lpString="smss.exe") returned 8 [0079.777] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0079.777] lstrlenW (lpString="dllhost.exe") returned 11 [0079.777] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0079.777] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0079.779] lstrcmpiW (lpString1="spoolsv.exe", lpString2="[System process]") returned 1 [0079.779] lstrlenW (lpString="[System process]") returned 16 [0079.779] lstrcmpiW (lpString1="spoolsv.exe", lpString2="System") returned -1 [0079.779] lstrlenW (lpString="System") returned 6 [0079.779] lstrcmpiW (lpString1="spoolsv.exe", lpString2="smss.exe") returned 1 [0079.779] lstrlenW (lpString="smss.exe") returned 8 [0079.779] lstrcmpiW (lpString1="spoolsv.exe", lpString2="dllhost.exe") returned 1 [0079.779] lstrlenW (lpString="dllhost.exe") returned 11 [0079.779] lstrcmpiW (lpString1="spoolsv.exe", lpString2="svchost.exe") returned -1 [0079.780] lstrlenW (lpString="svchost.exe") returned 11 [0079.780] lstrcmpiW (lpString1="spoolsv.exe", lpString2="csrss.exe") returned 1 [0079.780] lstrlenW (lpString="csrss.exe") returned 9 [0079.780] lstrcmpiW (lpString1="spoolsv.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0079.780] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0079.780] lstrcmpiW (lpString1="spoolsv.exe", lpString2="WebServices.exe") returned -1 [0079.780] lstrlenW (lpString="WebServices.exe") returned 15 [0079.780] lstrcmpiW (lpString1="spoolsv.exe", lpString2="cmd.exe") returned 1 [0079.780] lstrlenW (lpString="cmd.exe") returned 7 [0079.780] lstrcmpiW (lpString1="spoolsv.exe", lpString2="mstsc.exe") returned 1 [0079.780] lstrlenW (lpString="mstsc.exe") returned 9 [0079.780] lstrcmpiW (lpString1="spoolsv.exe", lpString2="find.exe") returned 1 [0079.780] lstrlenW (lpString="find.exe") returned 8 [0079.780] lstrcmpiW (lpString1="spoolsv.exe", lpString2="conhost.exe") returned 1 [0079.780] lstrlenW (lpString="conhost.exe") returned 11 [0079.780] lstrcmpiW (lpString1="spoolsv.exe", lpString2="explorer.exe") returned 1 [0079.780] lstrlenW (lpString="explorer.exe") returned 12 [0079.780] lstrcmpiW (lpString1="spoolsv.exe", lpString2="ctfmon.exe") returned 1 [0079.781] lstrlenW (lpString="ctfmon.exe") returned 10 [0079.781] lstrcmpiW (lpString1="spoolsv.exe", lpString2="lsass.exe") returned 1 [0079.781] lstrlenW (lpString="lsass.exe") returned 9 [0079.781] lstrcmpiW (lpString1="spoolsv.exe", lpString2="services.exe") returned 1 [0079.781] lstrlenW (lpString="services.exe") returned 12 [0079.781] lstrcmpiW (lpString1="spoolsv.exe", lpString2="tasklist.exe") returned -1 [0079.781] lstrlenW (lpString="tasklist.exe") returned 12 [0079.781] lstrcmpiW (lpString1="spoolsv.exe", lpString2="winlogon.exe") returned -1 [0079.781] lstrlenW (lpString="winlogon.exe") returned 12 [0079.781] lstrcmpiW (lpString1="spoolsv.exe", lpString2="wmiprvse.exe") returned -1 [0079.782] lstrlenW (lpString="wmiprvse.exe") returned 12 [0079.782] lstrcmpiW (lpString1="spoolsv.exe", lpString2="msdts.exe") returned 1 [0079.782] lstrlenW (lpString="msdts.exe") returned 9 [0079.782] lstrcmpiW (lpString1="spoolsv.exe", lpString2="bfsvc.exe") returned 1 [0079.782] lstrlenW (lpString="bfsvc.exe") returned 9 [0079.782] lstrcmpiW (lpString1="spoolsv.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0079.782] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0079.782] lstrcmpiW (lpString1="spoolsv.exe", lpString2="alg.exe") returned 1 [0079.782] lstrlenW (lpString="alg.exe") returned 7 [0079.782] lstrcmpiW (lpString1="spoolsv.exe", lpString2="dwm.exe") returned 1 [0079.782] lstrlenW (lpString="dwm.exe") returned 7 [0079.782] lstrcmpiW (lpString1="spoolsv.exe", lpString2="issch.exe") returned 1 [0079.782] lstrlenW (lpString="issch.exe") returned 9 [0079.782] lstrcmpiW (lpString1="spoolsv.exe", lpString2="rundll32.exe") returned 1 [0079.782] lstrlenW (lpString="rundll32.exe") returned 12 [0079.783] lstrcmpiW (lpString1="spoolsv.exe", lpString2="spoolsv.exe") returned 0 [0079.783] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0079.784] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0079.784] lstrlenW (lpString="[System process]") returned 16 [0079.785] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0079.785] lstrlenW (lpString="System") returned 6 [0079.785] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0079.785] lstrlenW (lpString="smss.exe") returned 8 [0079.785] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0079.785] lstrlenW (lpString="dllhost.exe") returned 11 [0079.785] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0079.785] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0079.786] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0079.787] lstrlenW (lpString="[System process]") returned 16 [0079.787] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0079.787] lstrlenW (lpString="System") returned 6 [0079.787] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0079.787] lstrlenW (lpString="smss.exe") returned 8 [0079.787] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0079.787] lstrlenW (lpString="dllhost.exe") returned 11 [0079.787] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0079.787] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0079.791] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0079.791] lstrlenW (lpString="[System process]") returned 16 [0079.791] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0079.791] lstrlenW (lpString="System") returned 6 [0079.791] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0079.791] lstrlenW (lpString="smss.exe") returned 8 [0079.791] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0079.791] lstrlenW (lpString="dllhost.exe") returned 11 [0079.791] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0079.792] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0079.793] lstrcmpiW (lpString1="sihost.exe", lpString2="[System process]") returned 1 [0079.793] lstrlenW (lpString="[System process]") returned 16 [0079.793] lstrcmpiW (lpString1="sihost.exe", lpString2="System") returned -1 [0079.793] lstrlenW (lpString="System") returned 6 [0079.793] lstrcmpiW (lpString1="sihost.exe", lpString2="smss.exe") returned -1 [0079.793] lstrlenW (lpString="smss.exe") returned 8 [0079.793] lstrcmpiW (lpString1="sihost.exe", lpString2="dllhost.exe") returned 1 [0079.793] lstrlenW (lpString="dllhost.exe") returned 11 [0079.793] lstrcmpiW (lpString1="sihost.exe", lpString2="svchost.exe") returned -1 [0079.793] lstrlenW (lpString="svchost.exe") returned 11 [0079.793] lstrcmpiW (lpString1="sihost.exe", lpString2="csrss.exe") returned 1 [0079.794] lstrlenW (lpString="csrss.exe") returned 9 [0079.794] lstrcmpiW (lpString1="sihost.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0079.794] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0079.794] lstrcmpiW (lpString1="sihost.exe", lpString2="WebServices.exe") returned -1 [0079.794] lstrlenW (lpString="WebServices.exe") returned 15 [0079.794] lstrcmpiW (lpString1="sihost.exe", lpString2="cmd.exe") returned 1 [0079.794] lstrlenW (lpString="cmd.exe") returned 7 [0079.794] lstrcmpiW (lpString1="sihost.exe", lpString2="mstsc.exe") returned 1 [0079.794] lstrlenW (lpString="mstsc.exe") returned 9 [0079.794] lstrcmpiW (lpString1="sihost.exe", lpString2="find.exe") returned 1 [0079.794] lstrlenW (lpString="find.exe") returned 8 [0079.794] lstrcmpiW (lpString1="sihost.exe", lpString2="conhost.exe") returned 1 [0079.794] lstrlenW (lpString="conhost.exe") returned 11 [0079.794] lstrcmpiW (lpString1="sihost.exe", lpString2="explorer.exe") returned 1 [0079.794] lstrlenW (lpString="explorer.exe") returned 12 [0079.794] lstrcmpiW (lpString1="sihost.exe", lpString2="ctfmon.exe") returned 1 [0079.794] lstrlenW (lpString="ctfmon.exe") returned 10 [0079.794] lstrcmpiW (lpString1="sihost.exe", lpString2="lsass.exe") returned 1 [0079.795] lstrlenW (lpString="lsass.exe") returned 9 [0079.795] lstrcmpiW (lpString1="sihost.exe", lpString2="services.exe") returned 1 [0079.795] lstrlenW (lpString="services.exe") returned 12 [0079.795] lstrcmpiW (lpString1="sihost.exe", lpString2="tasklist.exe") returned -1 [0079.795] lstrlenW (lpString="tasklist.exe") returned 12 [0079.795] lstrcmpiW (lpString1="sihost.exe", lpString2="winlogon.exe") returned -1 [0079.795] lstrlenW (lpString="winlogon.exe") returned 12 [0079.795] lstrcmpiW (lpString1="sihost.exe", lpString2="wmiprvse.exe") returned -1 [0079.795] lstrlenW (lpString="wmiprvse.exe") returned 12 [0079.795] lstrcmpiW (lpString1="sihost.exe", lpString2="msdts.exe") returned 1 [0079.795] lstrlenW (lpString="msdts.exe") returned 9 [0079.795] lstrcmpiW (lpString1="sihost.exe", lpString2="bfsvc.exe") returned 1 [0079.795] lstrlenW (lpString="bfsvc.exe") returned 9 [0079.795] lstrcmpiW (lpString1="sihost.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0079.795] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0079.795] lstrcmpiW (lpString1="sihost.exe", lpString2="alg.exe") returned 1 [0079.795] lstrlenW (lpString="alg.exe") returned 7 [0079.795] lstrcmpiW (lpString1="sihost.exe", lpString2="dwm.exe") returned 1 [0079.795] lstrlenW (lpString="dwm.exe") returned 7 [0079.795] lstrcmpiW (lpString1="sihost.exe", lpString2="issch.exe") returned 1 [0079.796] lstrlenW (lpString="issch.exe") returned 9 [0079.796] lstrcmpiW (lpString1="sihost.exe", lpString2="rundll32.exe") returned 1 [0079.796] lstrlenW (lpString="rundll32.exe") returned 12 [0079.796] lstrcmpiW (lpString1="sihost.exe", lpString2="spoolsv.exe") returned -1 [0079.796] lstrlenW (lpString="spoolsv.exe") returned 11 [0079.796] lstrcmpiW (lpString1="sihost.exe", lpString2="wininit.exe") returned -1 [0079.796] lstrlenW (lpString="wininit.exe") returned 11 [0079.796] lstrcmpiW (lpString1="sihost.exe", lpString2="wmiprvse.exe") returned -1 [0079.796] lstrlenW (lpString="wmiprvse.exe") returned 12 [0079.796] lstrcmpiW (lpString1="sihost.exe", lpString2="wudfhost.exe") returned -1 [0079.796] lstrlenW (lpString="wudfhost.exe") returned 12 [0079.796] lstrcmpiW (lpString1="sihost.exe", lpString2="taskmgr.exe") returned -1 [0079.796] lstrlenW (lpString="taskmgr.exe") returned 11 [0079.796] lstrcmpiW (lpString1="sihost.exe", lpString2="rdpclip.exe") returned 1 [0079.796] lstrlenW (lpString="rdpclip.exe") returned 11 [0079.796] lstrcmpiW (lpString1="sihost.exe", lpString2="logonui.exe") returned 1 [0079.796] lstrlenW (lpString="logonui.exe") returned 11 [0079.796] lstrcmpiW (lpString1="sihost.exe", lpString2="lsm.exe") returned 1 [0079.797] lstrlenW (lpString="lsm.exe") returned 7 [0079.797] lstrcmpiW (lpString1="sihost.exe", lpString2="searchui.exe") returned 1 [0079.797] lstrlenW (lpString="searchui.exe") returned 12 [0079.797] lstrcmpiW (lpString1="sihost.exe", lpString2="searchindexer.exe") returned 1 [0079.805] lstrlenW (lpString="searchindexer.exe") returned 17 [0079.805] lstrcmpiW (lpString1="sihost.exe", lpString2="processhacker.exe") returned 1 [0079.805] lstrlenW (lpString="processhacker.exe") returned 17 [0079.806] lstrcmpiW (lpString1="sihost.exe", lpString2="getpassvord_x64.exe") returned 1 [0079.806] lstrlenW (lpString="getpassvord_x64.exe") returned 19 [0079.806] lstrcmpiW (lpString1="sihost.exe", lpString2="64.exe") returned 1 [0079.806] lstrlenW (lpString="64.exe") returned 6 [0079.806] lstrcmpiW (lpString1="sihost.exe", lpString2="32.exe") returned 1 [0079.806] lstrlenW (lpString="32.exe") returned 6 [0079.806] lstrcmpiW (lpString1="sihost.exe", lpString2="mshta.exe") returned 1 [0079.806] lstrlenW (lpString="mshta.exe") returned 9 [0079.806] lstrcmpiW (lpString1="sihost.exe", lpString2="fontdrvhost.exe") returned 1 [0079.806] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0079.806] lstrcmpiW (lpString1="sihost.exe", lpString2="sihost.exe") returned 0 [0079.806] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x33, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0079.808] lstrcmpiW (lpString1="explorer.exe", lpString2="[System process]") returned 1 [0079.809] lstrlenW (lpString="[System process]") returned 16 [0079.809] lstrcmpiW (lpString1="explorer.exe", lpString2="System") returned -1 [0079.809] lstrlenW (lpString="System") returned 6 [0079.809] lstrcmpiW (lpString1="explorer.exe", lpString2="smss.exe") returned -1 [0079.809] lstrlenW (lpString="smss.exe") returned 8 [0079.809] lstrcmpiW (lpString1="explorer.exe", lpString2="dllhost.exe") returned 1 [0079.809] lstrlenW (lpString="dllhost.exe") returned 11 [0079.809] lstrcmpiW (lpString1="explorer.exe", lpString2="svchost.exe") returned -1 [0079.809] lstrlenW (lpString="svchost.exe") returned 11 [0079.809] lstrlenW (lpString="csrss.exe") returned 9 [0079.809] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0079.809] lstrlenW (lpString="WebServices.exe") returned 15 [0079.809] lstrlenW (lpString="cmd.exe") returned 7 [0079.809] lstrlenW (lpString="mstsc.exe") returned 9 [0079.810] lstrlenW (lpString="find.exe") returned 8 [0079.810] lstrlenW (lpString="conhost.exe") returned 11 [0079.810] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0079.811] lstrlenW (lpString="[System process]") returned 16 [0079.811] lstrlenW (lpString="System") returned 6 [0079.811] lstrlenW (lpString="smss.exe") returned 8 [0079.811] lstrlenW (lpString="dllhost.exe") returned 11 [0079.811] lstrlenW (lpString="svchost.exe") returned 11 [0079.811] lstrlenW (lpString="csrss.exe") returned 9 [0079.812] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0079.812] lstrlenW (lpString="WebServices.exe") returned 15 [0079.812] lstrlenW (lpString="cmd.exe") returned 7 [0079.812] lstrlenW (lpString="mstsc.exe") returned 9 [0079.812] lstrlenW (lpString="find.exe") returned 8 [0079.812] lstrlenW (lpString="conhost.exe") returned 11 [0079.812] lstrlenW (lpString="explorer.exe") returned 12 [0079.812] lstrlenW (lpString="ctfmon.exe") returned 10 [0079.812] lstrlenW (lpString="lsass.exe") returned 9 [0079.812] lstrlenW (lpString="services.exe") returned 12 [0079.812] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0079.814] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0079.815] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="CRYPT.EXE")) returned 1 [0079.817] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0079.819] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0079.820] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xfd8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0079.821] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xcc0, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0079.822] Process32NextW (in: hSnapshot=0x30c, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xcc0, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0079.823] CloseHandle (hObject=0x30c) returned 1 [0079.823] Sleep (dwMilliseconds=0x3e8) [0081.440] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x330 [0081.445] Process32FirstW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0081.446] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x63, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0081.448] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0081.449] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0081.450] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0081.451] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0081.452] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0081.453] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0081.454] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0081.456] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0081.457] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0081.458] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0081.459] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4b, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0081.460] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0081.461] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0081.462] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0081.463] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0081.464] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0081.465] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0081.466] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0081.467] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0081.468] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0081.469] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0081.470] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x33, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0081.472] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0081.473] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0081.474] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.228] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="CRYPT.EXE")) returned 1 [0083.231] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.233] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0083.234] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xfd8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0083.244] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xcc0, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0083.245] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xcc0, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0083.247] CloseHandle (hObject=0x330) returned 1 [0083.247] Sleep (dwMilliseconds=0x3e8) [0085.107] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x330 [0085.113] Process32FirstW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0085.115] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x63, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0085.118] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0085.120] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0085.121] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0085.124] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0085.125] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0085.126] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0085.128] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0085.129] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.130] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.132] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0085.133] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4b, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.135] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.136] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.137] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.138] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.140] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.143] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0085.145] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.484] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.485] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.486] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0085.488] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x33, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0085.489] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0085.497] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0085.499] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.500] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="CRYPT.EXE")) returned 1 [0085.502] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.506] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0085.507] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xfd8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0085.509] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcc0, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0085.517] Process32NextW (in: hSnapshot=0x330, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcc0, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0085.770] CloseHandle (hObject=0x330) returned 1 [0085.770] Sleep (dwMilliseconds=0x3e8) [0087.244] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x328 [0087.252] Process32FirstW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0087.253] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x63, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0087.255] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0087.256] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0087.257] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0087.258] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0087.259] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0087.261] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0087.263] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0087.264] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.266] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.269] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0087.270] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4b, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.271] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.272] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.273] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.274] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.275] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.277] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0087.278] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.279] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.281] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.283] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0087.284] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x33, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0087.285] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0087.286] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0087.287] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.288] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x36, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="CRYPT.EXE")) returned 1 [0087.289] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.356] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0087.358] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xfd8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0087.359] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xcc0, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0087.360] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0087.361] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xe14) returned 0x320 [0087.361] TerminateProcess (hProcess=0x320, uExitCode=0x0) returned 1 [0087.362] CloseHandle (hObject=0x320) returned 1 [0087.362] Process32NextW (in: hSnapshot=0x328, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 0 [0087.364] CloseHandle (hObject=0x328) returned 1 [0087.364] Sleep (dwMilliseconds=0x3e8) [0088.442] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x384 [0088.446] Process32FirstW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0088.448] lstrcmpiW (lpString1="[System Process]", lpString2="[System process]") returned 0 [0088.448] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x63, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0088.449] lstrcmpiW (lpString1="System", lpString2="[System process]") returned 1 [0088.449] lstrlenW (lpString="[System process]") returned 16 [0088.449] lstrcmpiW (lpString1="System", lpString2="System") returned 0 [0088.449] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0088.450] lstrcmpiW (lpString1="smss.exe", lpString2="[System process]") returned 1 [0088.450] lstrlenW (lpString="[System process]") returned 16 [0088.450] lstrcmpiW (lpString1="smss.exe", lpString2="System") returned -1 [0088.451] lstrlenW (lpString="System") returned 6 [0088.451] lstrcmpiW (lpString1="smss.exe", lpString2="smss.exe") returned 0 [0088.451] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0088.452] lstrcmpiW (lpString1="csrss.exe", lpString2="[System process]") returned 1 [0088.452] lstrlenW (lpString="[System process]") returned 16 [0088.452] lstrcmpiW (lpString1="csrss.exe", lpString2="System") returned -1 [0088.452] lstrlenW (lpString="System") returned 6 [0088.452] lstrcmpiW (lpString1="csrss.exe", lpString2="smss.exe") returned -1 [0088.452] lstrlenW (lpString="smss.exe") returned 8 [0088.452] lstrcmpiW (lpString1="csrss.exe", lpString2="dllhost.exe") returned -1 [0088.452] lstrlenW (lpString="dllhost.exe") returned 11 [0088.452] lstrcmpiW (lpString1="csrss.exe", lpString2="svchost.exe") returned -1 [0088.452] lstrlenW (lpString="svchost.exe") returned 11 [0088.453] lstrcmpiW (lpString1="csrss.exe", lpString2="csrss.exe") returned 0 [0088.453] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0088.454] lstrcmpiW (lpString1="wininit.exe", lpString2="[System process]") returned 1 [0088.454] lstrlenW (lpString="[System process]") returned 16 [0088.454] lstrcmpiW (lpString1="wininit.exe", lpString2="System") returned 1 [0088.454] lstrlenW (lpString="System") returned 6 [0088.454] lstrcmpiW (lpString1="wininit.exe", lpString2="smss.exe") returned 1 [0088.454] lstrlenW (lpString="smss.exe") returned 8 [0088.454] lstrcmpiW (lpString1="wininit.exe", lpString2="dllhost.exe") returned 1 [0088.454] lstrlenW (lpString="dllhost.exe") returned 11 [0088.454] lstrcmpiW (lpString1="wininit.exe", lpString2="svchost.exe") returned 1 [0088.454] lstrlenW (lpString="svchost.exe") returned 11 [0088.454] lstrcmpiW (lpString1="wininit.exe", lpString2="csrss.exe") returned 1 [0088.454] lstrlenW (lpString="csrss.exe") returned 9 [0088.455] lstrcmpiW (lpString1="wininit.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0088.455] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0088.455] lstrcmpiW (lpString1="wininit.exe", lpString2="WebServices.exe") returned 1 [0088.455] lstrlenW (lpString="WebServices.exe") returned 15 [0088.455] lstrcmpiW (lpString1="wininit.exe", lpString2="cmd.exe") returned 1 [0088.455] lstrlenW (lpString="cmd.exe") returned 7 [0088.455] lstrcmpiW (lpString1="wininit.exe", lpString2="mstsc.exe") returned 1 [0088.455] lstrlenW (lpString="mstsc.exe") returned 9 [0088.455] lstrcmpiW (lpString1="wininit.exe", lpString2="find.exe") returned 1 [0088.455] lstrlenW (lpString="find.exe") returned 8 [0088.455] lstrcmpiW (lpString1="wininit.exe", lpString2="conhost.exe") returned 1 [0088.455] lstrlenW (lpString="conhost.exe") returned 11 [0088.455] lstrcmpiW (lpString1="wininit.exe", lpString2="explorer.exe") returned 1 [0088.455] lstrlenW (lpString="explorer.exe") returned 12 [0088.455] lstrcmpiW (lpString1="wininit.exe", lpString2="ctfmon.exe") returned 1 [0088.455] lstrlenW (lpString="ctfmon.exe") returned 10 [0088.455] lstrcmpiW (lpString1="wininit.exe", lpString2="lsass.exe") returned 1 [0088.455] lstrlenW (lpString="lsass.exe") returned 9 [0088.455] lstrcmpiW (lpString1="wininit.exe", lpString2="services.exe") returned 1 [0088.455] lstrlenW (lpString="services.exe") returned 12 [0088.455] lstrcmpiW (lpString1="wininit.exe", lpString2="tasklist.exe") returned 1 [0088.455] lstrlenW (lpString="tasklist.exe") returned 12 [0088.455] lstrcmpiW (lpString1="wininit.exe", lpString2="winlogon.exe") returned -1 [0088.455] lstrlenW (lpString="winlogon.exe") returned 12 [0088.455] lstrcmpiW (lpString1="wininit.exe", lpString2="wmiprvse.exe") returned -1 [0088.455] lstrlenW (lpString="wmiprvse.exe") returned 12 [0088.455] lstrcmpiW (lpString1="wininit.exe", lpString2="msdts.exe") returned 1 [0088.455] lstrlenW (lpString="msdts.exe") returned 9 [0088.455] lstrcmpiW (lpString1="wininit.exe", lpString2="bfsvc.exe") returned 1 [0088.455] lstrlenW (lpString="bfsvc.exe") returned 9 [0088.455] lstrcmpiW (lpString1="wininit.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0088.455] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0088.455] lstrcmpiW (lpString1="wininit.exe", lpString2="alg.exe") returned 1 [0088.455] lstrlenW (lpString="alg.exe") returned 7 [0088.455] lstrcmpiW (lpString1="wininit.exe", lpString2="dwm.exe") returned 1 [0088.456] lstrlenW (lpString="dwm.exe") returned 7 [0088.456] lstrcmpiW (lpString1="wininit.exe", lpString2="issch.exe") returned 1 [0088.456] lstrlenW (lpString="issch.exe") returned 9 [0088.456] lstrcmpiW (lpString1="wininit.exe", lpString2="rundll32.exe") returned 1 [0088.456] lstrlenW (lpString="rundll32.exe") returned 12 [0088.456] lstrcmpiW (lpString1="wininit.exe", lpString2="spoolsv.exe") returned 1 [0088.456] lstrlenW (lpString="spoolsv.exe") returned 11 [0088.456] lstrcmpiW (lpString1="wininit.exe", lpString2="wininit.exe") returned 0 [0088.456] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0088.457] lstrcmpiW (lpString1="csrss.exe", lpString2="[System process]") returned 1 [0088.457] lstrlenW (lpString="[System process]") returned 16 [0088.457] lstrcmpiW (lpString1="csrss.exe", lpString2="System") returned -1 [0088.457] lstrlenW (lpString="System") returned 6 [0088.457] lstrcmpiW (lpString1="csrss.exe", lpString2="smss.exe") returned -1 [0088.457] lstrlenW (lpString="smss.exe") returned 8 [0088.457] lstrcmpiW (lpString1="csrss.exe", lpString2="dllhost.exe") returned -1 [0088.457] lstrlenW (lpString="dllhost.exe") returned 11 [0088.457] lstrcmpiW (lpString1="csrss.exe", lpString2="svchost.exe") returned -1 [0088.457] lstrlenW (lpString="svchost.exe") returned 11 [0088.458] lstrcmpiW (lpString1="csrss.exe", lpString2="csrss.exe") returned 0 [0088.458] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0088.459] lstrcmpiW (lpString1="winlogon.exe", lpString2="[System process]") returned 1 [0088.459] lstrlenW (lpString="[System process]") returned 16 [0088.459] lstrcmpiW (lpString1="winlogon.exe", lpString2="System") returned 1 [0088.459] lstrlenW (lpString="System") returned 6 [0088.459] lstrcmpiW (lpString1="winlogon.exe", lpString2="smss.exe") returned 1 [0088.459] lstrlenW (lpString="smss.exe") returned 8 [0088.459] lstrcmpiW (lpString1="winlogon.exe", lpString2="dllhost.exe") returned 1 [0088.459] lstrlenW (lpString="dllhost.exe") returned 11 [0088.459] lstrcmpiW (lpString1="winlogon.exe", lpString2="svchost.exe") returned 1 [0088.459] lstrlenW (lpString="svchost.exe") returned 11 [0088.459] lstrcmpiW (lpString1="winlogon.exe", lpString2="csrss.exe") returned 1 [0088.459] lstrlenW (lpString="csrss.exe") returned 9 [0088.459] lstrcmpiW (lpString1="winlogon.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0088.460] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0088.460] lstrcmpiW (lpString1="winlogon.exe", lpString2="WebServices.exe") returned 1 [0088.460] lstrlenW (lpString="WebServices.exe") returned 15 [0088.460] lstrcmpiW (lpString1="winlogon.exe", lpString2="cmd.exe") returned 1 [0088.460] lstrlenW (lpString="cmd.exe") returned 7 [0088.460] lstrcmpiW (lpString1="winlogon.exe", lpString2="mstsc.exe") returned 1 [0088.460] lstrlenW (lpString="mstsc.exe") returned 9 [0088.460] lstrcmpiW (lpString1="winlogon.exe", lpString2="find.exe") returned 1 [0088.460] lstrlenW (lpString="find.exe") returned 8 [0088.460] lstrcmpiW (lpString1="winlogon.exe", lpString2="conhost.exe") returned 1 [0088.460] lstrlenW (lpString="conhost.exe") returned 11 [0088.460] lstrcmpiW (lpString1="winlogon.exe", lpString2="explorer.exe") returned 1 [0088.460] lstrlenW (lpString="explorer.exe") returned 12 [0088.460] lstrcmpiW (lpString1="winlogon.exe", lpString2="ctfmon.exe") returned 1 [0088.460] lstrlenW (lpString="ctfmon.exe") returned 10 [0088.460] lstrcmpiW (lpString1="winlogon.exe", lpString2="lsass.exe") returned 1 [0088.460] lstrlenW (lpString="lsass.exe") returned 9 [0088.460] lstrcmpiW (lpString1="winlogon.exe", lpString2="services.exe") returned 1 [0088.460] lstrlenW (lpString="services.exe") returned 12 [0088.460] lstrcmpiW (lpString1="winlogon.exe", lpString2="tasklist.exe") returned 1 [0088.460] lstrlenW (lpString="tasklist.exe") returned 12 [0088.460] lstrcmpiW (lpString1="winlogon.exe", lpString2="winlogon.exe") returned 0 [0088.460] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0088.462] lstrcmpiW (lpString1="services.exe", lpString2="[System process]") returned 1 [0088.462] lstrlenW (lpString="[System process]") returned 16 [0088.462] lstrcmpiW (lpString1="services.exe", lpString2="System") returned -1 [0088.462] lstrlenW (lpString="System") returned 6 [0088.462] lstrcmpiW (lpString1="services.exe", lpString2="smss.exe") returned -1 [0088.462] lstrlenW (lpString="smss.exe") returned 8 [0088.462] lstrcmpiW (lpString1="services.exe", lpString2="dllhost.exe") returned 1 [0088.462] lstrlenW (lpString="dllhost.exe") returned 11 [0088.462] lstrcmpiW (lpString1="services.exe", lpString2="svchost.exe") returned -1 [0088.462] lstrlenW (lpString="svchost.exe") returned 11 [0088.462] lstrcmpiW (lpString1="services.exe", lpString2="csrss.exe") returned 1 [0088.462] lstrlenW (lpString="csrss.exe") returned 9 [0088.462] lstrcmpiW (lpString1="services.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0088.462] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0088.462] lstrcmpiW (lpString1="services.exe", lpString2="WebServices.exe") returned -1 [0088.462] lstrlenW (lpString="WebServices.exe") returned 15 [0088.462] lstrcmpiW (lpString1="services.exe", lpString2="cmd.exe") returned 1 [0088.463] lstrlenW (lpString="cmd.exe") returned 7 [0088.463] lstrcmpiW (lpString1="services.exe", lpString2="mstsc.exe") returned 1 [0088.463] lstrlenW (lpString="mstsc.exe") returned 9 [0088.463] lstrcmpiW (lpString1="services.exe", lpString2="find.exe") returned 1 [0088.463] lstrlenW (lpString="find.exe") returned 8 [0088.463] lstrcmpiW (lpString1="services.exe", lpString2="conhost.exe") returned 1 [0088.463] lstrlenW (lpString="conhost.exe") returned 11 [0088.463] lstrcmpiW (lpString1="services.exe", lpString2="explorer.exe") returned 1 [0088.463] lstrlenW (lpString="explorer.exe") returned 12 [0088.464] lstrcmpiW (lpString1="services.exe", lpString2="ctfmon.exe") returned 1 [0088.464] lstrlenW (lpString="ctfmon.exe") returned 10 [0088.464] lstrcmpiW (lpString1="services.exe", lpString2="lsass.exe") returned 1 [0088.464] lstrlenW (lpString="lsass.exe") returned 9 [0088.464] lstrcmpiW (lpString1="services.exe", lpString2="services.exe") returned 0 [0088.464] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0088.465] lstrcmpiW (lpString1="lsass.exe", lpString2="[System process]") returned 1 [0088.465] lstrlenW (lpString="[System process]") returned 16 [0088.466] lstrcmpiW (lpString1="lsass.exe", lpString2="System") returned -1 [0088.466] lstrlenW (lpString="System") returned 6 [0088.466] lstrcmpiW (lpString1="lsass.exe", lpString2="smss.exe") returned -1 [0088.466] lstrlenW (lpString="smss.exe") returned 8 [0088.466] lstrcmpiW (lpString1="lsass.exe", lpString2="dllhost.exe") returned 1 [0088.466] lstrlenW (lpString="dllhost.exe") returned 11 [0088.466] lstrcmpiW (lpString1="lsass.exe", lpString2="svchost.exe") returned -1 [0088.466] lstrlenW (lpString="svchost.exe") returned 11 [0088.466] lstrcmpiW (lpString1="lsass.exe", lpString2="csrss.exe") returned 1 [0088.466] lstrlenW (lpString="csrss.exe") returned 9 [0088.466] lstrcmpiW (lpString1="lsass.exe", lpString2="Microsoft.ActiveDirectory") returned -1 [0088.466] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0088.466] lstrcmpiW (lpString1="lsass.exe", lpString2="WebServices.exe") returned -1 [0088.466] lstrlenW (lpString="WebServices.exe") returned 15 [0088.466] lstrcmpiW (lpString1="lsass.exe", lpString2="cmd.exe") returned 1 [0088.466] lstrlenW (lpString="cmd.exe") returned 7 [0088.466] lstrcmpiW (lpString1="lsass.exe", lpString2="mstsc.exe") returned -1 [0088.466] lstrlenW (lpString="mstsc.exe") returned 9 [0088.466] lstrcmpiW (lpString1="lsass.exe", lpString2="find.exe") returned 1 [0088.466] lstrlenW (lpString="find.exe") returned 8 [0088.466] lstrcmpiW (lpString1="lsass.exe", lpString2="conhost.exe") returned 1 [0088.467] lstrlenW (lpString="conhost.exe") returned 11 [0088.467] lstrcmpiW (lpString1="lsass.exe", lpString2="explorer.exe") returned 1 [0088.467] lstrlenW (lpString="explorer.exe") returned 12 [0088.467] lstrcmpiW (lpString1="lsass.exe", lpString2="ctfmon.exe") returned 1 [0088.467] lstrlenW (lpString="ctfmon.exe") returned 10 [0088.467] lstrcmpiW (lpString1="lsass.exe", lpString2="lsass.exe") returned 0 [0088.467] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.469] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0088.469] lstrlenW (lpString="[System process]") returned 16 [0088.469] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0088.469] lstrlenW (lpString="System") returned 6 [0088.469] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0088.469] lstrlenW (lpString="smss.exe") returned 8 [0088.469] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0088.469] lstrlenW (lpString="dllhost.exe") returned 11 [0088.469] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0088.469] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.470] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0088.470] lstrlenW (lpString="[System process]") returned 16 [0088.470] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0088.470] lstrlenW (lpString="System") returned 6 [0088.470] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0088.470] lstrlenW (lpString="smss.exe") returned 8 [0088.471] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0088.471] lstrlenW (lpString="dllhost.exe") returned 11 [0088.471] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0088.471] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0088.472] lstrcmpiW (lpString1="dwm.exe", lpString2="[System process]") returned 1 [0088.472] lstrlenW (lpString="[System process]") returned 16 [0088.472] lstrcmpiW (lpString1="dwm.exe", lpString2="System") returned -1 [0088.472] lstrlenW (lpString="System") returned 6 [0088.472] lstrcmpiW (lpString1="dwm.exe", lpString2="smss.exe") returned -1 [0088.472] lstrlenW (lpString="smss.exe") returned 8 [0088.472] lstrcmpiW (lpString1="dwm.exe", lpString2="dllhost.exe") returned 1 [0088.472] lstrlenW (lpString="dllhost.exe") returned 11 [0088.472] lstrcmpiW (lpString1="dwm.exe", lpString2="svchost.exe") returned -1 [0088.472] lstrlenW (lpString="svchost.exe") returned 11 [0088.472] lstrcmpiW (lpString1="dwm.exe", lpString2="csrss.exe") returned 1 [0088.472] lstrlenW (lpString="csrss.exe") returned 9 [0088.472] lstrcmpiW (lpString1="dwm.exe", lpString2="Microsoft.ActiveDirectory") returned -1 [0088.473] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0088.473] lstrcmpiW (lpString1="dwm.exe", lpString2="WebServices.exe") returned -1 [0088.473] lstrlenW (lpString="WebServices.exe") returned 15 [0088.473] lstrcmpiW (lpString1="dwm.exe", lpString2="cmd.exe") returned 1 [0088.473] lstrlenW (lpString="cmd.exe") returned 7 [0088.473] lstrcmpiW (lpString1="dwm.exe", lpString2="mstsc.exe") returned -1 [0088.473] lstrlenW (lpString="mstsc.exe") returned 9 [0088.473] lstrcmpiW (lpString1="dwm.exe", lpString2="find.exe") returned -1 [0088.473] lstrlenW (lpString="find.exe") returned 8 [0088.473] lstrcmpiW (lpString1="dwm.exe", lpString2="conhost.exe") returned 1 [0088.473] lstrlenW (lpString="conhost.exe") returned 11 [0088.473] lstrcmpiW (lpString1="dwm.exe", lpString2="explorer.exe") returned -1 [0088.473] lstrlenW (lpString="explorer.exe") returned 12 [0088.473] lstrcmpiW (lpString1="dwm.exe", lpString2="ctfmon.exe") returned 1 [0088.473] lstrlenW (lpString="ctfmon.exe") returned 10 [0088.473] lstrcmpiW (lpString1="dwm.exe", lpString2="lsass.exe") returned -1 [0088.473] lstrlenW (lpString="lsass.exe") returned 9 [0088.473] lstrcmpiW (lpString1="dwm.exe", lpString2="services.exe") returned -1 [0088.473] lstrlenW (lpString="services.exe") returned 12 [0088.473] lstrcmpiW (lpString1="dwm.exe", lpString2="tasklist.exe") returned -1 [0088.473] lstrlenW (lpString="tasklist.exe") returned 12 [0088.473] lstrcmpiW (lpString1="dwm.exe", lpString2="winlogon.exe") returned -1 [0088.473] lstrlenW (lpString="winlogon.exe") returned 12 [0088.473] lstrcmpiW (lpString1="dwm.exe", lpString2="wmiprvse.exe") returned -1 [0088.473] lstrlenW (lpString="wmiprvse.exe") returned 12 [0088.473] lstrcmpiW (lpString1="dwm.exe", lpString2="msdts.exe") returned -1 [0088.473] lstrlenW (lpString="msdts.exe") returned 9 [0088.473] lstrcmpiW (lpString1="dwm.exe", lpString2="bfsvc.exe") returned 1 [0088.473] lstrlenW (lpString="bfsvc.exe") returned 9 [0088.473] lstrcmpiW (lpString1="dwm.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0088.473] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0088.473] lstrcmpiW (lpString1="dwm.exe", lpString2="alg.exe") returned 1 [0088.473] lstrlenW (lpString="alg.exe") returned 7 [0088.473] lstrcmpiW (lpString1="dwm.exe", lpString2="dwm.exe") returned 0 [0088.473] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4b, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.475] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0088.475] lstrlenW (lpString="[System process]") returned 16 [0088.475] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0088.475] lstrlenW (lpString="System") returned 6 [0088.475] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0088.475] lstrlenW (lpString="smss.exe") returned 8 [0088.475] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0088.475] lstrlenW (lpString="dllhost.exe") returned 11 [0088.475] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0088.475] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.476] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0088.476] lstrlenW (lpString="[System process]") returned 16 [0088.476] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0088.477] lstrlenW (lpString="System") returned 6 [0088.477] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0088.477] lstrlenW (lpString="smss.exe") returned 8 [0088.477] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0088.477] lstrlenW (lpString="dllhost.exe") returned 11 [0088.477] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0088.477] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.478] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0088.478] lstrlenW (lpString="[System process]") returned 16 [0088.478] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0088.478] lstrlenW (lpString="System") returned 6 [0088.478] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0088.478] lstrlenW (lpString="smss.exe") returned 8 [0088.478] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0088.478] lstrlenW (lpString="dllhost.exe") returned 11 [0088.478] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0088.478] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.479] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0088.479] lstrlenW (lpString="[System process]") returned 16 [0088.479] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0088.479] lstrlenW (lpString="System") returned 6 [0088.480] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0088.480] lstrlenW (lpString="smss.exe") returned 8 [0088.480] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0088.480] lstrlenW (lpString="dllhost.exe") returned 11 [0088.480] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0088.480] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.481] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0088.481] lstrlenW (lpString="[System process]") returned 16 [0088.481] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0088.481] lstrlenW (lpString="System") returned 6 [0088.481] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0088.481] lstrlenW (lpString="smss.exe") returned 8 [0088.481] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0088.481] lstrlenW (lpString="dllhost.exe") returned 11 [0088.481] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0088.481] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.810] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0088.810] lstrlenW (lpString="[System process]") returned 16 [0088.810] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0088.810] lstrlenW (lpString="System") returned 6 [0088.810] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0088.810] lstrlenW (lpString="smss.exe") returned 8 [0088.810] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0088.810] lstrlenW (lpString="dllhost.exe") returned 11 [0088.810] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0088.810] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0088.821] lstrcmpiW (lpString1="spoolsv.exe", lpString2="[System process]") returned 1 [0088.821] lstrlenW (lpString="[System process]") returned 16 [0088.821] lstrcmpiW (lpString1="spoolsv.exe", lpString2="System") returned -1 [0088.821] lstrlenW (lpString="System") returned 6 [0088.821] lstrcmpiW (lpString1="spoolsv.exe", lpString2="smss.exe") returned 1 [0088.821] lstrlenW (lpString="smss.exe") returned 8 [0088.821] lstrcmpiW (lpString1="spoolsv.exe", lpString2="dllhost.exe") returned 1 [0088.821] lstrlenW (lpString="dllhost.exe") returned 11 [0088.821] lstrcmpiW (lpString1="spoolsv.exe", lpString2="svchost.exe") returned -1 [0088.821] lstrlenW (lpString="svchost.exe") returned 11 [0088.821] lstrcmpiW (lpString1="spoolsv.exe", lpString2="csrss.exe") returned 1 [0088.821] lstrlenW (lpString="csrss.exe") returned 9 [0088.821] lstrcmpiW (lpString1="spoolsv.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0088.821] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0088.821] lstrcmpiW (lpString1="spoolsv.exe", lpString2="WebServices.exe") returned -1 [0088.821] lstrlenW (lpString="WebServices.exe") returned 15 [0088.821] lstrcmpiW (lpString1="spoolsv.exe", lpString2="cmd.exe") returned 1 [0088.821] lstrlenW (lpString="cmd.exe") returned 7 [0088.822] lstrcmpiW (lpString1="spoolsv.exe", lpString2="mstsc.exe") returned 1 [0088.822] lstrlenW (lpString="mstsc.exe") returned 9 [0088.822] lstrcmpiW (lpString1="spoolsv.exe", lpString2="find.exe") returned 1 [0088.822] lstrlenW (lpString="find.exe") returned 8 [0088.822] lstrcmpiW (lpString1="spoolsv.exe", lpString2="conhost.exe") returned 1 [0088.822] lstrlenW (lpString="conhost.exe") returned 11 [0088.822] lstrcmpiW (lpString1="spoolsv.exe", lpString2="explorer.exe") returned 1 [0088.822] lstrlenW (lpString="explorer.exe") returned 12 [0088.822] lstrcmpiW (lpString1="spoolsv.exe", lpString2="ctfmon.exe") returned 1 [0088.822] lstrlenW (lpString="ctfmon.exe") returned 10 [0088.822] lstrcmpiW (lpString1="spoolsv.exe", lpString2="lsass.exe") returned 1 [0088.822] lstrlenW (lpString="lsass.exe") returned 9 [0088.822] lstrcmpiW (lpString1="spoolsv.exe", lpString2="services.exe") returned 1 [0088.822] lstrlenW (lpString="services.exe") returned 12 [0088.822] lstrcmpiW (lpString1="spoolsv.exe", lpString2="tasklist.exe") returned -1 [0088.822] lstrlenW (lpString="tasklist.exe") returned 12 [0088.822] lstrcmpiW (lpString1="spoolsv.exe", lpString2="winlogon.exe") returned -1 [0088.822] lstrlenW (lpString="winlogon.exe") returned 12 [0088.822] lstrcmpiW (lpString1="spoolsv.exe", lpString2="wmiprvse.exe") returned -1 [0088.822] lstrlenW (lpString="wmiprvse.exe") returned 12 [0088.822] lstrcmpiW (lpString1="spoolsv.exe", lpString2="msdts.exe") returned 1 [0088.822] lstrlenW (lpString="msdts.exe") returned 9 [0088.822] lstrcmpiW (lpString1="spoolsv.exe", lpString2="bfsvc.exe") returned 1 [0088.822] lstrlenW (lpString="bfsvc.exe") returned 9 [0088.822] lstrcmpiW (lpString1="spoolsv.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0088.822] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0088.822] lstrcmpiW (lpString1="spoolsv.exe", lpString2="alg.exe") returned 1 [0088.822] lstrlenW (lpString="alg.exe") returned 7 [0088.822] lstrcmpiW (lpString1="spoolsv.exe", lpString2="dwm.exe") returned 1 [0088.822] lstrlenW (lpString="dwm.exe") returned 7 [0088.822] lstrcmpiW (lpString1="spoolsv.exe", lpString2="issch.exe") returned 1 [0088.822] lstrlenW (lpString="issch.exe") returned 9 [0088.822] lstrcmpiW (lpString1="spoolsv.exe", lpString2="rundll32.exe") returned 1 [0088.822] lstrlenW (lpString="rundll32.exe") returned 12 [0088.822] lstrcmpiW (lpString1="spoolsv.exe", lpString2="spoolsv.exe") returned 0 [0088.822] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.824] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0088.824] lstrlenW (lpString="[System process]") returned 16 [0088.824] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0088.824] lstrlenW (lpString="System") returned 6 [0088.824] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0088.824] lstrlenW (lpString="smss.exe") returned 8 [0088.824] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0088.824] lstrlenW (lpString="dllhost.exe") returned 11 [0088.824] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0088.824] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.836] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0088.837] lstrlenW (lpString="[System process]") returned 16 [0088.837] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0088.837] lstrlenW (lpString="System") returned 6 [0088.837] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0088.837] lstrlenW (lpString="smss.exe") returned 8 [0088.847] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0088.847] lstrlenW (lpString="dllhost.exe") returned 11 [0088.847] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0088.847] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.849] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0088.849] lstrlenW (lpString="[System process]") returned 16 [0088.849] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0088.849] lstrlenW (lpString="System") returned 6 [0088.849] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0088.849] lstrlenW (lpString="smss.exe") returned 8 [0088.849] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0088.849] lstrlenW (lpString="dllhost.exe") returned 11 [0088.849] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0088.849] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0088.851] lstrcmpiW (lpString1="sihost.exe", lpString2="[System process]") returned 1 [0088.851] lstrlenW (lpString="[System process]") returned 16 [0088.851] lstrcmpiW (lpString1="sihost.exe", lpString2="System") returned -1 [0088.851] lstrlenW (lpString="System") returned 6 [0088.851] lstrcmpiW (lpString1="sihost.exe", lpString2="smss.exe") returned -1 [0088.851] lstrlenW (lpString="smss.exe") returned 8 [0088.851] lstrcmpiW (lpString1="sihost.exe", lpString2="dllhost.exe") returned 1 [0088.851] lstrlenW (lpString="dllhost.exe") returned 11 [0088.851] lstrcmpiW (lpString1="sihost.exe", lpString2="svchost.exe") returned -1 [0088.851] lstrlenW (lpString="svchost.exe") returned 11 [0088.852] lstrcmpiW (lpString1="sihost.exe", lpString2="csrss.exe") returned 1 [0088.852] lstrlenW (lpString="csrss.exe") returned 9 [0088.852] lstrcmpiW (lpString1="sihost.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0088.852] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0088.852] lstrcmpiW (lpString1="sihost.exe", lpString2="WebServices.exe") returned -1 [0088.852] lstrlenW (lpString="WebServices.exe") returned 15 [0088.852] lstrcmpiW (lpString1="sihost.exe", lpString2="cmd.exe") returned 1 [0088.852] lstrlenW (lpString="cmd.exe") returned 7 [0088.852] lstrcmpiW (lpString1="sihost.exe", lpString2="mstsc.exe") returned 1 [0088.852] lstrlenW (lpString="mstsc.exe") returned 9 [0088.852] lstrcmpiW (lpString1="sihost.exe", lpString2="find.exe") returned 1 [0088.852] lstrlenW (lpString="find.exe") returned 8 [0088.852] lstrcmpiW (lpString1="sihost.exe", lpString2="conhost.exe") returned 1 [0088.852] lstrlenW (lpString="conhost.exe") returned 11 [0088.852] lstrcmpiW (lpString1="sihost.exe", lpString2="explorer.exe") returned 1 [0088.852] lstrlenW (lpString="explorer.exe") returned 12 [0088.852] lstrcmpiW (lpString1="sihost.exe", lpString2="ctfmon.exe") returned 1 [0088.852] lstrlenW (lpString="ctfmon.exe") returned 10 [0088.852] lstrcmpiW (lpString1="sihost.exe", lpString2="lsass.exe") returned 1 [0088.852] lstrlenW (lpString="lsass.exe") returned 9 [0088.852] lstrcmpiW (lpString1="sihost.exe", lpString2="services.exe") returned 1 [0088.852] lstrlenW (lpString="services.exe") returned 12 [0088.852] lstrcmpiW (lpString1="sihost.exe", lpString2="tasklist.exe") returned -1 [0088.852] lstrlenW (lpString="tasklist.exe") returned 12 [0088.852] lstrcmpiW (lpString1="sihost.exe", lpString2="winlogon.exe") returned -1 [0088.852] lstrlenW (lpString="winlogon.exe") returned 12 [0088.852] lstrcmpiW (lpString1="sihost.exe", lpString2="wmiprvse.exe") returned -1 [0088.852] lstrlenW (lpString="wmiprvse.exe") returned 12 [0088.852] lstrcmpiW (lpString1="sihost.exe", lpString2="msdts.exe") returned 1 [0088.852] lstrlenW (lpString="msdts.exe") returned 9 [0088.852] lstrcmpiW (lpString1="sihost.exe", lpString2="bfsvc.exe") returned 1 [0088.852] lstrlenW (lpString="bfsvc.exe") returned 9 [0088.852] lstrcmpiW (lpString1="sihost.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0088.852] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0088.852] lstrcmpiW (lpString1="sihost.exe", lpString2="alg.exe") returned 1 [0088.853] lstrlenW (lpString="alg.exe") returned 7 [0088.853] lstrcmpiW (lpString1="sihost.exe", lpString2="dwm.exe") returned 1 [0088.853] lstrlenW (lpString="dwm.exe") returned 7 [0088.853] lstrcmpiW (lpString1="sihost.exe", lpString2="issch.exe") returned 1 [0088.853] lstrlenW (lpString="issch.exe") returned 9 [0088.853] lstrcmpiW (lpString1="sihost.exe", lpString2="rundll32.exe") returned 1 [0088.853] lstrlenW (lpString="rundll32.exe") returned 12 [0088.853] lstrcmpiW (lpString1="sihost.exe", lpString2="spoolsv.exe") returned -1 [0088.853] lstrlenW (lpString="spoolsv.exe") returned 11 [0088.853] lstrcmpiW (lpString1="sihost.exe", lpString2="wininit.exe") returned -1 [0088.853] lstrlenW (lpString="wininit.exe") returned 11 [0088.853] lstrcmpiW (lpString1="sihost.exe", lpString2="wmiprvse.exe") returned -1 [0088.853] lstrlenW (lpString="wmiprvse.exe") returned 12 [0088.853] lstrcmpiW (lpString1="sihost.exe", lpString2="wudfhost.exe") returned -1 [0088.853] lstrlenW (lpString="wudfhost.exe") returned 12 [0088.853] lstrcmpiW (lpString1="sihost.exe", lpString2="taskmgr.exe") returned -1 [0088.853] lstrlenW (lpString="taskmgr.exe") returned 11 [0088.853] lstrcmpiW (lpString1="sihost.exe", lpString2="rdpclip.exe") returned 1 [0088.853] lstrlenW (lpString="rdpclip.exe") returned 11 [0088.853] lstrcmpiW (lpString1="sihost.exe", lpString2="logonui.exe") returned 1 [0088.853] lstrlenW (lpString="logonui.exe") returned 11 [0088.853] lstrcmpiW (lpString1="sihost.exe", lpString2="lsm.exe") returned 1 [0088.853] lstrlenW (lpString="lsm.exe") returned 7 [0088.853] lstrcmpiW (lpString1="sihost.exe", lpString2="searchui.exe") returned 1 [0088.853] lstrlenW (lpString="searchui.exe") returned 12 [0088.853] lstrcmpiW (lpString1="sihost.exe", lpString2="searchindexer.exe") returned 1 [0088.853] lstrlenW (lpString="searchindexer.exe") returned 17 [0088.853] lstrcmpiW (lpString1="sihost.exe", lpString2="processhacker.exe") returned 1 [0088.853] lstrlenW (lpString="processhacker.exe") returned 17 [0088.853] lstrcmpiW (lpString1="sihost.exe", lpString2="getpassvord_x64.exe") returned 1 [0088.853] lstrlenW (lpString="getpassvord_x64.exe") returned 19 [0088.853] lstrcmpiW (lpString1="sihost.exe", lpString2="64.exe") returned 1 [0088.853] lstrlenW (lpString="64.exe") returned 6 [0088.853] lstrcmpiW (lpString1="sihost.exe", lpString2="32.exe") returned 1 [0088.853] lstrlenW (lpString="32.exe") returned 6 [0088.853] lstrcmpiW (lpString1="sihost.exe", lpString2="mshta.exe") returned 1 [0088.854] lstrlenW (lpString="mshta.exe") returned 9 [0088.854] lstrcmpiW (lpString1="sihost.exe", lpString2="fontdrvhost.exe") returned 1 [0088.854] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0088.854] lstrcmpiW (lpString1="sihost.exe", lpString2="sihost.exe") returned 0 [0088.854] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x34, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0088.856] lstrcmpiW (lpString1="explorer.exe", lpString2="[System process]") returned 1 [0088.856] lstrlenW (lpString="[System process]") returned 16 [0088.856] lstrcmpiW (lpString1="explorer.exe", lpString2="System") returned -1 [0088.856] lstrlenW (lpString="System") returned 6 [0088.856] lstrcmpiW (lpString1="explorer.exe", lpString2="smss.exe") returned -1 [0088.856] lstrlenW (lpString="smss.exe") returned 8 [0088.856] lstrcmpiW (lpString1="explorer.exe", lpString2="dllhost.exe") returned 1 [0088.856] lstrlenW (lpString="dllhost.exe") returned 11 [0088.856] lstrcmpiW (lpString1="explorer.exe", lpString2="svchost.exe") returned -1 [0088.856] lstrlenW (lpString="svchost.exe") returned 11 [0088.856] lstrlenW (lpString="csrss.exe") returned 9 [0088.856] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0088.856] lstrlenW (lpString="WebServices.exe") returned 15 [0088.856] lstrlenW (lpString="cmd.exe") returned 7 [0088.856] lstrlenW (lpString="mstsc.exe") returned 9 [0088.857] lstrlenW (lpString="find.exe") returned 8 [0088.857] lstrlenW (lpString="conhost.exe") returned 11 [0088.857] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0088.862] lstrlenW (lpString="[System process]") returned 16 [0088.863] lstrlenW (lpString="System") returned 6 [0088.863] lstrlenW (lpString="smss.exe") returned 8 [0088.863] lstrlenW (lpString="dllhost.exe") returned 11 [0088.863] lstrlenW (lpString="svchost.exe") returned 11 [0088.863] lstrlenW (lpString="csrss.exe") returned 9 [0088.863] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0088.863] lstrlenW (lpString="WebServices.exe") returned 15 [0088.863] lstrlenW (lpString="cmd.exe") returned 7 [0088.863] lstrlenW (lpString="mstsc.exe") returned 9 [0088.863] lstrlenW (lpString="find.exe") returned 8 [0088.863] lstrlenW (lpString="conhost.exe") returned 11 [0088.863] lstrlenW (lpString="explorer.exe") returned 12 [0088.863] lstrlenW (lpString="ctfmon.exe") returned 10 [0088.863] lstrlenW (lpString="lsass.exe") returned 9 [0088.863] lstrlenW (lpString="services.exe") returned 12 [0088.863] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0088.865] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.867] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x45, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="CRYPT.EXE")) returned 1 [0088.869] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.871] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0088.873] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xfd8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0088.875] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xcc0, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0088.876] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0089.752] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xe14) returned 0x310 [0089.752] TerminateProcess (hProcess=0x310, uExitCode=0x0) returned 0 [0089.752] CloseHandle (hObject=0x310) returned 1 [0089.752] Process32NextW (in: hSnapshot=0x384, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 0 [0089.755] CloseHandle (hObject=0x384) returned 1 [0089.755] Sleep (dwMilliseconds=0x3e8) [0090.997] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2f0 [0091.013] Process32FirstW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0091.018] lstrcmpiW (lpString1="[System Process]", lpString2="[System process]") returned 0 [0091.018] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0091.022] lstrcmpiW (lpString1="System", lpString2="[System process]") returned 1 [0091.023] lstrlenW (lpString="[System process]") returned 16 [0091.023] lstrcmpiW (lpString1="System", lpString2="System") returned 0 [0091.023] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0091.027] lstrcmpiW (lpString1="smss.exe", lpString2="[System process]") returned 1 [0091.027] lstrlenW (lpString="[System process]") returned 16 [0091.027] lstrcmpiW (lpString1="smss.exe", lpString2="System") returned -1 [0091.027] lstrlenW (lpString="System") returned 6 [0091.027] lstrcmpiW (lpString1="smss.exe", lpString2="smss.exe") returned 0 [0091.027] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0093.163] lstrcmpiW (lpString1="csrss.exe", lpString2="[System process]") returned 1 [0093.163] lstrlenW (lpString="[System process]") returned 16 [0093.163] lstrcmpiW (lpString1="csrss.exe", lpString2="System") returned -1 [0093.163] lstrlenW (lpString="System") returned 6 [0093.163] lstrcmpiW (lpString1="csrss.exe", lpString2="smss.exe") returned -1 [0093.163] lstrlenW (lpString="smss.exe") returned 8 [0093.163] lstrcmpiW (lpString1="csrss.exe", lpString2="dllhost.exe") returned -1 [0093.163] lstrlenW (lpString="dllhost.exe") returned 11 [0093.163] lstrcmpiW (lpString1="csrss.exe", lpString2="svchost.exe") returned -1 [0093.163] lstrlenW (lpString="svchost.exe") returned 11 [0093.163] lstrcmpiW (lpString1="csrss.exe", lpString2="csrss.exe") returned 0 [0093.163] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0093.170] lstrcmpiW (lpString1="wininit.exe", lpString2="[System process]") returned 1 [0093.170] lstrlenW (lpString="[System process]") returned 16 [0093.170] lstrcmpiW (lpString1="wininit.exe", lpString2="System") returned 1 [0093.170] lstrlenW (lpString="System") returned 6 [0093.170] lstrcmpiW (lpString1="wininit.exe", lpString2="smss.exe") returned 1 [0093.170] lstrlenW (lpString="smss.exe") returned 8 [0093.170] lstrcmpiW (lpString1="wininit.exe", lpString2="dllhost.exe") returned 1 [0093.170] lstrlenW (lpString="dllhost.exe") returned 11 [0093.170] lstrcmpiW (lpString1="wininit.exe", lpString2="svchost.exe") returned 1 [0093.170] lstrlenW (lpString="svchost.exe") returned 11 [0093.170] lstrcmpiW (lpString1="wininit.exe", lpString2="csrss.exe") returned 1 [0093.170] lstrlenW (lpString="csrss.exe") returned 9 [0093.170] lstrcmpiW (lpString1="wininit.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0093.170] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0093.170] lstrcmpiW (lpString1="wininit.exe", lpString2="WebServices.exe") returned 1 [0093.170] lstrlenW (lpString="WebServices.exe") returned 15 [0093.170] lstrcmpiW (lpString1="wininit.exe", lpString2="cmd.exe") returned 1 [0093.170] lstrlenW (lpString="cmd.exe") returned 7 [0093.170] lstrcmpiW (lpString1="wininit.exe", lpString2="mstsc.exe") returned 1 [0093.170] lstrlenW (lpString="mstsc.exe") returned 9 [0093.170] lstrcmpiW (lpString1="wininit.exe", lpString2="find.exe") returned 1 [0093.170] lstrlenW (lpString="find.exe") returned 8 [0093.170] lstrcmpiW (lpString1="wininit.exe", lpString2="conhost.exe") returned 1 [0093.170] lstrlenW (lpString="conhost.exe") returned 11 [0093.170] lstrcmpiW (lpString1="wininit.exe", lpString2="explorer.exe") returned 1 [0093.170] lstrlenW (lpString="explorer.exe") returned 12 [0093.170] lstrcmpiW (lpString1="wininit.exe", lpString2="ctfmon.exe") returned 1 [0093.170] lstrlenW (lpString="ctfmon.exe") returned 10 [0093.170] lstrcmpiW (lpString1="wininit.exe", lpString2="lsass.exe") returned 1 [0093.170] lstrlenW (lpString="lsass.exe") returned 9 [0093.170] lstrcmpiW (lpString1="wininit.exe", lpString2="services.exe") returned 1 [0093.170] lstrlenW (lpString="services.exe") returned 12 [0093.170] lstrcmpiW (lpString1="wininit.exe", lpString2="tasklist.exe") returned 1 [0093.170] lstrlenW (lpString="tasklist.exe") returned 12 [0093.170] lstrcmpiW (lpString1="wininit.exe", lpString2="winlogon.exe") returned -1 [0093.171] lstrlenW (lpString="winlogon.exe") returned 12 [0093.171] lstrcmpiW (lpString1="wininit.exe", lpString2="wmiprvse.exe") returned -1 [0093.171] lstrlenW (lpString="wmiprvse.exe") returned 12 [0093.171] lstrcmpiW (lpString1="wininit.exe", lpString2="msdts.exe") returned 1 [0093.171] lstrlenW (lpString="msdts.exe") returned 9 [0093.171] lstrcmpiW (lpString1="wininit.exe", lpString2="bfsvc.exe") returned 1 [0093.171] lstrlenW (lpString="bfsvc.exe") returned 9 [0093.171] lstrcmpiW (lpString1="wininit.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0093.171] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0093.171] lstrcmpiW (lpString1="wininit.exe", lpString2="alg.exe") returned 1 [0093.171] lstrlenW (lpString="alg.exe") returned 7 [0093.171] lstrcmpiW (lpString1="wininit.exe", lpString2="dwm.exe") returned 1 [0093.171] lstrlenW (lpString="dwm.exe") returned 7 [0093.171] lstrcmpiW (lpString1="wininit.exe", lpString2="issch.exe") returned 1 [0093.171] lstrlenW (lpString="issch.exe") returned 9 [0093.171] lstrcmpiW (lpString1="wininit.exe", lpString2="rundll32.exe") returned 1 [0093.171] lstrlenW (lpString="rundll32.exe") returned 12 [0093.171] lstrcmpiW (lpString1="wininit.exe", lpString2="spoolsv.exe") returned 1 [0093.171] lstrlenW (lpString="spoolsv.exe") returned 11 [0093.171] lstrcmpiW (lpString1="wininit.exe", lpString2="wininit.exe") returned 0 [0093.171] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0093.178] lstrcmpiW (lpString1="csrss.exe", lpString2="[System process]") returned 1 [0093.178] lstrlenW (lpString="[System process]") returned 16 [0093.178] lstrcmpiW (lpString1="csrss.exe", lpString2="System") returned -1 [0093.178] lstrlenW (lpString="System") returned 6 [0093.178] lstrcmpiW (lpString1="csrss.exe", lpString2="smss.exe") returned -1 [0093.178] lstrlenW (lpString="smss.exe") returned 8 [0093.178] lstrcmpiW (lpString1="csrss.exe", lpString2="dllhost.exe") returned -1 [0093.178] lstrlenW (lpString="dllhost.exe") returned 11 [0093.178] lstrcmpiW (lpString1="csrss.exe", lpString2="svchost.exe") returned -1 [0093.178] lstrlenW (lpString="svchost.exe") returned 11 [0093.178] lstrcmpiW (lpString1="csrss.exe", lpString2="csrss.exe") returned 0 [0093.178] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0093.185] lstrcmpiW (lpString1="winlogon.exe", lpString2="[System process]") returned 1 [0093.185] lstrlenW (lpString="[System process]") returned 16 [0093.185] lstrcmpiW (lpString1="winlogon.exe", lpString2="System") returned 1 [0093.185] lstrlenW (lpString="System") returned 6 [0093.185] lstrcmpiW (lpString1="winlogon.exe", lpString2="smss.exe") returned 1 [0093.185] lstrlenW (lpString="smss.exe") returned 8 [0093.185] lstrcmpiW (lpString1="winlogon.exe", lpString2="dllhost.exe") returned 1 [0093.185] lstrlenW (lpString="dllhost.exe") returned 11 [0093.185] lstrcmpiW (lpString1="winlogon.exe", lpString2="svchost.exe") returned 1 [0093.185] lstrlenW (lpString="svchost.exe") returned 11 [0093.185] lstrcmpiW (lpString1="winlogon.exe", lpString2="csrss.exe") returned 1 [0093.185] lstrlenW (lpString="csrss.exe") returned 9 [0093.185] lstrcmpiW (lpString1="winlogon.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0093.185] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0093.185] lstrcmpiW (lpString1="winlogon.exe", lpString2="WebServices.exe") returned 1 [0093.185] lstrlenW (lpString="WebServices.exe") returned 15 [0093.185] lstrcmpiW (lpString1="winlogon.exe", lpString2="cmd.exe") returned 1 [0093.185] lstrlenW (lpString="cmd.exe") returned 7 [0093.185] lstrcmpiW (lpString1="winlogon.exe", lpString2="mstsc.exe") returned 1 [0093.185] lstrlenW (lpString="mstsc.exe") returned 9 [0093.185] lstrcmpiW (lpString1="winlogon.exe", lpString2="find.exe") returned 1 [0093.185] lstrlenW (lpString="find.exe") returned 8 [0093.185] lstrcmpiW (lpString1="winlogon.exe", lpString2="conhost.exe") returned 1 [0093.185] lstrlenW (lpString="conhost.exe") returned 11 [0093.186] lstrcmpiW (lpString1="winlogon.exe", lpString2="explorer.exe") returned 1 [0093.186] lstrlenW (lpString="explorer.exe") returned 12 [0093.186] lstrcmpiW (lpString1="winlogon.exe", lpString2="ctfmon.exe") returned 1 [0093.186] lstrlenW (lpString="ctfmon.exe") returned 10 [0093.186] lstrcmpiW (lpString1="winlogon.exe", lpString2="lsass.exe") returned 1 [0093.186] lstrlenW (lpString="lsass.exe") returned 9 [0093.186] lstrcmpiW (lpString1="winlogon.exe", lpString2="services.exe") returned 1 [0093.186] lstrlenW (lpString="services.exe") returned 12 [0093.186] lstrcmpiW (lpString1="winlogon.exe", lpString2="tasklist.exe") returned 1 [0093.186] lstrlenW (lpString="tasklist.exe") returned 12 [0093.186] lstrcmpiW (lpString1="winlogon.exe", lpString2="winlogon.exe") returned 0 [0093.186] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0093.197] lstrcmpiW (lpString1="services.exe", lpString2="[System process]") returned 1 [0093.197] lstrlenW (lpString="[System process]") returned 16 [0093.197] lstrcmpiW (lpString1="services.exe", lpString2="System") returned -1 [0093.197] lstrlenW (lpString="System") returned 6 [0093.197] lstrcmpiW (lpString1="services.exe", lpString2="smss.exe") returned -1 [0093.198] lstrlenW (lpString="smss.exe") returned 8 [0093.198] lstrcmpiW (lpString1="services.exe", lpString2="dllhost.exe") returned 1 [0093.198] lstrlenW (lpString="dllhost.exe") returned 11 [0093.198] lstrcmpiW (lpString1="services.exe", lpString2="svchost.exe") returned -1 [0093.198] lstrlenW (lpString="svchost.exe") returned 11 [0093.198] lstrcmpiW (lpString1="services.exe", lpString2="csrss.exe") returned 1 [0093.198] lstrlenW (lpString="csrss.exe") returned 9 [0093.198] lstrcmpiW (lpString1="services.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0093.198] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0093.199] lstrcmpiW (lpString1="services.exe", lpString2="WebServices.exe") returned -1 [0093.199] lstrlenW (lpString="WebServices.exe") returned 15 [0093.199] lstrcmpiW (lpString1="services.exe", lpString2="cmd.exe") returned 1 [0093.199] lstrlenW (lpString="cmd.exe") returned 7 [0093.199] lstrcmpiW (lpString1="services.exe", lpString2="mstsc.exe") returned 1 [0093.199] lstrlenW (lpString="mstsc.exe") returned 9 [0093.199] lstrcmpiW (lpString1="services.exe", lpString2="find.exe") returned 1 [0093.199] lstrlenW (lpString="find.exe") returned 8 [0093.199] lstrcmpiW (lpString1="services.exe", lpString2="conhost.exe") returned 1 [0093.199] lstrlenW (lpString="conhost.exe") returned 11 [0093.199] lstrcmpiW (lpString1="services.exe", lpString2="explorer.exe") returned 1 [0093.199] lstrlenW (lpString="explorer.exe") returned 12 [0093.199] lstrcmpiW (lpString1="services.exe", lpString2="ctfmon.exe") returned 1 [0093.199] lstrlenW (lpString="ctfmon.exe") returned 10 [0093.199] lstrcmpiW (lpString1="services.exe", lpString2="lsass.exe") returned 1 [0093.199] lstrlenW (lpString="lsass.exe") returned 9 [0093.199] lstrcmpiW (lpString1="services.exe", lpString2="services.exe") returned 0 [0093.199] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0094.225] lstrcmpiW (lpString1="lsass.exe", lpString2="[System process]") returned 1 [0094.225] lstrlenW (lpString="[System process]") returned 16 [0094.225] lstrcmpiW (lpString1="lsass.exe", lpString2="System") returned -1 [0094.225] lstrlenW (lpString="System") returned 6 [0094.225] lstrcmpiW (lpString1="lsass.exe", lpString2="smss.exe") returned -1 [0094.225] lstrlenW (lpString="smss.exe") returned 8 [0094.225] lstrcmpiW (lpString1="lsass.exe", lpString2="dllhost.exe") returned 1 [0094.225] lstrlenW (lpString="dllhost.exe") returned 11 [0094.225] lstrcmpiW (lpString1="lsass.exe", lpString2="svchost.exe") returned -1 [0094.225] lstrlenW (lpString="svchost.exe") returned 11 [0094.225] lstrcmpiW (lpString1="lsass.exe", lpString2="csrss.exe") returned 1 [0094.225] lstrlenW (lpString="csrss.exe") returned 9 [0094.225] lstrcmpiW (lpString1="lsass.exe", lpString2="Microsoft.ActiveDirectory") returned -1 [0094.225] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0094.225] lstrcmpiW (lpString1="lsass.exe", lpString2="WebServices.exe") returned -1 [0094.225] lstrlenW (lpString="WebServices.exe") returned 15 [0094.225] lstrcmpiW (lpString1="lsass.exe", lpString2="cmd.exe") returned 1 [0094.225] lstrlenW (lpString="cmd.exe") returned 7 [0094.225] lstrcmpiW (lpString1="lsass.exe", lpString2="mstsc.exe") returned -1 [0094.225] lstrlenW (lpString="mstsc.exe") returned 9 [0094.225] lstrcmpiW (lpString1="lsass.exe", lpString2="find.exe") returned 1 [0094.225] lstrlenW (lpString="find.exe") returned 8 [0094.225] lstrcmpiW (lpString1="lsass.exe", lpString2="conhost.exe") returned 1 [0094.225] lstrlenW (lpString="conhost.exe") returned 11 [0094.226] lstrcmpiW (lpString1="lsass.exe", lpString2="explorer.exe") returned 1 [0094.226] lstrlenW (lpString="explorer.exe") returned 12 [0094.226] lstrcmpiW (lpString1="lsass.exe", lpString2="ctfmon.exe") returned 1 [0094.226] lstrlenW (lpString="ctfmon.exe") returned 10 [0094.226] lstrcmpiW (lpString1="lsass.exe", lpString2="lsass.exe") returned 0 [0094.226] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.232] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0094.232] lstrlenW (lpString="[System process]") returned 16 [0094.233] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0094.233] lstrlenW (lpString="System") returned 6 [0094.233] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0094.233] lstrlenW (lpString="smss.exe") returned 8 [0094.233] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0094.233] lstrlenW (lpString="dllhost.exe") returned 11 [0094.233] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0094.233] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.239] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0094.239] lstrlenW (lpString="[System process]") returned 16 [0094.239] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0094.239] lstrlenW (lpString="System") returned 6 [0094.239] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0094.239] lstrlenW (lpString="smss.exe") returned 8 [0094.239] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0094.239] lstrlenW (lpString="dllhost.exe") returned 11 [0094.239] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0094.239] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0094.246] lstrcmpiW (lpString1="dwm.exe", lpString2="[System process]") returned 1 [0094.246] lstrlenW (lpString="[System process]") returned 16 [0094.246] lstrcmpiW (lpString1="dwm.exe", lpString2="System") returned -1 [0094.246] lstrlenW (lpString="System") returned 6 [0094.246] lstrcmpiW (lpString1="dwm.exe", lpString2="smss.exe") returned -1 [0094.246] lstrlenW (lpString="smss.exe") returned 8 [0094.246] lstrcmpiW (lpString1="dwm.exe", lpString2="dllhost.exe") returned 1 [0094.246] lstrlenW (lpString="dllhost.exe") returned 11 [0094.246] lstrcmpiW (lpString1="dwm.exe", lpString2="svchost.exe") returned -1 [0094.246] lstrlenW (lpString="svchost.exe") returned 11 [0094.246] lstrcmpiW (lpString1="dwm.exe", lpString2="csrss.exe") returned 1 [0094.246] lstrlenW (lpString="csrss.exe") returned 9 [0094.246] lstrcmpiW (lpString1="dwm.exe", lpString2="Microsoft.ActiveDirectory") returned -1 [0094.246] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0094.246] lstrcmpiW (lpString1="dwm.exe", lpString2="WebServices.exe") returned -1 [0094.246] lstrlenW (lpString="WebServices.exe") returned 15 [0094.246] lstrcmpiW (lpString1="dwm.exe", lpString2="cmd.exe") returned 1 [0094.246] lstrlenW (lpString="cmd.exe") returned 7 [0094.246] lstrcmpiW (lpString1="dwm.exe", lpString2="mstsc.exe") returned -1 [0094.246] lstrlenW (lpString="mstsc.exe") returned 9 [0094.246] lstrcmpiW (lpString1="dwm.exe", lpString2="find.exe") returned -1 [0094.246] lstrlenW (lpString="find.exe") returned 8 [0094.246] lstrcmpiW (lpString1="dwm.exe", lpString2="conhost.exe") returned 1 [0094.246] lstrlenW (lpString="conhost.exe") returned 11 [0094.246] lstrcmpiW (lpString1="dwm.exe", lpString2="explorer.exe") returned -1 [0094.246] lstrlenW (lpString="explorer.exe") returned 12 [0094.246] lstrcmpiW (lpString1="dwm.exe", lpString2="ctfmon.exe") returned 1 [0094.247] lstrlenW (lpString="ctfmon.exe") returned 10 [0094.247] lstrcmpiW (lpString1="dwm.exe", lpString2="lsass.exe") returned -1 [0094.247] lstrlenW (lpString="lsass.exe") returned 9 [0094.247] lstrcmpiW (lpString1="dwm.exe", lpString2="services.exe") returned -1 [0094.247] lstrlenW (lpString="services.exe") returned 12 [0094.247] lstrcmpiW (lpString1="dwm.exe", lpString2="tasklist.exe") returned -1 [0094.247] lstrlenW (lpString="tasklist.exe") returned 12 [0094.247] lstrcmpiW (lpString1="dwm.exe", lpString2="winlogon.exe") returned -1 [0094.247] lstrlenW (lpString="winlogon.exe") returned 12 [0094.247] lstrcmpiW (lpString1="dwm.exe", lpString2="wmiprvse.exe") returned -1 [0094.247] lstrlenW (lpString="wmiprvse.exe") returned 12 [0094.247] lstrcmpiW (lpString1="dwm.exe", lpString2="msdts.exe") returned -1 [0094.247] lstrlenW (lpString="msdts.exe") returned 9 [0094.247] lstrcmpiW (lpString1="dwm.exe", lpString2="bfsvc.exe") returned 1 [0094.247] lstrlenW (lpString="bfsvc.exe") returned 9 [0094.247] lstrcmpiW (lpString1="dwm.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0094.247] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0094.247] lstrcmpiW (lpString1="dwm.exe", lpString2="alg.exe") returned 1 [0094.247] lstrlenW (lpString="alg.exe") returned 7 [0094.247] lstrcmpiW (lpString1="dwm.exe", lpString2="dwm.exe") returned 0 [0094.247] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4b, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.253] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0094.253] lstrlenW (lpString="[System process]") returned 16 [0094.253] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0094.253] lstrlenW (lpString="System") returned 6 [0094.253] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0094.253] lstrlenW (lpString="smss.exe") returned 8 [0094.253] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0094.253] lstrlenW (lpString="dllhost.exe") returned 11 [0094.253] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0094.253] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.325] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0094.325] lstrlenW (lpString="[System process]") returned 16 [0094.325] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0094.325] lstrlenW (lpString="System") returned 6 [0094.325] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0094.325] lstrlenW (lpString="smss.exe") returned 8 [0094.325] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0094.325] lstrlenW (lpString="dllhost.exe") returned 11 [0094.325] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0094.325] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.333] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0094.333] lstrlenW (lpString="[System process]") returned 16 [0094.333] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0094.333] lstrlenW (lpString="System") returned 6 [0094.333] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0094.333] lstrlenW (lpString="smss.exe") returned 8 [0094.333] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0094.333] lstrlenW (lpString="dllhost.exe") returned 11 [0094.333] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0094.333] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.370] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0094.370] lstrlenW (lpString="[System process]") returned 16 [0094.370] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0094.370] lstrlenW (lpString="System") returned 6 [0094.370] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0094.370] lstrlenW (lpString="smss.exe") returned 8 [0094.370] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0094.370] lstrlenW (lpString="dllhost.exe") returned 11 [0094.370] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0094.370] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.376] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0094.376] lstrlenW (lpString="[System process]") returned 16 [0094.376] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0094.376] lstrlenW (lpString="System") returned 6 [0094.376] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0094.376] lstrlenW (lpString="smss.exe") returned 8 [0094.376] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0094.376] lstrlenW (lpString="dllhost.exe") returned 11 [0094.376] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0094.376] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.382] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0094.382] lstrlenW (lpString="[System process]") returned 16 [0094.382] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0094.382] lstrlenW (lpString="System") returned 6 [0094.382] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0094.382] lstrlenW (lpString="smss.exe") returned 8 [0094.382] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0094.382] lstrlenW (lpString="dllhost.exe") returned 11 [0094.382] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0094.382] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0096.049] lstrcmpiW (lpString1="spoolsv.exe", lpString2="[System process]") returned 1 [0096.049] lstrlenW (lpString="[System process]") returned 16 [0096.049] lstrcmpiW (lpString1="spoolsv.exe", lpString2="System") returned -1 [0096.049] lstrlenW (lpString="System") returned 6 [0096.050] lstrcmpiW (lpString1="spoolsv.exe", lpString2="smss.exe") returned 1 [0096.050] lstrlenW (lpString="smss.exe") returned 8 [0096.050] lstrcmpiW (lpString1="spoolsv.exe", lpString2="dllhost.exe") returned 1 [0096.050] lstrlenW (lpString="dllhost.exe") returned 11 [0096.050] lstrcmpiW (lpString1="spoolsv.exe", lpString2="svchost.exe") returned -1 [0096.050] lstrlenW (lpString="svchost.exe") returned 11 [0096.050] lstrcmpiW (lpString1="spoolsv.exe", lpString2="csrss.exe") returned 1 [0096.050] lstrlenW (lpString="csrss.exe") returned 9 [0096.050] lstrcmpiW (lpString1="spoolsv.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0096.050] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0096.050] lstrcmpiW (lpString1="spoolsv.exe", lpString2="WebServices.exe") returned -1 [0096.050] lstrlenW (lpString="WebServices.exe") returned 15 [0096.050] lstrcmpiW (lpString1="spoolsv.exe", lpString2="cmd.exe") returned 1 [0096.050] lstrlenW (lpString="cmd.exe") returned 7 [0096.050] lstrcmpiW (lpString1="spoolsv.exe", lpString2="mstsc.exe") returned 1 [0096.050] lstrlenW (lpString="mstsc.exe") returned 9 [0096.050] lstrcmpiW (lpString1="spoolsv.exe", lpString2="find.exe") returned 1 [0096.050] lstrlenW (lpString="find.exe") returned 8 [0096.050] lstrcmpiW (lpString1="spoolsv.exe", lpString2="conhost.exe") returned 1 [0096.050] lstrlenW (lpString="conhost.exe") returned 11 [0096.050] lstrcmpiW (lpString1="spoolsv.exe", lpString2="explorer.exe") returned 1 [0096.051] lstrlenW (lpString="explorer.exe") returned 12 [0096.051] lstrcmpiW (lpString1="spoolsv.exe", lpString2="ctfmon.exe") returned 1 [0096.051] lstrlenW (lpString="ctfmon.exe") returned 10 [0096.051] lstrcmpiW (lpString1="spoolsv.exe", lpString2="lsass.exe") returned 1 [0096.051] lstrlenW (lpString="lsass.exe") returned 9 [0096.051] lstrcmpiW (lpString1="spoolsv.exe", lpString2="services.exe") returned 1 [0096.051] lstrlenW (lpString="services.exe") returned 12 [0096.051] lstrcmpiW (lpString1="spoolsv.exe", lpString2="tasklist.exe") returned -1 [0096.051] lstrlenW (lpString="tasklist.exe") returned 12 [0096.051] lstrcmpiW (lpString1="spoolsv.exe", lpString2="winlogon.exe") returned -1 [0096.051] lstrlenW (lpString="winlogon.exe") returned 12 [0096.051] lstrcmpiW (lpString1="spoolsv.exe", lpString2="wmiprvse.exe") returned -1 [0096.051] lstrlenW (lpString="wmiprvse.exe") returned 12 [0096.051] lstrcmpiW (lpString1="spoolsv.exe", lpString2="msdts.exe") returned 1 [0096.051] lstrlenW (lpString="msdts.exe") returned 9 [0096.051] lstrcmpiW (lpString1="spoolsv.exe", lpString2="bfsvc.exe") returned 1 [0096.051] lstrlenW (lpString="bfsvc.exe") returned 9 [0096.051] lstrcmpiW (lpString1="spoolsv.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0096.051] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0096.051] lstrcmpiW (lpString1="spoolsv.exe", lpString2="alg.exe") returned 1 [0096.051] lstrlenW (lpString="alg.exe") returned 7 [0096.051] lstrcmpiW (lpString1="spoolsv.exe", lpString2="dwm.exe") returned 1 [0096.051] lstrlenW (lpString="dwm.exe") returned 7 [0096.051] lstrcmpiW (lpString1="spoolsv.exe", lpString2="issch.exe") returned 1 [0096.051] lstrlenW (lpString="issch.exe") returned 9 [0096.052] lstrcmpiW (lpString1="spoolsv.exe", lpString2="rundll32.exe") returned 1 [0096.052] lstrlenW (lpString="rundll32.exe") returned 12 [0096.052] lstrcmpiW (lpString1="spoolsv.exe", lpString2="spoolsv.exe") returned 0 [0096.052] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.057] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0096.057] lstrlenW (lpString="[System process]") returned 16 [0096.057] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0096.058] lstrlenW (lpString="System") returned 6 [0096.058] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0096.058] lstrlenW (lpString="smss.exe") returned 8 [0096.058] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0096.058] lstrlenW (lpString="dllhost.exe") returned 11 [0096.058] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0096.058] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.433] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0096.433] lstrlenW (lpString="[System process]") returned 16 [0096.433] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0096.434] lstrlenW (lpString="System") returned 6 [0096.434] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0096.434] lstrlenW (lpString="smss.exe") returned 8 [0096.434] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0096.434] lstrlenW (lpString="dllhost.exe") returned 11 [0096.434] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0096.434] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.444] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0096.444] lstrlenW (lpString="[System process]") returned 16 [0096.444] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0096.444] lstrlenW (lpString="System") returned 6 [0096.444] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0096.444] lstrlenW (lpString="smss.exe") returned 8 [0096.444] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0096.444] lstrlenW (lpString="dllhost.exe") returned 11 [0096.444] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0096.444] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0096.451] lstrcmpiW (lpString1="sihost.exe", lpString2="[System process]") returned 1 [0096.451] lstrlenW (lpString="[System process]") returned 16 [0096.451] lstrcmpiW (lpString1="sihost.exe", lpString2="System") returned -1 [0096.451] lstrlenW (lpString="System") returned 6 [0096.451] lstrcmpiW (lpString1="sihost.exe", lpString2="smss.exe") returned -1 [0096.451] lstrlenW (lpString="smss.exe") returned 8 [0096.452] lstrcmpiW (lpString1="sihost.exe", lpString2="dllhost.exe") returned 1 [0096.452] lstrlenW (lpString="dllhost.exe") returned 11 [0096.452] lstrcmpiW (lpString1="sihost.exe", lpString2="svchost.exe") returned -1 [0096.452] lstrlenW (lpString="svchost.exe") returned 11 [0096.452] lstrcmpiW (lpString1="sihost.exe", lpString2="csrss.exe") returned 1 [0096.452] lstrlenW (lpString="csrss.exe") returned 9 [0096.452] lstrcmpiW (lpString1="sihost.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0096.452] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0096.452] lstrcmpiW (lpString1="sihost.exe", lpString2="WebServices.exe") returned -1 [0096.452] lstrlenW (lpString="WebServices.exe") returned 15 [0096.452] lstrcmpiW (lpString1="sihost.exe", lpString2="cmd.exe") returned 1 [0096.452] lstrlenW (lpString="cmd.exe") returned 7 [0096.452] lstrcmpiW (lpString1="sihost.exe", lpString2="mstsc.exe") returned 1 [0096.452] lstrlenW (lpString="mstsc.exe") returned 9 [0096.452] lstrcmpiW (lpString1="sihost.exe", lpString2="find.exe") returned 1 [0096.452] lstrlenW (lpString="find.exe") returned 8 [0096.452] lstrcmpiW (lpString1="sihost.exe", lpString2="conhost.exe") returned 1 [0096.452] lstrlenW (lpString="conhost.exe") returned 11 [0096.452] lstrcmpiW (lpString1="sihost.exe", lpString2="explorer.exe") returned 1 [0096.452] lstrlenW (lpString="explorer.exe") returned 12 [0096.452] lstrcmpiW (lpString1="sihost.exe", lpString2="ctfmon.exe") returned 1 [0096.452] lstrlenW (lpString="ctfmon.exe") returned 10 [0096.452] lstrcmpiW (lpString1="sihost.exe", lpString2="lsass.exe") returned 1 [0096.452] lstrlenW (lpString="lsass.exe") returned 9 [0096.452] lstrcmpiW (lpString1="sihost.exe", lpString2="services.exe") returned 1 [0096.452] lstrlenW (lpString="services.exe") returned 12 [0096.452] lstrcmpiW (lpString1="sihost.exe", lpString2="tasklist.exe") returned -1 [0096.452] lstrlenW (lpString="tasklist.exe") returned 12 [0096.452] lstrcmpiW (lpString1="sihost.exe", lpString2="winlogon.exe") returned -1 [0096.452] lstrlenW (lpString="winlogon.exe") returned 12 [0096.452] lstrcmpiW (lpString1="sihost.exe", lpString2="wmiprvse.exe") returned -1 [0096.452] lstrlenW (lpString="wmiprvse.exe") returned 12 [0096.452] lstrcmpiW (lpString1="sihost.exe", lpString2="msdts.exe") returned 1 [0096.452] lstrlenW (lpString="msdts.exe") returned 9 [0096.452] lstrcmpiW (lpString1="sihost.exe", lpString2="bfsvc.exe") returned 1 [0096.453] lstrlenW (lpString="bfsvc.exe") returned 9 [0096.453] lstrcmpiW (lpString1="sihost.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0096.453] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0096.453] lstrcmpiW (lpString1="sihost.exe", lpString2="alg.exe") returned 1 [0096.453] lstrlenW (lpString="alg.exe") returned 7 [0096.453] lstrcmpiW (lpString1="sihost.exe", lpString2="dwm.exe") returned 1 [0096.453] lstrlenW (lpString="dwm.exe") returned 7 [0096.453] lstrcmpiW (lpString1="sihost.exe", lpString2="issch.exe") returned 1 [0096.453] lstrlenW (lpString="issch.exe") returned 9 [0096.453] lstrcmpiW (lpString1="sihost.exe", lpString2="rundll32.exe") returned 1 [0096.453] lstrlenW (lpString="rundll32.exe") returned 12 [0096.453] lstrcmpiW (lpString1="sihost.exe", lpString2="spoolsv.exe") returned -1 [0096.453] lstrlenW (lpString="spoolsv.exe") returned 11 [0096.453] lstrcmpiW (lpString1="sihost.exe", lpString2="wininit.exe") returned -1 [0096.453] lstrlenW (lpString="wininit.exe") returned 11 [0096.453] lstrcmpiW (lpString1="sihost.exe", lpString2="wmiprvse.exe") returned -1 [0096.453] lstrlenW (lpString="wmiprvse.exe") returned 12 [0096.453] lstrcmpiW (lpString1="sihost.exe", lpString2="wudfhost.exe") returned -1 [0096.453] lstrlenW (lpString="wudfhost.exe") returned 12 [0096.453] lstrcmpiW (lpString1="sihost.exe", lpString2="taskmgr.exe") returned -1 [0096.453] lstrlenW (lpString="taskmgr.exe") returned 11 [0096.453] lstrcmpiW (lpString1="sihost.exe", lpString2="rdpclip.exe") returned 1 [0096.453] lstrlenW (lpString="rdpclip.exe") returned 11 [0096.453] lstrcmpiW (lpString1="sihost.exe", lpString2="logonui.exe") returned 1 [0096.453] lstrlenW (lpString="logonui.exe") returned 11 [0096.453] lstrcmpiW (lpString1="sihost.exe", lpString2="lsm.exe") returned 1 [0096.453] lstrlenW (lpString="lsm.exe") returned 7 [0096.453] lstrcmpiW (lpString1="sihost.exe", lpString2="searchui.exe") returned 1 [0096.453] lstrlenW (lpString="searchui.exe") returned 12 [0096.453] lstrcmpiW (lpString1="sihost.exe", lpString2="searchindexer.exe") returned 1 [0096.453] lstrlenW (lpString="searchindexer.exe") returned 17 [0096.453] lstrcmpiW (lpString1="sihost.exe", lpString2="processhacker.exe") returned 1 [0096.453] lstrlenW (lpString="processhacker.exe") returned 17 [0096.453] lstrcmpiW (lpString1="sihost.exe", lpString2="getpassvord_x64.exe") returned 1 [0096.454] lstrlenW (lpString="getpassvord_x64.exe") returned 19 [0096.454] lstrcmpiW (lpString1="sihost.exe", lpString2="64.exe") returned 1 [0096.454] lstrlenW (lpString="64.exe") returned 6 [0096.454] lstrcmpiW (lpString1="sihost.exe", lpString2="32.exe") returned 1 [0096.454] lstrlenW (lpString="32.exe") returned 6 [0096.454] lstrcmpiW (lpString1="sihost.exe", lpString2="mshta.exe") returned 1 [0096.454] lstrlenW (lpString="mshta.exe") returned 9 [0096.454] lstrcmpiW (lpString1="sihost.exe", lpString2="fontdrvhost.exe") returned 1 [0096.454] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0096.454] lstrcmpiW (lpString1="sihost.exe", lpString2="sihost.exe") returned 0 [0096.454] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x33, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0096.461] lstrcmpiW (lpString1="explorer.exe", lpString2="[System process]") returned 1 [0096.461] lstrlenW (lpString="[System process]") returned 16 [0096.461] lstrcmpiW (lpString1="explorer.exe", lpString2="System") returned -1 [0096.461] lstrlenW (lpString="System") returned 6 [0096.461] lstrcmpiW (lpString1="explorer.exe", lpString2="smss.exe") returned -1 [0096.461] lstrlenW (lpString="smss.exe") returned 8 [0096.461] lstrcmpiW (lpString1="explorer.exe", lpString2="dllhost.exe") returned 1 [0096.461] lstrlenW (lpString="dllhost.exe") returned 11 [0096.461] lstrcmpiW (lpString1="explorer.exe", lpString2="svchost.exe") returned -1 [0096.461] lstrlenW (lpString="svchost.exe") returned 11 [0096.461] lstrcmpiW (lpString1="explorer.exe", lpString2="csrss.exe") returned 1 [0096.461] lstrlenW (lpString="csrss.exe") returned 9 [0096.461] lstrcmpiW (lpString1="explorer.exe", lpString2="Microsoft.ActiveDirectory") returned -1 [0096.461] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0096.461] lstrcmpiW (lpString1="explorer.exe", lpString2="WebServices.exe") returned -1 [0096.461] lstrlenW (lpString="WebServices.exe") returned 15 [0096.461] lstrcmpiW (lpString1="explorer.exe", lpString2="cmd.exe") returned 1 [0096.461] lstrlenW (lpString="cmd.exe") returned 7 [0096.461] lstrcmpiW (lpString1="explorer.exe", lpString2="mstsc.exe") returned -1 [0096.461] lstrlenW (lpString="mstsc.exe") returned 9 [0096.461] lstrcmpiW (lpString1="explorer.exe", lpString2="find.exe") returned -1 [0096.461] lstrlenW (lpString="find.exe") returned 8 [0096.461] lstrcmpiW (lpString1="explorer.exe", lpString2="conhost.exe") returned 1 [0096.461] lstrlenW (lpString="conhost.exe") returned 11 [0096.461] lstrcmpiW (lpString1="explorer.exe", lpString2="explorer.exe") returned 0 [0096.461] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0096.468] lstrcmpiW (lpString1="SearchUI.exe", lpString2="[System process]") returned 1 [0096.468] lstrlenW (lpString="[System process]") returned 16 [0096.468] lstrcmpiW (lpString1="SearchUI.exe", lpString2="System") returned -1 [0096.468] lstrlenW (lpString="System") returned 6 [0096.469] lstrcmpiW (lpString1="SearchUI.exe", lpString2="smss.exe") returned -1 [0096.469] lstrlenW (lpString="smss.exe") returned 8 [0096.469] lstrcmpiW (lpString1="SearchUI.exe", lpString2="dllhost.exe") returned 1 [0096.469] lstrlenW (lpString="dllhost.exe") returned 11 [0096.469] lstrcmpiW (lpString1="SearchUI.exe", lpString2="svchost.exe") returned -1 [0096.469] lstrlenW (lpString="svchost.exe") returned 11 [0096.469] lstrcmpiW (lpString1="SearchUI.exe", lpString2="csrss.exe") returned 1 [0096.469] lstrlenW (lpString="csrss.exe") returned 9 [0096.469] lstrcmpiW (lpString1="SearchUI.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0096.469] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0096.469] lstrcmpiW (lpString1="SearchUI.exe", lpString2="WebServices.exe") returned -1 [0096.469] lstrlenW (lpString="WebServices.exe") returned 15 [0096.469] lstrcmpiW (lpString1="SearchUI.exe", lpString2="cmd.exe") returned 1 [0096.469] lstrlenW (lpString="cmd.exe") returned 7 [0096.469] lstrcmpiW (lpString1="SearchUI.exe", lpString2="mstsc.exe") returned 1 [0096.469] lstrlenW (lpString="mstsc.exe") returned 9 [0096.469] lstrcmpiW (lpString1="SearchUI.exe", lpString2="find.exe") returned 1 [0096.469] lstrlenW (lpString="find.exe") returned 8 [0096.469] lstrcmpiW (lpString1="SearchUI.exe", lpString2="conhost.exe") returned 1 [0096.469] lstrlenW (lpString="conhost.exe") returned 11 [0096.469] lstrcmpiW (lpString1="SearchUI.exe", lpString2="explorer.exe") returned 1 [0096.469] lstrlenW (lpString="explorer.exe") returned 12 [0096.469] lstrcmpiW (lpString1="SearchUI.exe", lpString2="ctfmon.exe") returned 1 [0096.469] lstrlenW (lpString="ctfmon.exe") returned 10 [0096.469] lstrcmpiW (lpString1="SearchUI.exe", lpString2="lsass.exe") returned 1 [0096.469] lstrlenW (lpString="lsass.exe") returned 9 [0096.469] lstrcmpiW (lpString1="SearchUI.exe", lpString2="services.exe") returned -1 [0096.469] lstrlenW (lpString="services.exe") returned 12 [0096.469] lstrcmpiW (lpString1="SearchUI.exe", lpString2="tasklist.exe") returned -1 [0096.469] lstrlenW (lpString="tasklist.exe") returned 12 [0096.469] lstrcmpiW (lpString1="SearchUI.exe", lpString2="winlogon.exe") returned -1 [0096.469] lstrlenW (lpString="winlogon.exe") returned 12 [0096.469] lstrcmpiW (lpString1="SearchUI.exe", lpString2="wmiprvse.exe") returned -1 [0096.469] lstrlenW (lpString="wmiprvse.exe") returned 12 [0096.469] lstrcmpiW (lpString1="SearchUI.exe", lpString2="msdts.exe") returned 1 [0096.469] lstrlenW (lpString="msdts.exe") returned 9 [0096.469] lstrcmpiW (lpString1="SearchUI.exe", lpString2="bfsvc.exe") returned 1 [0096.469] lstrlenW (lpString="bfsvc.exe") returned 9 [0096.469] lstrcmpiW (lpString1="SearchUI.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0096.469] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0096.469] lstrcmpiW (lpString1="SearchUI.exe", lpString2="alg.exe") returned 1 [0096.469] lstrlenW (lpString="alg.exe") returned 7 [0096.469] lstrcmpiW (lpString1="SearchUI.exe", lpString2="dwm.exe") returned 1 [0096.470] lstrlenW (lpString="dwm.exe") returned 7 [0096.470] lstrcmpiW (lpString1="SearchUI.exe", lpString2="issch.exe") returned 1 [0096.470] lstrlenW (lpString="issch.exe") returned 9 [0096.470] lstrcmpiW (lpString1="SearchUI.exe", lpString2="rundll32.exe") returned 1 [0096.470] lstrlenW (lpString="rundll32.exe") returned 12 [0096.470] lstrcmpiW (lpString1="SearchUI.exe", lpString2="spoolsv.exe") returned -1 [0096.470] lstrlenW (lpString="spoolsv.exe") returned 11 [0096.470] lstrcmpiW (lpString1="SearchUI.exe", lpString2="wininit.exe") returned -1 [0096.470] lstrlenW (lpString="wininit.exe") returned 11 [0096.470] lstrcmpiW (lpString1="SearchUI.exe", lpString2="wmiprvse.exe") returned -1 [0096.470] lstrlenW (lpString="wmiprvse.exe") returned 12 [0096.470] lstrcmpiW (lpString1="SearchUI.exe", lpString2="wudfhost.exe") returned -1 [0096.470] lstrlenW (lpString="wudfhost.exe") returned 12 [0096.470] lstrcmpiW (lpString1="SearchUI.exe", lpString2="taskmgr.exe") returned -1 [0096.470] lstrlenW (lpString="taskmgr.exe") returned 11 [0096.470] lstrcmpiW (lpString1="SearchUI.exe", lpString2="rdpclip.exe") returned 1 [0096.470] lstrlenW (lpString="rdpclip.exe") returned 11 [0096.470] lstrcmpiW (lpString1="SearchUI.exe", lpString2="logonui.exe") returned 1 [0096.470] lstrlenW (lpString="logonui.exe") returned 11 [0096.470] lstrcmpiW (lpString1="SearchUI.exe", lpString2="lsm.exe") returned 1 [0096.470] lstrlenW (lpString="lsm.exe") returned 7 [0096.470] lstrcmpiW (lpString1="SearchUI.exe", lpString2="searchui.exe") returned 0 [0096.470] Process32NextW (in: hSnapshot=0x2f0, lppe=0x54fd54 | out: lppe=0x54fd54*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0096.778] lstrcmpiW (lpString1="dllhost.exe", lpString2="[System process]") returned 1 [0096.778] lstrlenW (lpString="[System process]") returned 16 [0096.778] lstrcmpiW (lpString1="dllhost.exe", lpString2="System") returned -1 [0096.778] lstrlenW (lpString="System") returned 6 [0096.778] lstrcmpiW (lpString1="dllhost.exe", lpString2="smss.exe") returned -1 [0096.778] lstrlenW (lpString="smss.exe") returned 8 [0096.778] lstrcmpiW (lpString1="dllhost.exe", lpString2="dllhost.exe") returned 0 [0096.778] Process32NextW (hSnapshot=0x2f0, lppe=0x54fd54) Thread: id = 4 os_tid = 0xce8 Thread: id = 5 os_tid = 0xcd8 Thread: id = 6 os_tid = 0xd40 Thread: id = 7 os_tid = 0xd10 Thread: id = 8 os_tid = 0xd0c Thread: id = 10 os_tid = 0xd9c [0078.074] WNetOpenEnumA (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x2abff60 | out: lphEnum=0x2abff60*=0x5c8890) returned 0x0 [0091.165] WNetEnumResourceA (in: hEnum=0x5c8890, lpcCount=0x2abff74, lpBuffer=0x108e8ab0, lpBufferSize=0x2abff70 | out: lpcCount=0x2abff74, lpBuffer=0x108e8ab0, lpBufferSize=0x2abff70) returned 0x0 [0091.165] WNetOpenEnumA (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x108e8ab0, lphEnum=0x2abff34 | out: lphEnum=0x2abff34*=0x5a9c38) returned 0x0 [0091.167] WNetEnumResourceA (in: hEnum=0x5a9c38, lpcCount=0x2abff48, lpBuffer=0x10800950, lpBufferSize=0x2abff44 | out: lpcCount=0x2abff48, lpBuffer=0x10800950, lpBufferSize=0x2abff44) returned 0x103 [0091.167] WNetCloseEnum (hEnum=0x5a9c38) returned 0x0 [0092.005] WNetOpenEnumA (dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x108e8ad0, lphEnum=0x2abff34) Thread: id = 11 os_tid = 0xd8c [0078.082] FindFirstFileW (in: lpFileName="\\\\?\\C:\\*.*", lpFindFileData=0x2bffd28 | out: lpFindFileData=0x2bffd28) returned 0x5c85d0 [0078.082] lstrcmpW (lpString1=".", lpString2="$Recycle.Bin") returned 1 [0078.082] lstrcmpW (lpString1="..", lpString2="$Recycle.Bin") returned 1 [0078.082] lstrcmpiW (lpString1="windows", lpString2="$Recycle.Bin") returned 1 [0078.084] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0078.084] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0078.084] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="$Recycle.Bin" | out: lpString1="\\\\?\\C:\\$Recycle.Bin") returned="\\\\?\\C:\\$Recycle.Bin" [0078.084] lstrcatW (in: lpString1="\\\\?\\C:\\$Recycle.Bin", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\*.*") returned="\\\\?\\C:\\$Recycle.Bin\\*.*" [0078.084] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5f6d80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0078.085] CloseHandle (hObject=0x308) returned 1 [0078.085] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0x2bffd28 | out: lpFindFileData=0x2bffd28) returned 1 [0078.085] lstrcmpW (lpString1=".", lpString2="Boot") returned -1 [0078.085] lstrcmpW (lpString1="..", lpString2="Boot") returned -1 [0078.085] lstrcmpiW (lpString1="windows", lpString2="Boot") returned 1 [0078.087] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0078.087] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0078.087] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="Boot" | out: lpString1="\\\\?\\C:\\Boot") returned="\\\\?\\C:\\Boot" [0078.087] lstrcatW (in: lpString1="\\\\?\\C:\\Boot", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.087] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x60ede8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0078.087] CloseHandle (hObject=0x308) returned 1 [0078.088] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0x2bffd28 | out: lpFindFileData=0x2bffd28) returned 1 [0078.088] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0078.088] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0078.088] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\How To Restore Files.hta") returned="\\\\?\\C:\\How To Restore Files.hta" [0078.088] GetFileAttributesW (lpFileName="\\\\?\\C:\\How To Restore Files.hta" (normalized: "c:\\how to restore files.hta")) returned 0xffffffff [0078.089] CreateFileW (lpFileName="\\\\?\\C:\\How To Restore Files.hta" (normalized: "c:\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0078.102] WriteFile (in: hFile=0x308, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x2bffcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2bffcf0*=0x38e, lpOverlapped=0x0) returned 1 [0078.103] CloseHandle (hObject=0x308) returned 1 [0078.107] SetFileAttributesW (lpFileName="\\\\?\\C:\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0078.108] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr") returned 1 [0078.108] lstrlenW (lpString="bootmgr") returned 7 [0078.108] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0078.108] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0078.108] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="bootmgr" | out: lpString1="\\\\?\\C:\\bootmgr") returned="\\\\?\\C:\\bootmgr" [0078.108] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\bootmgr" | out: lpString1="\\\\?\\C:\\bootmgr") returned="\\\\?\\C:\\bootmgr" [0078.108] lstrcatW (in: lpString1="\\\\?\\C:\\bootmgr", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\bootmgr id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\bootmgr id-Br3n0G72wUb8CejT.LyaS" [0078.108] SetFileAttributesW (lpFileName="\\\\?\\C:\\bootmgr", dwFileAttributes=0x80) returned 0 [0078.311] MoveFileW (lpExistingFileName="\\\\?\\C:\\bootmgr" (normalized: "c:\\bootmgr"), lpNewFileName="\\\\?\\C:\\bootmgr id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\bootmgr id-br3n0g72wub8cejt.lyas")) returned 1 [0078.359] CreateFileW (lpFileName="\\\\?\\C:\\bootmgr id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\bootmgr id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0078.360] MoveFileW (lpExistingFileName="\\\\?\\C:\\bootmgr id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\bootmgr id-br3n0g72wub8cejt.lyas"), lpNewFileName="\\\\?\\C:\\bootmgr" (normalized: "c:\\bootmgr")) returned 1 [0078.360] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0x2bffd28 | out: lpFindFileData=0x2bffd28) returned 1 [0078.360] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0078.360] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0078.360] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\How To Restore Files.hta") returned="\\\\?\\C:\\How To Restore Files.hta" [0078.360] GetFileAttributesW (lpFileName="\\\\?\\C:\\How To Restore Files.hta" (normalized: "c:\\how to restore files.hta")) returned 0x1 [0078.360] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0x2bffd28 | out: lpFindFileData=0x2bffd28) returned 1 [0078.360] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0078.360] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0078.360] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\How To Restore Files.hta") returned="\\\\?\\C:\\How To Restore Files.hta" [0078.361] GetFileAttributesW (lpFileName="\\\\?\\C:\\How To Restore Files.hta" (normalized: "c:\\how to restore files.hta")) returned 0x1 [0078.361] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="BOOTSECT.BAK") returned 1 [0078.361] lstrlenW (lpString="BOOTSECT.BAK") returned 12 [0078.361] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0078.361] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0078.361] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="BOOTSECT.BAK" | out: lpString1="\\\\?\\C:\\BOOTSECT.BAK") returned="\\\\?\\C:\\BOOTSECT.BAK" [0078.361] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\BOOTSECT.BAK" | out: lpString1="\\\\?\\C:\\BOOTSECT.BAK") returned="\\\\?\\C:\\BOOTSECT.BAK" [0078.361] lstrcatW (in: lpString1="\\\\?\\C:\\BOOTSECT.BAK", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\BOOTSECT.BAK id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\BOOTSECT.BAK id-Br3n0G72wUb8CejT.LyaS" [0078.361] SetFileAttributesW (lpFileName="\\\\?\\C:\\BOOTSECT.BAK", dwFileAttributes=0x80) returned 1 [0078.585] MoveFileW (lpExistingFileName="\\\\?\\C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), lpNewFileName="\\\\?\\C:\\BOOTSECT.BAK id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\bootsect.bak id-br3n0g72wub8cejt.lyas")) returned 1 [0078.586] CreateFileW (lpFileName="\\\\?\\C:\\BOOTSECT.BAK id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\bootsect.bak id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0078.586] CreateFileMappingA (hFile=0x300, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x2e4 [0078.586] CryptAcquireContextA (in: phProv=0x2bffce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2bffce4*=0x5d19c0) returned 1 [0078.587] CryptGenKey (in: hProv=0x5d19c0, Algid=0x6610, dwFlags=0x1, phKey=0x2bffce0 | out: phKey=0x2bffce0*=0x5c8c50) returned 1 [0078.587] CryptExportKey (in: hKey=0x5c8c50, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2bffbdc, pdwDataLen=0x2bffcdc | out: pbData=0x2bffbdc*, pdwDataLen=0x2bffcdc*=0x2c) returned 1 [0078.587] MapViewOfFile (hFileMappingObject=0x2e4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2000) returned 0x46c0000 [0078.759] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2bffbdc*, pdwDataLen=0x2bffcf0*=0x40, dwBufLen=0x100 | out: pbData=0x2bffbdc*, pdwDataLen=0x2bffcf0*=0x100) returned 1 [0078.759] CryptEncrypt (in: hKey=0x5c8c50, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x46c0000, pdwDataLen=0x2bffcdc*=0x2000, dwBufLen=0x2000 | out: pbData=0x46c0000*, pdwDataLen=0x2bffcdc*=0x2000) returned 1 [0078.759] UnmapViewOfFile (lpBaseAddress=0x46c0000) returned 1 [0078.759] CloseHandle (hObject=0x2e4) returned 1 [0078.759] CryptDestroyKey (hKey=0x5c8c50) returned 1 [0078.759] CryptReleaseContext (hProv=0x5d19c0, dwFlags=0x0) returned 1 [0078.759] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.760] WriteFile (in: hFile=0x300, lpBuffer=0x2bffbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2bffcf0, lpOverlapped=0x0 | out: lpBuffer=0x2bffbdc*, lpNumberOfBytesWritten=0x2bffcf0*=0x100, lpOverlapped=0x0) returned 1 [0078.760] WriteFile (in: hFile=0x300, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x2bffcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x2bffcf0*=0x500, lpOverlapped=0x0) returned 1 [0078.761] CloseHandle (hObject=0x300) returned 1 [0078.764] SetFileAttributesW (lpFileName="\\\\?\\C:\\BOOTSECT.BAK id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0078.765] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0x2bffd28 | out: lpFindFileData=0x2bffd28) returned 1 [0078.765] lstrcmpW (lpString1=".", lpString2="Config.Msi") returned -1 [0078.765] lstrcmpW (lpString1="..", lpString2="Config.Msi") returned -1 [0078.765] lstrcmpiW (lpString1="windows", lpString2="Config.Msi") returned 1 [0078.768] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0078.768] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0078.768] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="Config.Msi" | out: lpString1="\\\\?\\C:\\Config.Msi") returned="\\\\?\\C:\\Config.Msi" [0078.768] lstrcatW (in: lpString1="\\\\?\\C:\\Config.Msi", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Config.Msi\\*.*") returned="\\\\?\\C:\\Config.Msi\\*.*" [0078.768] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5990048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x300 [0078.769] CloseHandle (hObject=0x300) returned 1 [0078.769] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0x2bffd28 | out: lpFindFileData=0x2bffd28) returned 1 [0078.769] lstrcmpW (lpString1=".", lpString2="Documents and Settings") returned -1 [0078.769] lstrcmpW (lpString1="..", lpString2="Documents and Settings") returned -1 [0078.769] lstrcmpiW (lpString1="windows", lpString2="Documents and Settings") returned 1 [0078.771] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0078.771] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0078.771] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="Documents and Settings" | out: lpString1="\\\\?\\C:\\Documents and Settings") returned="\\\\?\\C:\\Documents and Settings" [0078.771] lstrcatW (in: lpString1="\\\\?\\C:\\Documents and Settings", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Documents and Settings\\*.*") returned="\\\\?\\C:\\Documents and Settings\\*.*" [0078.771] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x59a80b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x300 [0078.772] CloseHandle (hObject=0x300) returned 1 [0078.772] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0x2bffd28 | out: lpFindFileData=0x2bffd28) returned 1 [0078.772] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0078.772] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0078.772] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\How To Restore Files.hta") returned="\\\\?\\C:\\How To Restore Files.hta" [0078.772] GetFileAttributesW (lpFileName="\\\\?\\C:\\How To Restore Files.hta" (normalized: "c:\\how to restore files.hta")) returned 0x1 [0078.772] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="hiberfil.sys") returned 1 [0078.772] lstrlenW (lpString="hiberfil.sys") returned 12 [0078.772] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0078.772] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0078.772] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="hiberfil.sys" | out: lpString1="\\\\?\\C:\\hiberfil.sys") returned="\\\\?\\C:\\hiberfil.sys" [0078.772] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\hiberfil.sys" | out: lpString1="\\\\?\\C:\\hiberfil.sys") returned="\\\\?\\C:\\hiberfil.sys" [0078.772] lstrcatW (in: lpString1="\\\\?\\C:\\hiberfil.sys", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\hiberfil.sys id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\hiberfil.sys id-Br3n0G72wUb8CejT.LyaS" [0078.773] MoveFileW (lpExistingFileName="\\\\?\\C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), lpNewFileName="\\\\?\\C:\\hiberfil.sys id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\hiberfil.sys id-br3n0g72wub8cejt.lyas")) returned 0 [0078.773] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0x2bffd28 | out: lpFindFileData=0x2bffd28) returned 1 [0078.773] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0078.773] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0078.773] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\How To Restore Files.hta") returned="\\\\?\\C:\\How To Restore Files.hta" [0078.773] GetFileAttributesW (lpFileName="\\\\?\\C:\\How To Restore Files.hta" (normalized: "c:\\how to restore files.hta")) returned 0x1 [0078.773] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="pagefile.sys") returned -1 [0078.773] lstrlenW (lpString="pagefile.sys") returned 12 [0078.773] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0078.773] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0078.773] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="pagefile.sys" | out: lpString1="\\\\?\\C:\\pagefile.sys") returned="\\\\?\\C:\\pagefile.sys" [0078.773] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\pagefile.sys" | out: lpString1="\\\\?\\C:\\pagefile.sys") returned="\\\\?\\C:\\pagefile.sys" [0078.773] lstrcatW (in: lpString1="\\\\?\\C:\\pagefile.sys", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\pagefile.sys id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\pagefile.sys id-Br3n0G72wUb8CejT.LyaS" [0078.773] MoveFileW (lpExistingFileName="\\\\?\\C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), lpNewFileName="\\\\?\\C:\\pagefile.sys id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\pagefile.sys id-br3n0g72wub8cejt.lyas")) returned 0 [0078.774] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0x2bffd28 | out: lpFindFileData=0x2bffd28) returned 1 [0078.774] lstrcmpW (lpString1=".", lpString2="PerfLogs") returned -1 [0078.774] lstrcmpW (lpString1="..", lpString2="PerfLogs") returned -1 [0078.774] lstrcmpiW (lpString1="windows", lpString2="PerfLogs") returned 1 [0078.775] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0078.775] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0078.775] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="PerfLogs" | out: lpString1="\\\\?\\C:\\PerfLogs") returned="\\\\?\\C:\\PerfLogs" [0078.775] lstrcatW (in: lpString1="\\\\?\\C:\\PerfLogs", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\PerfLogs\\*.*") returned="\\\\?\\C:\\PerfLogs\\*.*" [0078.776] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x59c0118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x300 [0078.776] CloseHandle (hObject=0x300) returned 1 [0078.776] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0x2bffd28 | out: lpFindFileData=0x2bffd28) returned 1 [0078.776] lstrcmpW (lpString1=".", lpString2="Program Files") returned -1 [0078.776] lstrcmpW (lpString1="..", lpString2="Program Files") returned -1 [0078.776] lstrcmpiW (lpString1="windows", lpString2="Program Files") returned 1 [0078.778] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0078.778] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0078.778] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="Program Files" | out: lpString1="\\\\?\\C:\\Program Files") returned="\\\\?\\C:\\Program Files" [0078.778] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0078.778] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x59d8180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x300 [0078.779] CloseHandle (hObject=0x300) returned 1 [0078.779] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0x2bffd28 | out: lpFindFileData=0x2bffd28) returned 1 [0078.779] lstrcmpW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.779] lstrcmpW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.779] lstrcmpiW (lpString1="windows", lpString2="Program Files (x86)") returned 1 [0078.780] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0078.780] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0078.780] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="Program Files (x86)" | out: lpString1="\\\\?\\C:\\Program Files (x86)") returned="\\\\?\\C:\\Program Files (x86)" [0078.780] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0078.781] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x59f01e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x300 [0078.781] CloseHandle (hObject=0x300) returned 1 [0078.782] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0x2bffd28 | out: lpFindFileData=0x2bffd28) returned 1 [0078.782] lstrcmpW (lpString1=".", lpString2="ProgramData") returned -1 [0078.782] lstrcmpW (lpString1="..", lpString2="ProgramData") returned -1 [0078.782] lstrcmpiW (lpString1="windows", lpString2="ProgramData") returned 1 [0078.784] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0078.784] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0078.784] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="ProgramData" | out: lpString1="\\\\?\\C:\\ProgramData") returned="\\\\?\\C:\\ProgramData" [0078.785] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0078.785] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5a08250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x300 [0078.786] CloseHandle (hObject=0x300) returned 1 [0078.786] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0x2bffd28 | out: lpFindFileData=0x2bffd28) returned 1 [0078.786] lstrcmpW (lpString1=".", lpString2="Recovery") returned -1 [0078.786] lstrcmpW (lpString1="..", lpString2="Recovery") returned -1 [0078.786] lstrcmpiW (lpString1="windows", lpString2="Recovery") returned 1 [0078.788] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0078.788] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0078.788] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="Recovery" | out: lpString1="\\\\?\\C:\\Recovery") returned="\\\\?\\C:\\Recovery" [0078.788] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Recovery\\*.*") returned="\\\\?\\C:\\Recovery\\*.*" [0078.788] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5a202b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x300 [0078.789] CloseHandle (hObject=0x300) returned 1 [0078.789] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0x2bffd28 | out: lpFindFileData=0x2bffd28) returned 1 [0078.789] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0078.789] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0078.789] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\How To Restore Files.hta") returned="\\\\?\\C:\\How To Restore Files.hta" [0078.789] GetFileAttributesW (lpFileName="\\\\?\\C:\\How To Restore Files.hta" (normalized: "c:\\how to restore files.hta")) returned 0x1 [0078.790] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="swapfile.sys") returned -1 [0078.790] lstrlenW (lpString="swapfile.sys") returned 12 [0078.790] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0078.790] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0078.790] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="swapfile.sys" | out: lpString1="\\\\?\\C:\\swapfile.sys") returned="\\\\?\\C:\\swapfile.sys" [0078.790] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\swapfile.sys" | out: lpString1="\\\\?\\C:\\swapfile.sys") returned="\\\\?\\C:\\swapfile.sys" [0078.790] lstrcatW (in: lpString1="\\\\?\\C:\\swapfile.sys", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\swapfile.sys id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\swapfile.sys id-Br3n0G72wUb8CejT.LyaS" [0078.790] MoveFileW (lpExistingFileName="\\\\?\\C:\\swapfile.sys" (normalized: "c:\\swapfile.sys"), lpNewFileName="\\\\?\\C:\\swapfile.sys id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\swapfile.sys id-br3n0g72wub8cejt.lyas")) returned 0 [0078.791] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0x2bffd28 | out: lpFindFileData=0x2bffd28) returned 1 [0078.791] lstrcmpW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.791] lstrcmpW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.791] lstrcmpiW (lpString1="windows", lpString2="System Volume Information") returned 1 [0078.793] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0078.793] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0078.793] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="System Volume Information" | out: lpString1="\\\\?\\C:\\System Volume Information") returned="\\\\?\\C:\\System Volume Information" [0078.793] lstrcatW (in: lpString1="\\\\?\\C:\\System Volume Information", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\System Volume Information\\*.*") returned="\\\\?\\C:\\System Volume Information\\*.*" [0078.793] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5a38320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x328 [0079.686] CloseHandle (hObject=0x328) returned 1 [0079.686] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0x2bffd28 | out: lpFindFileData=0x2bffd28) returned 1 [0079.686] lstrcmpW (lpString1=".", lpString2="Users") returned -1 [0079.686] lstrcmpW (lpString1="..", lpString2="Users") returned -1 [0079.686] lstrcmpiW (lpString1="windows", lpString2="Users") returned 1 [0079.686] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0079.686] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0079.686] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="Users" | out: lpString1="\\\\?\\C:\\Users") returned="\\\\?\\C:\\Users" [0079.686] lstrcatW (in: lpString1="\\\\?\\C:\\Users", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\*.*") returned="\\\\?\\C:\\Users\\*.*" [0079.686] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x64eec0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x328 [0079.688] CloseHandle (hObject=0x328) returned 1 [0079.688] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0x2bffd28 | out: lpFindFileData=0x2bffd28) returned 1 [0079.688] lstrcmpW (lpString1=".", lpString2="Windows") returned -1 [0079.688] lstrcmpW (lpString1="..", lpString2="Windows") returned -1 [0079.688] lstrcmpiW (lpString1="windows", lpString2="Windows") returned 0 [0079.688] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0x2bffd28 | out: lpFindFileData=0x2bffd28) returned 0 [0079.689] FindClose (in: hFindFile=0x5c85d0 | out: hFindFile=0x5c85d0) returned 1 Thread: id = 12 os_tid = 0xd80 [0078.130] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\*.*", lpFindFileData=0x2d3fd28 | out: lpFindFileData=0x2d3fd28) returned 0x5c8710 [0078.303] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.304] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x2d3fd28 | out: lpFindFileData=0x2d3fd28) returned 1 [0078.304] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0078.304] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.304] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x2d3fd28 | out: lpFindFileData=0x2d3fd28) returned 1 [0078.304] lstrcmpW (lpString1=".", lpString2="S-1-5-18") returned -1 [0078.304] lstrcmpW (lpString1="..", lpString2="S-1-5-18") returned -1 [0078.304] lstrcmpiW (lpString1="windows", lpString2="S-1-5-18") returned 1 [0078.305] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\$Recycle.Bin\\*.*" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\*.*") returned="\\\\?\\C:\\$Recycle.Bin\\*.*" [0078.305] lstrlenW (lpString="\\\\?\\C:\\$Recycle.Bin\\*.*") returned 23 [0078.305] lstrcatW (in: lpString1="\\\\?\\C:\\$Recycle.Bin\\", lpString2="S-1-5-18" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18" [0078.305] lstrcatW (in: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\*.*") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\*.*" [0078.305] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x636e58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x328 [0078.306] CloseHandle (hObject=0x328) returned 1 [0078.306] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x2d3fd28 | out: lpFindFileData=0x2d3fd28) returned 1 [0078.306] lstrcmpW (lpString1=".", lpString2="S-1-5-21-1462094071-1423818996-289466292-1000") returned -1 [0078.306] lstrcmpW (lpString1="..", lpString2="S-1-5-21-1462094071-1423818996-289466292-1000") returned -1 [0078.306] lstrcmpiW (lpString1="windows", lpString2="S-1-5-21-1462094071-1423818996-289466292-1000") returned 1 [0078.307] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\$Recycle.Bin\\*.*" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\*.*") returned="\\\\?\\C:\\$Recycle.Bin\\*.*" [0078.308] lstrlenW (lpString="\\\\?\\C:\\$Recycle.Bin\\*.*") returned 23 [0078.308] lstrcatW (in: lpString1="\\\\?\\C:\\$Recycle.Bin\\", lpString2="S-1-5-21-1462094071-1423818996-289466292-1000" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000" [0078.308] lstrcatW (in: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\*.*") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\*.*" [0078.308] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x64eec0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x328 [0078.308] CloseHandle (hObject=0x328) returned 1 [0078.309] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x2d3fd28 | out: lpFindFileData=0x2d3fd28) returned 0 [0078.309] FindClose (in: hFindFile=0x5c8710 | out: hFindFile=0x5c8710) returned 1 Thread: id = 13 os_tid = 0xd78 [0078.130] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\*.*", lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 0x5c86d0 [0078.130] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.130] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.316] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0078.316] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.316] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.317] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.317] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.317] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\How To Restore Files.hta" [0078.317] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\How To Restore Files.hta" (normalized: "c:\\boot\\how to restore files.hta")) returned 0xffffffff [0078.317] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\How To Restore Files.hta" (normalized: "c:\\boot\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0078.328] WriteFile (in: hFile=0x328, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x2e7fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2e7fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0078.329] CloseHandle (hObject=0x328) returned 1 [0078.329] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0078.330] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="BCD") returned 1 [0078.330] lstrlenW (lpString="BCD") returned 3 [0078.330] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.331] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.331] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="BCD" | out: lpString1="\\\\?\\C:\\Boot\\BCD") returned="\\\\?\\C:\\Boot\\BCD" [0078.331] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\BCD" | out: lpString1="\\\\?\\C:\\Boot\\BCD") returned="\\\\?\\C:\\Boot\\BCD" [0078.331] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\BCD", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\BCD id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\BCD id-Br3n0G72wUb8CejT.LyaS" [0078.331] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), lpNewFileName="\\\\?\\C:\\Boot\\BCD id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\bcd id-br3n0g72wub8cejt.lyas")) returned 0 [0078.331] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.331] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.331] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.331] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\How To Restore Files.hta" [0078.331] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\How To Restore Files.hta" (normalized: "c:\\boot\\how to restore files.hta")) returned 0x1 [0078.332] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="BCD.LOG") returned 1 [0078.332] lstrlenW (lpString="BCD.LOG") returned 7 [0078.332] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.332] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.332] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="BCD.LOG" | out: lpString1="\\\\?\\C:\\Boot\\BCD.LOG") returned="\\\\?\\C:\\Boot\\BCD.LOG" [0078.332] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\BCD.LOG" | out: lpString1="\\\\?\\C:\\Boot\\BCD.LOG") returned="\\\\?\\C:\\Boot\\BCD.LOG" [0078.332] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\BCD.LOG", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\BCD.LOG id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\BCD.LOG id-Br3n0G72wUb8CejT.LyaS" [0078.332] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), lpNewFileName="\\\\?\\C:\\Boot\\BCD.LOG id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\bcd.log id-br3n0g72wub8cejt.lyas")) returned 0 [0078.332] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.332] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.332] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.332] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\How To Restore Files.hta" [0078.332] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\How To Restore Files.hta" (normalized: "c:\\boot\\how to restore files.hta")) returned 0x1 [0078.333] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.333] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.333] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.333] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\How To Restore Files.hta" [0078.333] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\How To Restore Files.hta" (normalized: "c:\\boot\\how to restore files.hta")) returned 0x1 [0078.333] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.333] lstrcmpW (lpString1=".", lpString2="bg-BG") returned -1 [0078.333] lstrcmpW (lpString1="..", lpString2="bg-BG") returned -1 [0078.333] lstrcmpiW (lpString1="windows", lpString2="bg-BG") returned 1 [0078.335] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.335] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.335] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="bg-BG" | out: lpString1="\\\\?\\C:\\Boot\\bg-BG") returned="\\\\?\\C:\\Boot\\bg-BG" [0078.335] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\bg-BG", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\bg-BG\\*.*") returned="\\\\?\\C:\\Boot\\bg-BG\\*.*" [0078.335] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2c00048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x328 [0078.336] CloseHandle (hObject=0x328) returned 1 [0078.336] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.336] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.336] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.336] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\How To Restore Files.hta" [0078.336] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\How To Restore Files.hta" (normalized: "c:\\boot\\how to restore files.hta")) returned 0x1 [0078.336] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="BOOTSTAT.DAT") returned 1 [0078.336] lstrlenW (lpString="BOOTSTAT.DAT") returned 12 [0078.336] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.336] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.337] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="BOOTSTAT.DAT" | out: lpString1="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" [0078.337] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" | out: lpString1="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" [0078.337] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\BOOTSTAT.DAT", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\BOOTSTAT.DAT id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\BOOTSTAT.DAT id-Br3n0G72wUb8CejT.LyaS" [0078.337] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), lpNewFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\bootstat.dat id-br3n0g72wub8cejt.lyas")) returned 1 [0078.337] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\bootstat.dat id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0078.338] CreateFileMappingA (hFile=0x328, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x304 [0078.338] CryptAcquireContextA (in: phProv=0x2e7fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2e7fce4*=0x5d13e8) returned 1 [0078.338] CryptGenKey (in: hProv=0x5d13e8, Algid=0x6610, dwFlags=0x1, phKey=0x2e7fce0 | out: phKey=0x2e7fce0*=0x5c8710) returned 1 [0078.339] CryptExportKey (in: hKey=0x5c8710, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2e7fbdc, pdwDataLen=0x2e7fcdc | out: pbData=0x2e7fbdc*, pdwDataLen=0x2e7fcdc*=0x2c) returned 1 [0078.339] MapViewOfFile (hFileMappingObject=0x304, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10000) returned 0x22f0000 [0078.357] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2e7fbdc*, pdwDataLen=0x2e7fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x2e7fbdc*, pdwDataLen=0x2e7fcf0*=0x100) returned 1 [0078.358] CryptEncrypt (in: hKey=0x5c8710, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x22f0000, pdwDataLen=0x2e7fcdc*=0x10000, dwBufLen=0x10000 | out: pbData=0x22f0000*, pdwDataLen=0x2e7fcdc*=0x10000) returned 1 [0078.380] UnmapViewOfFile (lpBaseAddress=0x22f0000) returned 1 [0078.381] CloseHandle (hObject=0x304) returned 1 [0078.381] CryptDestroyKey (hKey=0x5c8710) returned 1 [0078.381] CryptReleaseContext (hProv=0x5d13e8, dwFlags=0x0) returned 1 [0078.381] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.381] WriteFile (in: hFile=0x328, lpBuffer=0x2e7fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2e7fcf0, lpOverlapped=0x0 | out: lpBuffer=0x2e7fbdc*, lpNumberOfBytesWritten=0x2e7fcf0*=0x100, lpOverlapped=0x0) returned 1 [0078.382] WriteFile (in: hFile=0x328, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x2e7fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x2e7fcf0*=0x500, lpOverlapped=0x0) returned 1 [0078.382] CloseHandle (hObject=0x328) returned 1 [0078.394] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0078.419] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.419] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.419] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.419] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\How To Restore Files.hta" [0078.419] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\How To Restore Files.hta" (normalized: "c:\\boot\\how to restore files.hta")) returned 0x1 [0078.420] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootvhd.dll") returned 1 [0078.420] lstrlenW (lpString="bootvhd.dll") returned 11 [0078.420] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.420] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.420] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="bootvhd.dll" | out: lpString1="\\\\?\\C:\\Boot\\bootvhd.dll") returned="\\\\?\\C:\\Boot\\bootvhd.dll" [0078.420] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\bootvhd.dll" | out: lpString1="\\\\?\\C:\\Boot\\bootvhd.dll") returned="\\\\?\\C:\\Boot\\bootvhd.dll" [0078.420] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\bootvhd.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\bootvhd.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\bootvhd.dll id-Br3n0G72wUb8CejT.LyaS" [0078.420] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), lpNewFileName="\\\\?\\C:\\Boot\\bootvhd.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\bootvhd.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0078.420] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.420] lstrcmpW (lpString1=".", lpString2="cs-CZ") returned -1 [0078.420] lstrcmpW (lpString1="..", lpString2="cs-CZ") returned -1 [0078.421] lstrcmpiW (lpString1="windows", lpString2="cs-CZ") returned 1 [0078.425] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.425] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.425] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="cs-CZ" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ") returned="\\\\?\\C:\\Boot\\cs-CZ" [0078.425] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\cs-CZ", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\*.*") returned="\\\\?\\C:\\Boot\\cs-CZ\\*.*" [0078.425] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2c180b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x328 [0078.426] CloseHandle (hObject=0x328) returned 1 [0078.426] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.426] lstrcmpW (lpString1=".", lpString2="da-DK") returned -1 [0078.426] lstrcmpW (lpString1="..", lpString2="da-DK") returned -1 [0078.426] lstrcmpiW (lpString1="windows", lpString2="da-DK") returned 1 [0078.427] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.427] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.428] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="da-DK" | out: lpString1="\\\\?\\C:\\Boot\\da-DK") returned="\\\\?\\C:\\Boot\\da-DK" [0078.428] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\da-DK", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\da-DK\\*.*") returned="\\\\?\\C:\\Boot\\da-DK\\*.*" [0078.428] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2c30118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x328 [0078.428] CloseHandle (hObject=0x328) returned 1 [0078.428] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.428] lstrcmpW (lpString1=".", lpString2="de-DE") returned -1 [0078.429] lstrcmpW (lpString1="..", lpString2="de-DE") returned -1 [0078.429] lstrcmpiW (lpString1="windows", lpString2="de-DE") returned 1 [0078.430] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.430] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.430] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="de-DE" | out: lpString1="\\\\?\\C:\\Boot\\de-DE") returned="\\\\?\\C:\\Boot\\de-DE" [0078.430] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\de-DE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\de-DE\\*.*") returned="\\\\?\\C:\\Boot\\de-DE\\*.*" [0078.430] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2c48180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x328 [0078.431] CloseHandle (hObject=0x328) returned 1 [0078.431] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.431] lstrcmpW (lpString1=".", lpString2="el-GR") returned -1 [0078.431] lstrcmpW (lpString1="..", lpString2="el-GR") returned -1 [0078.431] lstrcmpiW (lpString1="windows", lpString2="el-GR") returned 1 [0078.433] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.433] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.433] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="el-GR" | out: lpString1="\\\\?\\C:\\Boot\\el-GR") returned="\\\\?\\C:\\Boot\\el-GR" [0078.433] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\el-GR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\el-GR\\*.*") returned="\\\\?\\C:\\Boot\\el-GR\\*.*" [0078.433] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2c601e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x328 [0078.434] CloseHandle (hObject=0x328) returned 1 [0078.434] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.434] lstrcmpW (lpString1=".", lpString2="en-GB") returned -1 [0078.434] lstrcmpW (lpString1="..", lpString2="en-GB") returned -1 [0078.434] lstrcmpiW (lpString1="windows", lpString2="en-GB") returned 1 [0078.436] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.436] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.436] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="en-GB" | out: lpString1="\\\\?\\C:\\Boot\\en-GB") returned="\\\\?\\C:\\Boot\\en-GB" [0078.436] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\en-GB", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\en-GB\\*.*") returned="\\\\?\\C:\\Boot\\en-GB\\*.*" [0078.436] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2c78250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x328 [0078.436] CloseHandle (hObject=0x328) returned 1 [0078.436] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.436] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0078.437] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0078.437] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0078.459] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.459] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.459] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Boot\\en-US") returned="\\\\?\\C:\\Boot\\en-US" [0078.459] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\*.*") returned="\\\\?\\C:\\Boot\\en-US\\*.*" [0078.459] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2c902b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x328 [0078.460] CloseHandle (hObject=0x328) returned 1 [0078.460] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.460] lstrcmpW (lpString1=".", lpString2="es-ES") returned -1 [0078.460] lstrcmpW (lpString1="..", lpString2="es-ES") returned -1 [0078.460] lstrcmpiW (lpString1="windows", lpString2="es-ES") returned 1 [0078.462] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.462] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.462] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="es-ES" | out: lpString1="\\\\?\\C:\\Boot\\es-ES") returned="\\\\?\\C:\\Boot\\es-ES" [0078.462] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\es-ES", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\es-ES\\*.*") returned="\\\\?\\C:\\Boot\\es-ES\\*.*" [0078.462] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2ca8320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x328 [0078.463] CloseHandle (hObject=0x328) returned 1 [0078.463] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.463] lstrcmpW (lpString1=".", lpString2="es-MX") returned -1 [0078.463] lstrcmpW (lpString1="..", lpString2="es-MX") returned -1 [0078.463] lstrcmpiW (lpString1="windows", lpString2="es-MX") returned 1 [0078.464] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.464] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.464] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="es-MX" | out: lpString1="\\\\?\\C:\\Boot\\es-MX") returned="\\\\?\\C:\\Boot\\es-MX" [0078.465] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\es-MX", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\es-MX\\*.*") returned="\\\\?\\C:\\Boot\\es-MX\\*.*" [0078.465] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2cc0388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x328 [0078.465] CloseHandle (hObject=0x328) returned 1 [0078.465] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.465] lstrcmpW (lpString1=".", lpString2="et-EE") returned -1 [0078.465] lstrcmpW (lpString1="..", lpString2="et-EE") returned -1 [0078.466] lstrcmpiW (lpString1="windows", lpString2="et-EE") returned 1 [0078.467] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.467] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.467] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="et-EE" | out: lpString1="\\\\?\\C:\\Boot\\et-EE") returned="\\\\?\\C:\\Boot\\et-EE" [0078.467] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\et-EE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\et-EE\\*.*") returned="\\\\?\\C:\\Boot\\et-EE\\*.*" [0078.467] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2cd83f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x328 [0078.468] CloseHandle (hObject=0x328) returned 1 [0078.468] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.468] lstrcmpW (lpString1=".", lpString2="fi-FI") returned -1 [0078.468] lstrcmpW (lpString1="..", lpString2="fi-FI") returned -1 [0078.468] lstrcmpiW (lpString1="windows", lpString2="fi-FI") returned 1 [0078.473] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.473] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.474] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="fi-FI" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI") returned="\\\\?\\C:\\Boot\\fi-FI" [0078.474] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fi-FI", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI\\*.*") returned="\\\\?\\C:\\Boot\\fi-FI\\*.*" [0078.474] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3d40048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x328 [0078.474] CloseHandle (hObject=0x328) returned 1 [0078.475] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.475] lstrcmpW (lpString1=".", lpString2="Fonts") returned -1 [0078.475] lstrcmpW (lpString1="..", lpString2="Fonts") returned -1 [0078.475] lstrcmpiW (lpString1="windows", lpString2="Fonts") returned 1 [0078.476] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.476] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.476] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="Fonts" | out: lpString1="\\\\?\\C:\\Boot\\Fonts") returned="\\\\?\\C:\\Boot\\Fonts" [0078.476] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0078.476] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3d580b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x328 [0078.477] CloseHandle (hObject=0x328) returned 1 [0078.477] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.477] lstrcmpW (lpString1=".", lpString2="fr-CA") returned -1 [0078.477] lstrcmpW (lpString1="..", lpString2="fr-CA") returned -1 [0078.477] lstrcmpiW (lpString1="windows", lpString2="fr-CA") returned 1 [0078.479] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.479] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.479] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="fr-CA" | out: lpString1="\\\\?\\C:\\Boot\\fr-CA") returned="\\\\?\\C:\\Boot\\fr-CA" [0078.479] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fr-CA", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\fr-CA\\*.*") returned="\\\\?\\C:\\Boot\\fr-CA\\*.*" [0078.479] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3d70118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x328 [0078.480] CloseHandle (hObject=0x328) returned 1 [0078.480] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.480] lstrcmpW (lpString1=".", lpString2="fr-FR") returned -1 [0078.480] lstrcmpW (lpString1="..", lpString2="fr-FR") returned -1 [0078.480] lstrcmpiW (lpString1="windows", lpString2="fr-FR") returned 1 [0078.482] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.482] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.482] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="fr-FR" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR") returned="\\\\?\\C:\\Boot\\fr-FR" [0078.482] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fr-FR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR\\*.*") returned="\\\\?\\C:\\Boot\\fr-FR\\*.*" [0078.482] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3d88180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x328 [0078.483] CloseHandle (hObject=0x328) returned 1 [0078.483] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.483] lstrcmpW (lpString1=".", lpString2="hr-HR") returned -1 [0078.483] lstrcmpW (lpString1="..", lpString2="hr-HR") returned -1 [0078.483] lstrcmpiW (lpString1="windows", lpString2="hr-HR") returned 1 [0078.485] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.485] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.485] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="hr-HR" | out: lpString1="\\\\?\\C:\\Boot\\hr-HR") returned="\\\\?\\C:\\Boot\\hr-HR" [0078.485] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\hr-HR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\hr-HR\\*.*") returned="\\\\?\\C:\\Boot\\hr-HR\\*.*" [0078.485] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3da01e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x328 [0078.486] CloseHandle (hObject=0x328) returned 1 [0078.486] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.486] lstrcmpW (lpString1=".", lpString2="hu-HU") returned -1 [0078.486] lstrcmpW (lpString1="..", lpString2="hu-HU") returned -1 [0078.487] lstrcmpiW (lpString1="windows", lpString2="hu-HU") returned 1 [0078.488] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.488] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.488] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="hu-HU" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU") returned="\\\\?\\C:\\Boot\\hu-HU" [0078.488] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\hu-HU", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU\\*.*") returned="\\\\?\\C:\\Boot\\hu-HU\\*.*" [0078.488] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3db8250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x328 [0078.498] CloseHandle (hObject=0x328) returned 1 [0078.498] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.498] lstrcmpW (lpString1=".", lpString2="it-IT") returned -1 [0078.498] lstrcmpW (lpString1="..", lpString2="it-IT") returned -1 [0078.498] lstrcmpiW (lpString1="windows", lpString2="it-IT") returned 1 [0078.500] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.500] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.702] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="it-IT" | out: lpString1="\\\\?\\C:\\Boot\\it-IT") returned="\\\\?\\C:\\Boot\\it-IT" [0078.702] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\it-IT", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\it-IT\\*.*") returned="\\\\?\\C:\\Boot\\it-IT\\*.*" [0078.702] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3dd02b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x314 [0078.705] CloseHandle (hObject=0x314) returned 1 [0078.705] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.705] lstrcmpW (lpString1=".", lpString2="ja-JP") returned -1 [0078.705] lstrcmpW (lpString1="..", lpString2="ja-JP") returned -1 [0078.705] lstrcmpiW (lpString1="windows", lpString2="ja-JP") returned 1 [0078.706] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.706] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.706] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="ja-JP" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP") returned="\\\\?\\C:\\Boot\\ja-JP" [0078.706] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ja-JP", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP\\*.*") returned="\\\\?\\C:\\Boot\\ja-JP\\*.*" [0078.706] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5f6d80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x314 [0078.707] CloseHandle (hObject=0x314) returned 1 [0078.707] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.707] lstrcmpW (lpString1=".", lpString2="ko-KR") returned -1 [0078.707] lstrcmpW (lpString1="..", lpString2="ko-KR") returned -1 [0078.707] lstrcmpiW (lpString1="windows", lpString2="ko-KR") returned 1 [0078.709] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.709] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.709] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="ko-KR" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR") returned="\\\\?\\C:\\Boot\\ko-KR" [0078.709] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ko-KR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR\\*.*") returned="\\\\?\\C:\\Boot\\ko-KR\\*.*" [0078.709] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3de8320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x314 [0078.710] CloseHandle (hObject=0x314) returned 1 [0078.710] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.710] lstrcmpW (lpString1=".", lpString2="lt-LT") returned -1 [0078.710] lstrcmpW (lpString1="..", lpString2="lt-LT") returned -1 [0078.710] lstrcmpiW (lpString1="windows", lpString2="lt-LT") returned 1 [0078.712] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.712] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.712] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="lt-LT" | out: lpString1="\\\\?\\C:\\Boot\\lt-LT") returned="\\\\?\\C:\\Boot\\lt-LT" [0078.712] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\lt-LT", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\lt-LT\\*.*") returned="\\\\?\\C:\\Boot\\lt-LT\\*.*" [0078.712] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3e00388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x314 [0078.713] CloseHandle (hObject=0x314) returned 1 [0078.713] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.713] lstrcmpW (lpString1=".", lpString2="lv-LV") returned -1 [0078.713] lstrcmpW (lpString1="..", lpString2="lv-LV") returned -1 [0078.713] lstrcmpiW (lpString1="windows", lpString2="lv-LV") returned 1 [0078.715] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.715] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.715] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="lv-LV" | out: lpString1="\\\\?\\C:\\Boot\\lv-LV") returned="\\\\?\\C:\\Boot\\lv-LV" [0078.715] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\lv-LV", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\lv-LV\\*.*") returned="\\\\?\\C:\\Boot\\lv-LV\\*.*" [0078.715] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3e183f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x314 [0078.716] CloseHandle (hObject=0x314) returned 1 [0078.716] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.716] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.716] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.716] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\How To Restore Files.hta" [0078.716] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\How To Restore Files.hta" (normalized: "c:\\boot\\how to restore files.hta")) returned 0x1 [0078.717] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe") returned -1 [0078.717] lstrlenW (lpString="memtest.exe") returned 11 [0078.717] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.717] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.717] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="memtest.exe" | out: lpString1="\\\\?\\C:\\Boot\\memtest.exe") returned="\\\\?\\C:\\Boot\\memtest.exe" [0078.717] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\memtest.exe" | out: lpString1="\\\\?\\C:\\Boot\\memtest.exe") returned="\\\\?\\C:\\Boot\\memtest.exe" [0078.717] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\memtest.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\memtest.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\memtest.exe id-Br3n0G72wUb8CejT.LyaS" [0078.717] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), lpNewFileName="\\\\?\\C:\\Boot\\memtest.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\memtest.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0078.718] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.718] lstrcmpW (lpString1=".", lpString2="nb-NO") returned -1 [0078.718] lstrcmpW (lpString1="..", lpString2="nb-NO") returned -1 [0078.718] lstrcmpiW (lpString1="windows", lpString2="nb-NO") returned 1 [0078.720] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.720] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.720] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="nb-NO" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO") returned="\\\\?\\C:\\Boot\\nb-NO" [0078.720] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nb-NO", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO\\*.*") returned="\\\\?\\C:\\Boot\\nb-NO\\*.*" [0078.720] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3e30458, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x314 [0078.721] CloseHandle (hObject=0x314) returned 1 [0078.721] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.721] lstrcmpW (lpString1=".", lpString2="nl-NL") returned -1 [0078.721] lstrcmpW (lpString1="..", lpString2="nl-NL") returned -1 [0078.721] lstrcmpiW (lpString1="windows", lpString2="nl-NL") returned 1 [0078.723] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.723] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.723] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="nl-NL" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL") returned="\\\\?\\C:\\Boot\\nl-NL" [0078.723] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nl-NL", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL\\*.*") returned="\\\\?\\C:\\Boot\\nl-NL\\*.*" [0078.723] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3e484c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x314 [0078.724] CloseHandle (hObject=0x314) returned 1 [0078.724] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.724] lstrcmpW (lpString1=".", lpString2="pl-PL") returned -1 [0078.724] lstrcmpW (lpString1="..", lpString2="pl-PL") returned -1 [0078.724] lstrcmpiW (lpString1="windows", lpString2="pl-PL") returned 1 [0078.726] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.726] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.726] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="pl-PL" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL") returned="\\\\?\\C:\\Boot\\pl-PL" [0078.726] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pl-PL", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL\\*.*") returned="\\\\?\\C:\\Boot\\pl-PL\\*.*" [0078.726] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3e60528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x314 [0078.727] CloseHandle (hObject=0x314) returned 1 [0078.727] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.727] lstrcmpW (lpString1=".", lpString2="pt-BR") returned -1 [0078.727] lstrcmpW (lpString1="..", lpString2="pt-BR") returned -1 [0078.727] lstrcmpiW (lpString1="windows", lpString2="pt-BR") returned 1 [0078.729] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.729] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.729] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="pt-BR" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR") returned="\\\\?\\C:\\Boot\\pt-BR" [0078.729] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-BR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR\\*.*") returned="\\\\?\\C:\\Boot\\pt-BR\\*.*" [0078.729] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3e78590, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x314 [0078.730] CloseHandle (hObject=0x314) returned 1 [0078.730] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.730] lstrcmpW (lpString1=".", lpString2="pt-PT") returned -1 [0078.730] lstrcmpW (lpString1="..", lpString2="pt-PT") returned -1 [0078.730] lstrcmpiW (lpString1="windows", lpString2="pt-PT") returned 1 [0078.731] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.731] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.731] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="pt-PT" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT") returned="\\\\?\\C:\\Boot\\pt-PT" [0078.732] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-PT", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT\\*.*") returned="\\\\?\\C:\\Boot\\pt-PT\\*.*" [0078.732] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3e905f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x314 [0078.732] CloseHandle (hObject=0x314) returned 1 [0078.732] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.732] lstrcmpW (lpString1=".", lpString2="qps-ploc") returned -1 [0078.732] lstrcmpW (lpString1="..", lpString2="qps-ploc") returned -1 [0078.732] lstrcmpiW (lpString1="windows", lpString2="qps-ploc") returned 1 [0078.734] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.734] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.734] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="qps-ploc" | out: lpString1="\\\\?\\C:\\Boot\\qps-ploc") returned="\\\\?\\C:\\Boot\\qps-ploc" [0078.734] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\qps-ploc", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\qps-ploc\\*.*") returned="\\\\?\\C:\\Boot\\qps-ploc\\*.*" [0078.734] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3ea8660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x314 [0078.735] CloseHandle (hObject=0x314) returned 1 [0078.736] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.736] lstrcmpW (lpString1=".", lpString2="Resources") returned -1 [0078.736] lstrcmpW (lpString1="..", lpString2="Resources") returned -1 [0078.736] lstrcmpiW (lpString1="windows", lpString2="Resources") returned 1 [0078.737] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.737] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.737] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="Resources" | out: lpString1="\\\\?\\C:\\Boot\\Resources") returned="\\\\?\\C:\\Boot\\Resources" [0078.737] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Resources", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Resources\\*.*") returned="\\\\?\\C:\\Boot\\Resources\\*.*" [0078.737] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3ec06c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x314 [0078.738] CloseHandle (hObject=0x314) returned 1 [0078.738] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.738] lstrcmpW (lpString1=".", lpString2="ro-RO") returned -1 [0078.738] lstrcmpW (lpString1="..", lpString2="ro-RO") returned -1 [0078.738] lstrcmpiW (lpString1="windows", lpString2="ro-RO") returned 1 [0078.740] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.740] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.740] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="ro-RO" | out: lpString1="\\\\?\\C:\\Boot\\ro-RO") returned="\\\\?\\C:\\Boot\\ro-RO" [0078.740] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ro-RO", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ro-RO\\*.*") returned="\\\\?\\C:\\Boot\\ro-RO\\*.*" [0078.740] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3ed8730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x314 [0078.741] CloseHandle (hObject=0x314) returned 1 [0078.741] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.741] lstrcmpW (lpString1=".", lpString2="ru-RU") returned -1 [0078.742] lstrcmpW (lpString1="..", lpString2="ru-RU") returned -1 [0078.742] lstrcmpiW (lpString1="windows", lpString2="ru-RU") returned 1 [0078.743] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.743] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.743] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="ru-RU" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU") returned="\\\\?\\C:\\Boot\\ru-RU" [0078.743] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ru-RU", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU\\*.*") returned="\\\\?\\C:\\Boot\\ru-RU\\*.*" [0078.743] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3ef0798, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x314 [0078.744] CloseHandle (hObject=0x314) returned 1 [0078.745] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.745] lstrcmpW (lpString1=".", lpString2="sk-SK") returned -1 [0078.745] lstrcmpW (lpString1="..", lpString2="sk-SK") returned -1 [0078.745] lstrcmpiW (lpString1="windows", lpString2="sk-SK") returned 1 [0078.749] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.749] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.749] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="sk-SK" | out: lpString1="\\\\?\\C:\\Boot\\sk-SK") returned="\\\\?\\C:\\Boot\\sk-SK" [0078.749] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sk-SK", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\sk-SK\\*.*") returned="\\\\?\\C:\\Boot\\sk-SK\\*.*" [0078.749] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3f08800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x314 [0078.750] CloseHandle (hObject=0x314) returned 1 [0078.750] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.750] lstrcmpW (lpString1=".", lpString2="sl-SI") returned -1 [0078.750] lstrcmpW (lpString1="..", lpString2="sl-SI") returned -1 [0078.750] lstrcmpiW (lpString1="windows", lpString2="sl-SI") returned 1 [0078.820] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.820] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.820] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="sl-SI" | out: lpString1="\\\\?\\C:\\Boot\\sl-SI") returned="\\\\?\\C:\\Boot\\sl-SI" [0078.820] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sl-SI", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\sl-SI\\*.*") returned="\\\\?\\C:\\Boot\\sl-SI\\*.*" [0078.820] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x636e58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x31c [0078.821] CloseHandle (hObject=0x31c) returned 1 [0078.821] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.821] lstrcmpW (lpString1=".", lpString2="sr-Latn-CS") returned -1 [0078.821] lstrcmpW (lpString1="..", lpString2="sr-Latn-CS") returned -1 [0078.821] lstrcmpiW (lpString1="windows", lpString2="sr-Latn-CS") returned 1 [0078.829] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.829] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.829] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="sr-Latn-CS" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS") returned="\\\\?\\C:\\Boot\\sr-Latn-CS" [0078.829] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS\\*.*") returned="\\\\?\\C:\\Boot\\sr-Latn-CS\\*.*" [0078.829] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5a50388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x31c [0078.830] CloseHandle (hObject=0x31c) returned 1 [0078.830] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.830] lstrcmpW (lpString1=".", lpString2="sr-Latn-RS") returned -1 [0078.830] lstrcmpW (lpString1="..", lpString2="sr-Latn-RS") returned -1 [0078.830] lstrcmpiW (lpString1="windows", lpString2="sr-Latn-RS") returned 1 [0078.832] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.832] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.832] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="sr-Latn-RS" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-RS") returned="\\\\?\\C:\\Boot\\sr-Latn-RS" [0078.832] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sr-Latn-RS", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-RS\\*.*") returned="\\\\?\\C:\\Boot\\sr-Latn-RS\\*.*" [0078.832] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5a683f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x31c [0078.833] CloseHandle (hObject=0x31c) returned 1 [0078.833] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.833] lstrcmpW (lpString1=".", lpString2="sv-SE") returned -1 [0078.833] lstrcmpW (lpString1="..", lpString2="sv-SE") returned -1 [0078.833] lstrcmpiW (lpString1="windows", lpString2="sv-SE") returned 1 [0078.840] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.840] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.840] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="sv-SE" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE") returned="\\\\?\\C:\\Boot\\sv-SE" [0078.840] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sv-SE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE\\*.*") returned="\\\\?\\C:\\Boot\\sv-SE\\*.*" [0078.840] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5a80458, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x31c [0078.841] CloseHandle (hObject=0x31c) returned 1 [0078.841] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.841] lstrcmpW (lpString1=".", lpString2="tr-TR") returned -1 [0078.841] lstrcmpW (lpString1="..", lpString2="tr-TR") returned -1 [0078.841] lstrcmpiW (lpString1="windows", lpString2="tr-TR") returned 1 [0078.843] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.843] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.843] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="tr-TR" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR") returned="\\\\?\\C:\\Boot\\tr-TR" [0078.843] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\tr-TR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR\\*.*") returned="\\\\?\\C:\\Boot\\tr-TR\\*.*" [0078.843] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5a984c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x31c [0078.846] CloseHandle (hObject=0x31c) returned 1 [0078.846] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.846] lstrcmpW (lpString1=".", lpString2="uk-UA") returned -1 [0078.846] lstrcmpW (lpString1="..", lpString2="uk-UA") returned -1 [0078.846] lstrcmpiW (lpString1="windows", lpString2="uk-UA") returned 1 [0078.848] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.849] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.849] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="uk-UA" | out: lpString1="\\\\?\\C:\\Boot\\uk-UA") returned="\\\\?\\C:\\Boot\\uk-UA" [0078.849] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\uk-UA", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\uk-UA\\*.*") returned="\\\\?\\C:\\Boot\\uk-UA\\*.*" [0078.849] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5ab0528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x31c [0078.850] CloseHandle (hObject=0x31c) returned 1 [0078.850] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.850] lstrcmpW (lpString1=".", lpString2="zh-CN") returned -1 [0078.850] lstrcmpW (lpString1="..", lpString2="zh-CN") returned -1 [0078.850] lstrcmpiW (lpString1="windows", lpString2="zh-CN") returned -1 [0078.852] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.852] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.852] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="zh-CN" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN") returned="\\\\?\\C:\\Boot\\zh-CN" [0078.852] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-CN", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN\\*.*") returned="\\\\?\\C:\\Boot\\zh-CN\\*.*" [0078.852] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5ac8590, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x31c [0078.853] CloseHandle (hObject=0x31c) returned 1 [0078.853] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.853] lstrcmpW (lpString1=".", lpString2="zh-HK") returned -1 [0078.854] lstrcmpW (lpString1="..", lpString2="zh-HK") returned -1 [0078.854] lstrcmpiW (lpString1="windows", lpString2="zh-HK") returned -1 [0078.856] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.856] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0078.856] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="zh-HK" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK") returned="\\\\?\\C:\\Boot\\zh-HK" [0078.856] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-HK", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK\\*.*") returned="\\\\?\\C:\\Boot\\zh-HK\\*.*" [0078.856] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5ae05f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x31c [0078.857] CloseHandle (hObject=0x31c) returned 1 [0078.857] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0078.857] lstrcmpW (lpString1=".", lpString2="zh-TW") returned -1 [0078.857] lstrcmpW (lpString1="..", lpString2="zh-TW") returned -1 [0078.857] lstrcmpiW (lpString1="windows", lpString2="zh-TW") returned -1 [0078.859] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0078.859] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0079.735] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="zh-TW" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW") returned="\\\\?\\C:\\Boot\\zh-TW" [0079.735] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-TW", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW\\*.*") returned="\\\\?\\C:\\Boot\\zh-TW\\*.*" [0079.735] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5af8660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x328 [0079.737] CloseHandle (hObject=0x328) returned 1 [0079.737] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 0 [0079.737] FindClose (in: hFindFile=0x5c86d0 | out: hFindFile=0x5c86d0) returned 1 Thread: id = 15 os_tid = 0xd5c [0078.321] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\*.*", lpFindFileData=0x2fbfd28 | out: lpFindFileData=0x2fbfd28) returned 0x5c8710 [0078.618] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.618] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x2fbfd28 | out: lpFindFileData=0x2fbfd28) returned 1 [0078.618] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0078.619] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.619] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x2fbfd28 | out: lpFindFileData=0x2fbfd28) returned 1 [0078.619] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\*.*" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\*.*") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\*.*" [0078.619] lstrlenW (lpString="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\*.*") returned 32 [0078.619] lstrcatW (in: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\How To Restore Files.hta") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\How To Restore Files.hta" [0078.619] GetFileAttributesW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\How To Restore Files.hta" (normalized: "c:\\$recycle.bin\\s-1-5-18\\how to restore files.hta")) returned 0xffffffff [0078.619] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\How To Restore Files.hta" (normalized: "c:\\$recycle.bin\\s-1-5-18\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0078.620] WriteFile (in: hFile=0x318, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x2fbfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2fbfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0078.621] CloseHandle (hObject=0x318) returned 1 [0078.622] SetFileAttributesW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0078.622] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="desktop.ini") returned 1 [0078.622] lstrlenW (lpString="desktop.ini") returned 11 [0078.622] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\*.*" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\*.*") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\*.*" [0078.622] lstrlenW (lpString="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\*.*") returned 32 [0078.622] lstrcatW (in: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" [0078.623] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" [0078.623] lstrcatW (in: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" [0078.623] MoveFileW (lpExistingFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini"), lpNewFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini id-br3n0g72wub8cejt.lyas")) returned 1 [0078.623] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0078.624] CreateFileMappingA (hFile=0x318, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x314 [0078.624] CryptAcquireContextA (in: phProv=0x2fbfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2fbfce4*=0x5d1140) returned 1 [0078.625] CryptGenKey (in: hProv=0x5d1140, Algid=0x6610, dwFlags=0x1, phKey=0x2fbfce0 | out: phKey=0x2fbfce0*=0x5c8c90) returned 1 [0078.625] CryptExportKey (in: hKey=0x5c8c90, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2fbfbdc, pdwDataLen=0x2fbfcdc | out: pbData=0x2fbfbdc*, pdwDataLen=0x2fbfcdc*=0x2c) returned 1 [0078.625] MapViewOfFile (hFileMappingObject=0x314, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x80) returned 0x46d0000 [0078.643] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2fbfbdc*, pdwDataLen=0x2fbfcf0*=0x40, dwBufLen=0x100 | out: pbData=0x2fbfbdc*, pdwDataLen=0x2fbfcf0*=0x100) returned 1 [0078.644] CryptEncrypt (in: hKey=0x5c8c90, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x46d0000*, pdwDataLen=0x2fbfcdc*=0x80, dwBufLen=0x80 | out: pbData=0x46d0000*, pdwDataLen=0x2fbfcdc*=0x80) returned 1 [0078.644] UnmapViewOfFile (lpBaseAddress=0x46d0000) returned 1 [0078.644] CloseHandle (hObject=0x314) returned 1 [0078.645] CryptDestroyKey (hKey=0x5c8c90) returned 1 [0078.645] CryptReleaseContext (hProv=0x5d1140, dwFlags=0x0) returned 1 [0078.645] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.645] WriteFile (in: hFile=0x318, lpBuffer=0x2fbfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2fbfcf0, lpOverlapped=0x0 | out: lpBuffer=0x2fbfbdc*, lpNumberOfBytesWritten=0x2fbfcf0*=0x100, lpOverlapped=0x0) returned 1 [0078.646] WriteFile (in: hFile=0x318, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x2fbfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x2fbfcf0*=0x500, lpOverlapped=0x0) returned 1 [0078.805] CloseHandle (hObject=0x318) returned 1 [0078.815] SetFileAttributesW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0078.816] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x2fbfd28 | out: lpFindFileData=0x2fbfd28) returned 0 [0078.816] FindClose (in: hFindFile=0x5c8710 | out: hFindFile=0x5c8710) returned 1 Thread: id = 16 os_tid = 0xd68 [0078.322] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\*.*", lpFindFileData=0x30ffd28 | out: lpFindFileData=0x30ffd28) returned 0x5c8bd0 [0078.323] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.323] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x30ffd28 | out: lpFindFileData=0x30ffd28) returned 1 [0078.323] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0078.323] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.323] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x30ffd28 | out: lpFindFileData=0x30ffd28) returned 1 [0078.324] lstrcpyW (in: lpString1=0x5f6d80, lpString2="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\*.*" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\*.*") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\*.*" [0078.324] lstrlenW (lpString="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\*.*") returned 69 [0078.324] lstrcatW (in: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\How To Restore Files.hta") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\How To Restore Files.hta" [0078.324] GetFileAttributesW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\How To Restore Files.hta" (normalized: "c:\\$recycle.bin\\s-1-5-21-1462094071-1423818996-289466292-1000\\how to restore files.hta")) returned 0xffffffff [0078.324] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\How To Restore Files.hta" (normalized: "c:\\$recycle.bin\\s-1-5-21-1462094071-1423818996-289466292-1000\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0078.543] WriteFile (in: hFile=0x328, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x30ffcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x30ffcf0*=0x38e, lpOverlapped=0x0) returned 1 [0078.544] CloseHandle (hObject=0x328) returned 1 [0078.544] SetFileAttributesW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0078.545] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="desktop.ini") returned 1 [0078.545] lstrlenW (lpString="desktop.ini") returned 11 [0078.545] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\*.*" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\*.*") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\*.*" [0078.545] lstrlenW (lpString="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\*.*") returned 69 [0078.545] lstrcatW (in: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini" [0078.545] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini" [0078.545] lstrcatW (in: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" [0078.545] MoveFileW (lpExistingFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini"), lpNewFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\$recycle.bin\\s-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini id-br3n0g72wub8cejt.lyas")) returned 1 [0078.546] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\$recycle.bin\\s-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0078.547] CreateFileMappingA (hFile=0x328, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x304 [0078.547] CryptAcquireContextA (in: phProv=0x30ffce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x30ffce4*=0x5d1a48) returned 1 [0078.556] CryptGenKey (in: hProv=0x5d1a48, Algid=0x6610, dwFlags=0x1, phKey=0x30ffce0 | out: phKey=0x30ffce0*=0x5c8c10) returned 1 [0078.556] CryptExportKey (in: hKey=0x5c8c10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x30ffbdc, pdwDataLen=0x30ffcdc | out: pbData=0x30ffbdc*, pdwDataLen=0x30ffcdc*=0x2c) returned 1 [0078.557] MapViewOfFile (hFileMappingObject=0x304, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x80) returned 0x22f0000 [0078.751] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30ffbdc*, pdwDataLen=0x30ffcf0*=0x40, dwBufLen=0x100 | out: pbData=0x30ffbdc*, pdwDataLen=0x30ffcf0*=0x100) returned 1 [0078.751] CryptEncrypt (in: hKey=0x5c8c10, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x22f0000*, pdwDataLen=0x30ffcdc*=0x80, dwBufLen=0x80 | out: pbData=0x22f0000*, pdwDataLen=0x30ffcdc*=0x80) returned 1 [0078.751] UnmapViewOfFile (lpBaseAddress=0x22f0000) returned 1 [0078.751] CloseHandle (hObject=0x304) returned 1 [0078.751] CryptDestroyKey (hKey=0x5c8c10) returned 1 [0078.751] CryptReleaseContext (hProv=0x5d1a48, dwFlags=0x0) returned 1 [0078.751] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.751] WriteFile (in: hFile=0x328, lpBuffer=0x30ffbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x30ffcf0, lpOverlapped=0x0 | out: lpBuffer=0x30ffbdc*, lpNumberOfBytesWritten=0x30ffcf0*=0x100, lpOverlapped=0x0) returned 1 [0078.752] WriteFile (in: hFile=0x328, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x30ffcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x30ffcf0*=0x500, lpOverlapped=0x0) returned 1 [0078.861] CloseHandle (hObject=0x328) returned 1 [0078.874] SetFileAttributesW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0078.874] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x30ffd28 | out: lpFindFileData=0x30ffd28) returned 0 [0078.875] FindClose (in: hFindFile=0x5c8bd0 | out: hFindFile=0x5c8bd0) returned 1 Thread: id = 17 os_tid = 0xd64 [0086.185] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\bg-BG\\*.*", lpFindFileData=0x31ffd28 | out: lpFindFileData=0x31ffd28) returned 0x5c87d0 [0086.232] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.232] FindNextFileW (in: hFindFile=0x5c87d0, lpFindFileData=0x31ffd28 | out: lpFindFileData=0x31ffd28) returned 1 [0086.232] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.232] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.232] FindNextFileW (in: hFindFile=0x5c87d0, lpFindFileData=0x31ffd28 | out: lpFindFileData=0x31ffd28) returned 1 [0086.233] lstrcpyW (in: lpString1=0x5b186d0, lpString2="\\\\?\\C:\\Boot\\bg-BG\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\bg-BG\\*.*") returned="\\\\?\\C:\\Boot\\bg-BG\\*.*" [0086.233] lstrlenW (lpString="\\\\?\\C:\\Boot\\bg-BG\\*.*") returned 21 [0086.233] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\bg-BG\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\bg-BG\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\bg-BG\\How To Restore Files.hta" [0086.233] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\bg-BG\\How To Restore Files.hta" (normalized: "c:\\boot\\bg-bg\\how to restore files.hta")) returned 0xffffffff [0086.234] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bg-BG\\How To Restore Files.hta" (normalized: "c:\\boot\\bg-bg\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0086.234] WriteFile (in: hFile=0x328, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x31ffcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x31ffcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.235] CloseHandle (hObject=0x328) returned 1 [0086.235] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\bg-BG\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.236] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.236] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.236] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\bg-BG\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\bg-BG\\*.*") returned="\\\\?\\C:\\Boot\\bg-BG\\*.*" [0086.236] lstrlenW (lpString="\\\\?\\C:\\Boot\\bg-BG\\*.*") returned 21 [0086.236] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\bg-BG\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui" [0086.236] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui" [0086.236] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.236] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.237] FindNextFileW (in: hFindFile=0x5c87d0, lpFindFileData=0x31ffd28 | out: lpFindFileData=0x31ffd28) returned 0 [0086.237] FindClose (in: hFindFile=0x5c87d0 | out: hFindFile=0x5c87d0) returned 1 Thread: id = 18 os_tid = 0xd60 [0086.185] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\*.*", lpFindFileData=0x333fd28 | out: lpFindFileData=0x333fd28) returned 0x5c8750 [0086.192] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.192] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x333fd28 | out: lpFindFileData=0x333fd28) returned 1 [0086.192] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.192] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.192] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x333fd28 | out: lpFindFileData=0x333fd28) returned 1 [0086.193] lstrcpyW (in: lpString1=0x5b106c8, lpString2="\\\\?\\C:\\Boot\\cs-CZ\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\*.*") returned="\\\\?\\C:\\Boot\\cs-CZ\\*.*" [0086.193] lstrlenW (lpString="\\\\?\\C:\\Boot\\cs-CZ\\*.*") returned 21 [0086.193] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\cs-CZ\\How To Restore Files.hta" [0086.193] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\How To Restore Files.hta" (normalized: "c:\\boot\\cs-cz\\how to restore files.hta")) returned 0xffffffff [0086.193] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\How To Restore Files.hta" (normalized: "c:\\boot\\cs-cz\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0086.256] WriteFile (in: hFile=0x32c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x333fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x333fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.257] CloseHandle (hObject=0x32c) returned 1 [0086.257] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.258] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.258] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.258] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\cs-CZ\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\*.*") returned="\\\\?\\C:\\Boot\\cs-CZ\\*.*" [0086.258] lstrlenW (lpString="\\\\?\\C:\\Boot\\cs-CZ\\*.*") returned 21 [0086.258] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui" [0086.258] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui" [0086.258] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.259] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.259] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x333fd28 | out: lpFindFileData=0x333fd28) returned 1 [0086.260] lstrcpyW (in: lpString1=0x2cf0458, lpString2="\\\\?\\C:\\Boot\\cs-CZ\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\*.*") returned="\\\\?\\C:\\Boot\\cs-CZ\\*.*" [0086.260] lstrlenW (lpString="\\\\?\\C:\\Boot\\cs-CZ\\*.*") returned 21 [0086.260] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\cs-CZ\\How To Restore Files.hta" [0086.260] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\How To Restore Files.hta" (normalized: "c:\\boot\\cs-cz\\how to restore files.hta")) returned 0x1 [0086.260] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.260] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.260] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\cs-CZ\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\*.*") returned="\\\\?\\C:\\Boot\\cs-CZ\\*.*" [0086.260] lstrlenW (lpString="\\\\?\\C:\\Boot\\cs-CZ\\*.*") returned 21 [0086.260] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui" [0086.260] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui" [0086.260] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.260] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.261] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x333fd28 | out: lpFindFileData=0x333fd28) returned 0 [0086.261] FindClose (in: hFindFile=0x5c8750 | out: hFindFile=0x5c8750) returned 1 Thread: id = 19 os_tid = 0xd58 [0086.186] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\da-DK\\*.*", lpFindFileData=0x347fd28 | out: lpFindFileData=0x347fd28) returned 0x5c86d0 [0086.189] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.189] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x347fd28 | out: lpFindFileData=0x347fd28) returned 1 [0086.189] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.189] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.189] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x347fd28 | out: lpFindFileData=0x347fd28) returned 1 [0086.189] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Boot\\da-DK\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\da-DK\\*.*") returned="\\\\?\\C:\\Boot\\da-DK\\*.*" [0086.189] lstrlenW (lpString="\\\\?\\C:\\Boot\\da-DK\\*.*") returned 21 [0086.189] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\da-DK\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\da-DK\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\da-DK\\How To Restore Files.hta" [0086.189] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\How To Restore Files.hta" (normalized: "c:\\boot\\da-dk\\how to restore files.hta")) returned 0xffffffff [0086.189] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\How To Restore Files.hta" (normalized: "c:\\boot\\da-dk\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0086.207] WriteFile (in: hFile=0x31c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x347fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x347fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.208] CloseHandle (hObject=0x31c) returned 1 [0086.209] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.238] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.238] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.238] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\da-DK\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\da-DK\\*.*") returned="\\\\?\\C:\\Boot\\da-DK\\*.*" [0086.238] lstrlenW (lpString="\\\\?\\C:\\Boot\\da-DK\\*.*") returned 21 [0086.238] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\da-DK\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui" [0086.238] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui" [0086.238] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.238] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.238] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x347fd28 | out: lpFindFileData=0x347fd28) returned 1 [0086.239] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Boot\\da-DK\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\da-DK\\*.*") returned="\\\\?\\C:\\Boot\\da-DK\\*.*" [0086.239] lstrlenW (lpString="\\\\?\\C:\\Boot\\da-DK\\*.*") returned 21 [0086.239] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\da-DK\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\da-DK\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\da-DK\\How To Restore Files.hta" [0086.239] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\How To Restore Files.hta" (normalized: "c:\\boot\\da-dk\\how to restore files.hta")) returned 0x1 [0086.239] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.239] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.239] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\da-DK\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\da-DK\\*.*") returned="\\\\?\\C:\\Boot\\da-DK\\*.*" [0086.239] lstrlenW (lpString="\\\\?\\C:\\Boot\\da-DK\\*.*") returned 21 [0086.239] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\da-DK\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui" [0086.239] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui" [0086.239] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.239] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.239] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x347fd28 | out: lpFindFileData=0x347fd28) returned 0 [0086.239] FindClose (in: hFindFile=0x5c86d0 | out: hFindFile=0x5c86d0) returned 1 Thread: id = 20 os_tid = 0xd98 [0086.186] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\de-DE\\*.*", lpFindFileData=0x35bfd28 | out: lpFindFileData=0x35bfd28) returned 0x5c8710 [0086.190] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.190] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x35bfd28 | out: lpFindFileData=0x35bfd28) returned 1 [0086.190] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.190] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.190] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x35bfd28 | out: lpFindFileData=0x35bfd28) returned 1 [0086.191] lstrcpyW (in: lpString1=0x2cf0458, lpString2="\\\\?\\C:\\Boot\\de-DE\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\de-DE\\*.*") returned="\\\\?\\C:\\Boot\\de-DE\\*.*" [0086.191] lstrlenW (lpString="\\\\?\\C:\\Boot\\de-DE\\*.*") returned 21 [0086.191] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\de-DE\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\de-DE\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\de-DE\\How To Restore Files.hta" [0086.191] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\How To Restore Files.hta" (normalized: "c:\\boot\\de-de\\how to restore files.hta")) returned 0xffffffff [0086.191] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\How To Restore Files.hta" (normalized: "c:\\boot\\de-de\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0086.241] WriteFile (in: hFile=0x32c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x35bfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x35bfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.242] CloseHandle (hObject=0x32c) returned 1 [0086.242] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.243] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.243] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.243] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\de-DE\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\de-DE\\*.*") returned="\\\\?\\C:\\Boot\\de-DE\\*.*" [0086.243] lstrlenW (lpString="\\\\?\\C:\\Boot\\de-DE\\*.*") returned 21 [0086.243] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\de-DE\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui" [0086.243] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui" [0086.243] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.243] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.244] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x35bfd28 | out: lpFindFileData=0x35bfd28) returned 1 [0086.244] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Boot\\de-DE\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\de-DE\\*.*") returned="\\\\?\\C:\\Boot\\de-DE\\*.*" [0086.244] lstrlenW (lpString="\\\\?\\C:\\Boot\\de-DE\\*.*") returned 21 [0086.244] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\de-DE\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\de-DE\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\de-DE\\How To Restore Files.hta" [0086.244] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\How To Restore Files.hta" (normalized: "c:\\boot\\de-de\\how to restore files.hta")) returned 0x1 [0086.244] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.244] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.244] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\de-DE\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\de-DE\\*.*") returned="\\\\?\\C:\\Boot\\de-DE\\*.*" [0086.244] lstrlenW (lpString="\\\\?\\C:\\Boot\\de-DE\\*.*") returned 21 [0086.244] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\de-DE\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui" [0086.244] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui" [0086.244] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.244] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\de-de\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.244] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x35bfd28 | out: lpFindFileData=0x35bfd28) returned 0 [0086.245] FindClose (in: hFindFile=0x5c8710 | out: hFindFile=0x5c8710) returned 1 Thread: id = 21 os_tid = 0xc24 [0086.187] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\el-GR\\*.*", lpFindFileData=0x36ffd28 | out: lpFindFileData=0x36ffd28) returned 0x5c8c50 [0086.194] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.194] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x36ffd28 | out: lpFindFileData=0x36ffd28) returned 1 [0086.194] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.194] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.194] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x36ffd28 | out: lpFindFileData=0x36ffd28) returned 1 [0086.195] lstrcpyW (in: lpString1=0x5b186d0, lpString2="\\\\?\\C:\\Boot\\el-GR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\el-GR\\*.*") returned="\\\\?\\C:\\Boot\\el-GR\\*.*" [0086.195] lstrlenW (lpString="\\\\?\\C:\\Boot\\el-GR\\*.*") returned 21 [0086.195] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\el-GR\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\el-GR\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\el-GR\\How To Restore Files.hta" [0086.195] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\How To Restore Files.hta" (normalized: "c:\\boot\\el-gr\\how to restore files.hta")) returned 0xffffffff [0086.195] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\How To Restore Files.hta" (normalized: "c:\\boot\\el-gr\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0086.203] WriteFile (in: hFile=0x31c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x36ffcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x36ffcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.204] CloseHandle (hObject=0x31c) returned 1 [0086.204] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.209] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.209] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.209] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\el-GR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\el-GR\\*.*") returned="\\\\?\\C:\\Boot\\el-GR\\*.*" [0086.210] lstrlenW (lpString="\\\\?\\C:\\Boot\\el-GR\\*.*") returned 21 [0086.210] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\el-GR\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui" [0086.210] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui" [0086.210] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.210] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.210] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x36ffd28 | out: lpFindFileData=0x36ffd28) returned 1 [0086.210] lstrcpyW (in: lpString1=0x5b186d0, lpString2="\\\\?\\C:\\Boot\\el-GR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\el-GR\\*.*") returned="\\\\?\\C:\\Boot\\el-GR\\*.*" [0086.210] lstrlenW (lpString="\\\\?\\C:\\Boot\\el-GR\\*.*") returned 21 [0086.210] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\el-GR\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\el-GR\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\el-GR\\How To Restore Files.hta" [0086.210] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\How To Restore Files.hta" (normalized: "c:\\boot\\el-gr\\how to restore files.hta")) returned 0x1 [0086.210] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.210] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.210] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\el-GR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\el-GR\\*.*") returned="\\\\?\\C:\\Boot\\el-GR\\*.*" [0086.211] lstrlenW (lpString="\\\\?\\C:\\Boot\\el-GR\\*.*") returned 21 [0086.211] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\el-GR\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui" [0086.211] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui" [0086.211] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.211] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.211] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x36ffd28 | out: lpFindFileData=0x36ffd28) returned 0 [0086.211] FindClose (in: hFindFile=0x5c8c50 | out: hFindFile=0x5c8c50) returned 1 Thread: id = 22 os_tid = 0x6b4 [0086.192] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\en-GB\\*.*", lpFindFileData=0x383fd28 | out: lpFindFileData=0x383fd28) returned 0x5c8c10 [0086.213] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.220] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x383fd28 | out: lpFindFileData=0x383fd28) returned 1 [0086.220] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.220] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.220] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x383fd28 | out: lpFindFileData=0x383fd28) returned 1 [0086.220] lstrcpyW (in: lpString1=0x5b186d0, lpString2="\\\\?\\C:\\Boot\\en-GB\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\en-GB\\*.*") returned="\\\\?\\C:\\Boot\\en-GB\\*.*" [0086.220] lstrlenW (lpString="\\\\?\\C:\\Boot\\en-GB\\*.*") returned 21 [0086.220] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\en-GB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\en-GB\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\en-GB\\How To Restore Files.hta" [0086.220] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\en-GB\\How To Restore Files.hta" (normalized: "c:\\boot\\en-gb\\how to restore files.hta")) returned 0xffffffff [0086.220] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-GB\\How To Restore Files.hta" (normalized: "c:\\boot\\en-gb\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0086.221] WriteFile (in: hFile=0x328, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x383fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x383fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.222] CloseHandle (hObject=0x328) returned 1 [0086.223] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\en-GB\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.223] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.223] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.223] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\en-GB\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\en-GB\\*.*") returned="\\\\?\\C:\\Boot\\en-GB\\*.*" [0086.223] lstrlenW (lpString="\\\\?\\C:\\Boot\\en-GB\\*.*") returned 21 [0086.223] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\en-GB\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui" [0086.224] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui" [0086.224] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.224] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.224] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x383fd28 | out: lpFindFileData=0x383fd28) returned 0 [0086.224] FindClose (in: hFindFile=0x5c8c10 | out: hFindFile=0x5c8c10) returned 1 Thread: id = 23 os_tid = 0xd20 [0086.206] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\en-US\\*.*", lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 0x5c8bd0 [0086.212] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.212] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0086.212] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.212] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.212] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0086.213] lstrcpyW (in: lpString1=0x5b186d0, lpString2="\\\\?\\C:\\Boot\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\*.*") returned="\\\\?\\C:\\Boot\\en-US\\*.*" [0086.213] lstrlenW (lpString="\\\\?\\C:\\Boot\\en-US\\*.*") returned 21 [0086.213] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\en-US\\How To Restore Files.hta" [0086.213] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\en-US\\How To Restore Files.hta" (normalized: "c:\\boot\\en-us\\how to restore files.hta")) returned 0xffffffff [0086.213] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\How To Restore Files.hta" (normalized: "c:\\boot\\en-us\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0086.215] WriteFile (in: hFile=0x318, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x397fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x397fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.216] CloseHandle (hObject=0x318) returned 1 [0086.216] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\en-US\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.217] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.217] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.217] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\*.*") returned="\\\\?\\C:\\Boot\\en-US\\*.*" [0086.217] lstrlenW (lpString="\\\\?\\C:\\Boot\\en-US\\*.*") returned 21 [0086.217] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\en-US\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui" [0086.217] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui" [0086.217] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.217] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.218] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0086.218] lstrcpyW (in: lpString1=0x5b186d0, lpString2="\\\\?\\C:\\Boot\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\*.*") returned="\\\\?\\C:\\Boot\\en-US\\*.*" [0086.218] lstrlenW (lpString="\\\\?\\C:\\Boot\\en-US\\*.*") returned 21 [0086.218] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\en-US\\How To Restore Files.hta" [0086.218] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\en-US\\How To Restore Files.hta" (normalized: "c:\\boot\\en-us\\how to restore files.hta")) returned 0x1 [0086.218] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.218] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.218] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\*.*") returned="\\\\?\\C:\\Boot\\en-US\\*.*" [0086.218] lstrlenW (lpString="\\\\?\\C:\\Boot\\en-US\\*.*") returned 21 [0086.218] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\en-US\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui" [0086.218] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui" [0086.218] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.218] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\en-us\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.219] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 0 [0086.219] FindClose (in: hFindFile=0x5c8bd0 | out: hFindFile=0x5c8bd0) returned 1 Thread: id = 24 os_tid = 0x5b8 [0086.252] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\es-ES\\*.*", lpFindFileData=0x3abfd28 | out: lpFindFileData=0x3abfd28) returned 0x5c8bd0 [0086.253] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.253] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x3abfd28 | out: lpFindFileData=0x3abfd28) returned 1 [0086.253] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.253] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.253] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x3abfd28 | out: lpFindFileData=0x3abfd28) returned 1 [0086.254] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Boot\\es-ES\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\es-ES\\*.*") returned="\\\\?\\C:\\Boot\\es-ES\\*.*" [0086.254] lstrlenW (lpString="\\\\?\\C:\\Boot\\es-ES\\*.*") returned 21 [0086.254] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\es-ES\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\es-ES\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\es-ES\\How To Restore Files.hta" [0086.254] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\How To Restore Files.hta" (normalized: "c:\\boot\\es-es\\how to restore files.hta")) returned 0xffffffff [0086.254] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\How To Restore Files.hta" (normalized: "c:\\boot\\es-es\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0086.285] WriteFile (in: hFile=0x308, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x3abfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x3abfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.286] CloseHandle (hObject=0x308) returned 1 [0086.290] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.295] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.296] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.296] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\es-ES\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\es-ES\\*.*") returned="\\\\?\\C:\\Boot\\es-ES\\*.*" [0086.296] lstrlenW (lpString="\\\\?\\C:\\Boot\\es-ES\\*.*") returned 21 [0086.296] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\es-ES\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui" [0086.296] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui" [0086.296] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.296] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.296] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x3abfd28 | out: lpFindFileData=0x3abfd28) returned 1 [0086.297] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Boot\\es-ES\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\es-ES\\*.*") returned="\\\\?\\C:\\Boot\\es-ES\\*.*" [0086.297] lstrlenW (lpString="\\\\?\\C:\\Boot\\es-ES\\*.*") returned 21 [0086.297] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\es-ES\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\es-ES\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\es-ES\\How To Restore Files.hta" [0086.297] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\How To Restore Files.hta" (normalized: "c:\\boot\\es-es\\how to restore files.hta")) returned 0x1 [0086.297] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.297] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.297] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\es-ES\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\es-ES\\*.*") returned="\\\\?\\C:\\Boot\\es-ES\\*.*" [0086.297] lstrlenW (lpString="\\\\?\\C:\\Boot\\es-ES\\*.*") returned 21 [0086.297] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\es-ES\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui" [0086.297] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui" [0086.297] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.297] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\es-es\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.297] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x3abfd28 | out: lpFindFileData=0x3abfd28) returned 0 [0086.297] FindClose (in: hFindFile=0x5c8bd0 | out: hFindFile=0x5c8bd0) returned 1 Thread: id = 25 os_tid = 0xdc0 [0086.267] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\es-MX\\*.*", lpFindFileData=0x3bffd28 | out: lpFindFileData=0x3bffd28) returned 0x5c8c10 [0086.268] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.268] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x3bffd28 | out: lpFindFileData=0x3bffd28) returned 1 [0086.268] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.268] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.268] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x3bffd28 | out: lpFindFileData=0x3bffd28) returned 1 [0086.268] lstrcpyW (in: lpString1=0x2cf0458, lpString2="\\\\?\\C:\\Boot\\es-MX\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\es-MX\\*.*") returned="\\\\?\\C:\\Boot\\es-MX\\*.*" [0086.268] lstrlenW (lpString="\\\\?\\C:\\Boot\\es-MX\\*.*") returned 21 [0086.268] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\es-MX\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\es-MX\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\es-MX\\How To Restore Files.hta" [0086.268] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\es-MX\\How To Restore Files.hta" (normalized: "c:\\boot\\es-mx\\how to restore files.hta")) returned 0xffffffff [0086.269] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-MX\\How To Restore Files.hta" (normalized: "c:\\boot\\es-mx\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0086.269] WriteFile (in: hFile=0x32c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x3bffcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x3bffcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.270] CloseHandle (hObject=0x32c) returned 1 [0086.271] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\es-MX\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.271] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.271] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.271] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\es-MX\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\es-MX\\*.*") returned="\\\\?\\C:\\Boot\\es-MX\\*.*" [0086.271] lstrlenW (lpString="\\\\?\\C:\\Boot\\es-MX\\*.*") returned 21 [0086.271] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\es-MX\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui" [0086.272] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui" [0086.272] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.272] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.272] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x3bffd28 | out: lpFindFileData=0x3bffd28) returned 0 [0086.272] FindClose (in: hFindFile=0x5c8c10 | out: hFindFile=0x5c8c10) returned 1 Thread: id = 26 os_tid = 0xd34 [0086.273] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\et-EE\\*.*", lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 0x5c8c10 [0086.274] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.274] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 1 [0086.274] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.274] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.274] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 1 [0086.274] lstrcpyW (in: lpString1=0x2cf0458, lpString2="\\\\?\\C:\\Boot\\et-EE\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\et-EE\\*.*") returned="\\\\?\\C:\\Boot\\et-EE\\*.*" [0086.274] lstrlenW (lpString="\\\\?\\C:\\Boot\\et-EE\\*.*") returned 21 [0086.274] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\et-EE\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\et-EE\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\et-EE\\How To Restore Files.hta" [0086.274] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\et-EE\\How To Restore Files.hta" (normalized: "c:\\boot\\et-ee\\how to restore files.hta")) returned 0xffffffff [0086.274] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\et-EE\\How To Restore Files.hta" (normalized: "c:\\boot\\et-ee\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0086.275] WriteFile (in: hFile=0x32c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x3d3fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x3d3fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.276] CloseHandle (hObject=0x32c) returned 1 [0086.276] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\et-EE\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.277] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.277] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.277] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\et-EE\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\et-EE\\*.*") returned="\\\\?\\C:\\Boot\\et-EE\\*.*" [0086.277] lstrlenW (lpString="\\\\?\\C:\\Boot\\et-EE\\*.*") returned 21 [0086.277] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\et-EE\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui" [0086.277] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui" [0086.277] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.277] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.277] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 0 [0086.277] FindClose (in: hFindFile=0x5c8c10 | out: hFindFile=0x5c8c10) returned 1 Thread: id = 27 os_tid = 0xd30 [0086.281] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fi-FI\\*.*", lpFindFileData=0x407fd28 | out: lpFindFileData=0x407fd28) returned 0x5c8a50 [0086.331] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.331] FindNextFileW (in: hFindFile=0x5c8a50, lpFindFileData=0x407fd28 | out: lpFindFileData=0x407fd28) returned 1 [0086.331] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.331] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.331] FindNextFileW (in: hFindFile=0x5c8a50, lpFindFileData=0x407fd28 | out: lpFindFileData=0x407fd28) returned 1 [0086.332] lstrcpyW (in: lpString1=0x3f28870, lpString2="\\\\?\\C:\\Boot\\fi-FI\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI\\*.*") returned="\\\\?\\C:\\Boot\\fi-FI\\*.*" [0086.332] lstrlenW (lpString="\\\\?\\C:\\Boot\\fi-FI\\*.*") returned 21 [0086.332] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fi-FI\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\fi-FI\\How To Restore Files.hta" [0086.332] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\How To Restore Files.hta" (normalized: "c:\\boot\\fi-fi\\how to restore files.hta")) returned 0xffffffff [0086.332] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\How To Restore Files.hta" (normalized: "c:\\boot\\fi-fi\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0086.394] WriteFile (in: hFile=0x31c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x407fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x407fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.395] CloseHandle (hObject=0x31c) returned 1 [0086.395] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.397] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.397] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.397] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\fi-FI\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI\\*.*") returned="\\\\?\\C:\\Boot\\fi-FI\\*.*" [0086.397] lstrlenW (lpString="\\\\?\\C:\\Boot\\fi-FI\\*.*") returned 21 [0086.397] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fi-FI\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui" [0086.397] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui" [0086.397] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.397] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.397] FindNextFileW (in: hFindFile=0x5c8a50, lpFindFileData=0x407fd28 | out: lpFindFileData=0x407fd28) returned 1 [0086.398] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Boot\\fi-FI\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI\\*.*") returned="\\\\?\\C:\\Boot\\fi-FI\\*.*" [0086.398] lstrlenW (lpString="\\\\?\\C:\\Boot\\fi-FI\\*.*") returned 21 [0086.398] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fi-FI\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\fi-FI\\How To Restore Files.hta" [0086.398] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\How To Restore Files.hta" (normalized: "c:\\boot\\fi-fi\\how to restore files.hta")) returned 0x1 [0086.398] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.398] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.398] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\fi-FI\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI\\*.*") returned="\\\\?\\C:\\Boot\\fi-FI\\*.*" [0086.398] lstrlenW (lpString="\\\\?\\C:\\Boot\\fi-FI\\*.*") returned 21 [0086.398] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fi-FI\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui" [0086.398] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui" [0086.398] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.398] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.399] FindNextFileW (in: hFindFile=0x5c8a50, lpFindFileData=0x407fd28 | out: lpFindFileData=0x407fd28) returned 0 [0086.399] FindClose (in: hFindFile=0x5c8a50 | out: hFindFile=0x5c8a50) returned 1 Thread: id = 28 os_tid = 0xdb8 [0086.282] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\Fonts\\*.*", lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 0x5c8810 [0086.586] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.586] FindNextFileW (in: hFindFile=0x5c8810, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0086.586] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.586] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.586] FindNextFileW (in: hFindFile=0x5c8810, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0086.587] lstrcpyW (in: lpString1=0x3ed06d8, lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.587] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.587] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" [0086.587] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" (normalized: "c:\\boot\\fonts\\how to restore files.hta")) returned 0xffffffff [0086.587] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" (normalized: "c:\\boot\\fonts\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0086.858] WriteFile (in: hFile=0x358, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x41bfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x41bfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.927] CloseHandle (hObject=0x358) returned 1 [0086.927] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.927] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="chs_boot.ttf") returned 1 [0086.928] lstrlenW (lpString="chs_boot.ttf") returned 12 [0086.928] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.928] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.928] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="chs_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf" [0086.928] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf" [0086.928] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf id-Br3n0G72wUb8CejT.LyaS" [0086.928] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\fonts\\chs_boot.ttf id-br3n0g72wub8cejt.lyas")) returned 0 [0086.943] FindNextFileW (in: hFindFile=0x5c8810, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0086.944] lstrcpyW (in: lpString1=0x5a202b8, lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.944] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.944] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" [0086.944] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" (normalized: "c:\\boot\\fonts\\how to restore files.hta")) returned 0x1 [0086.944] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="cht_boot.ttf") returned 1 [0086.944] lstrlenW (lpString="cht_boot.ttf") returned 12 [0086.944] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.944] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.944] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="cht_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf" [0086.944] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf" [0086.944] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf id-Br3n0G72wUb8CejT.LyaS" [0086.944] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\fonts\\cht_boot.ttf id-br3n0g72wub8cejt.lyas")) returned 0 [0086.945] FindNextFileW (in: hFindFile=0x5c8810, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0086.945] lstrcpyW (in: lpString1=0x5a202b8, lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.945] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.945] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" [0086.945] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" (normalized: "c:\\boot\\fonts\\how to restore files.hta")) returned 0x1 [0086.945] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="jpn_boot.ttf") returned -1 [0086.945] lstrlenW (lpString="jpn_boot.ttf") returned 12 [0086.945] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.945] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.945] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="jpn_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf" [0086.945] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf" [0086.945] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf id-Br3n0G72wUb8CejT.LyaS" [0086.945] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf id-br3n0g72wub8cejt.lyas")) returned 0 [0086.946] FindNextFileW (in: hFindFile=0x5c8810, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0086.946] lstrcpyW (in: lpString1=0x5a202b8, lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.946] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.946] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" [0086.946] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" (normalized: "c:\\boot\\fonts\\how to restore files.hta")) returned 0x1 [0086.946] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="kor_boot.ttf") returned -1 [0086.946] lstrlenW (lpString="kor_boot.ttf") returned 12 [0086.946] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.946] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.946] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="kor_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf" [0086.946] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf" [0086.947] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf id-Br3n0G72wUb8CejT.LyaS" [0086.947] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\fonts\\kor_boot.ttf id-br3n0g72wub8cejt.lyas")) returned 0 [0086.947] FindNextFileW (in: hFindFile=0x5c8810, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0086.947] lstrcpyW (in: lpString1=0x5a202b8, lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.947] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.947] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" [0086.947] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" (normalized: "c:\\boot\\fonts\\how to restore files.hta")) returned 0x1 [0086.947] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="malgunn_boot.ttf") returned -1 [0086.947] lstrlenW (lpString="malgunn_boot.ttf") returned 16 [0086.947] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.947] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.947] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="malgunn_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf" [0086.947] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf" [0086.947] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf id-Br3n0G72wUb8CejT.LyaS" [0086.947] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf id-br3n0g72wub8cejt.lyas")) returned 0 [0086.949] FindNextFileW (in: hFindFile=0x5c8810, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0086.949] lstrcpyW (in: lpString1=0x5a202b8, lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.949] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.949] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" [0086.949] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" (normalized: "c:\\boot\\fonts\\how to restore files.hta")) returned 0x1 [0086.949] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="malgun_boot.ttf") returned -1 [0086.949] lstrlenW (lpString="malgun_boot.ttf") returned 15 [0086.949] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.949] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.949] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="malgun_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf" [0086.949] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf" [0086.949] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf id-Br3n0G72wUb8CejT.LyaS" [0086.949] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf id-br3n0g72wub8cejt.lyas")) returned 0 [0086.950] FindNextFileW (in: hFindFile=0x5c8810, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0086.951] lstrcpyW (in: lpString1=0x5a202b8, lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.951] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.951] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" [0086.951] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" (normalized: "c:\\boot\\fonts\\how to restore files.hta")) returned 0x1 [0086.951] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="meiryon_boot.ttf") returned -1 [0086.951] lstrlenW (lpString="meiryon_boot.ttf") returned 16 [0086.951] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.951] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.951] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="meiryon_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf" [0086.951] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf" [0086.951] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf id-Br3n0G72wUb8CejT.LyaS" [0086.951] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf id-br3n0g72wub8cejt.lyas")) returned 0 [0086.952] FindNextFileW (in: hFindFile=0x5c8810, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0086.952] lstrcpyW (in: lpString1=0x5a202b8, lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.952] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.952] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" [0086.952] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" (normalized: "c:\\boot\\fonts\\how to restore files.hta")) returned 0x1 [0086.952] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="meiryo_boot.ttf") returned -1 [0086.952] lstrlenW (lpString="meiryo_boot.ttf") returned 15 [0086.952] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.952] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.952] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="meiryo_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf" [0086.952] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf" [0086.952] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf id-Br3n0G72wUb8CejT.LyaS" [0086.952] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf id-br3n0g72wub8cejt.lyas")) returned 0 [0086.953] FindNextFileW (in: hFindFile=0x5c8810, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0086.953] lstrcpyW (in: lpString1=0x5a202b8, lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.953] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.953] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" [0086.953] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" (normalized: "c:\\boot\\fonts\\how to restore files.hta")) returned 0x1 [0086.953] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msjhn_boot.ttf") returned -1 [0086.953] lstrlenW (lpString="msjhn_boot.ttf") returned 14 [0086.953] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.953] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.953] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="msjhn_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf" [0086.953] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf" [0086.953] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf id-Br3n0G72wUb8CejT.LyaS" [0086.953] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf id-br3n0g72wub8cejt.lyas")) returned 0 [0086.954] FindNextFileW (in: hFindFile=0x5c8810, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0086.954] lstrcpyW (in: lpString1=0x5a202b8, lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.954] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.954] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" [0086.954] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" (normalized: "c:\\boot\\fonts\\how to restore files.hta")) returned 0x1 [0086.954] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msjh_boot.ttf") returned -1 [0086.954] lstrlenW (lpString="msjh_boot.ttf") returned 13 [0086.954] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.954] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.954] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="msjh_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf" [0086.954] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf" [0086.954] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf id-Br3n0G72wUb8CejT.LyaS" [0086.954] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf id-br3n0g72wub8cejt.lyas")) returned 0 [0086.954] FindNextFileW (in: hFindFile=0x5c8810, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0086.954] lstrcpyW (in: lpString1=0x5a202b8, lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.954] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.954] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" [0086.954] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" (normalized: "c:\\boot\\fonts\\how to restore files.hta")) returned 0x1 [0086.954] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msyhn_boot.ttf") returned -1 [0086.954] lstrlenW (lpString="msyhn_boot.ttf") returned 14 [0086.954] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.954] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.955] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="msyhn_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf" [0086.955] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf" [0086.955] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf id-Br3n0G72wUb8CejT.LyaS" [0086.955] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf id-br3n0g72wub8cejt.lyas")) returned 0 [0086.955] FindNextFileW (in: hFindFile=0x5c8810, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0086.955] lstrcpyW (in: lpString1=0x5a202b8, lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.955] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.955] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" [0086.955] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" (normalized: "c:\\boot\\fonts\\how to restore files.hta")) returned 0x1 [0086.955] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msyh_boot.ttf") returned -1 [0086.955] lstrlenW (lpString="msyh_boot.ttf") returned 13 [0086.955] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.955] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.955] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="msyh_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf" [0086.955] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf" [0086.955] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf id-Br3n0G72wUb8CejT.LyaS" [0086.955] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf id-br3n0g72wub8cejt.lyas")) returned 0 [0086.956] FindNextFileW (in: hFindFile=0x5c8810, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0086.956] lstrcpyW (in: lpString1=0x5a202b8, lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.956] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.956] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" [0086.956] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" (normalized: "c:\\boot\\fonts\\how to restore files.hta")) returned 0x1 [0086.956] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="segmono_boot.ttf") returned -1 [0086.956] lstrlenW (lpString="segmono_boot.ttf") returned 16 [0086.956] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.956] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.956] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="segmono_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf" [0086.956] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf" [0086.956] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf id-Br3n0G72wUb8CejT.LyaS" [0086.956] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf id-br3n0g72wub8cejt.lyas")) returned 0 [0086.957] FindNextFileW (in: hFindFile=0x5c8810, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0086.957] lstrcpyW (in: lpString1=0x5a202b8, lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.957] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.957] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" [0086.957] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" (normalized: "c:\\boot\\fonts\\how to restore files.hta")) returned 0x1 [0086.957] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="segoen_slboot.ttf") returned -1 [0086.957] lstrlenW (lpString="segoen_slboot.ttf") returned 17 [0086.957] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.957] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.957] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="segoen_slboot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf" [0086.957] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf" [0086.957] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf id-Br3n0G72wUb8CejT.LyaS" [0086.957] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf id-br3n0g72wub8cejt.lyas")) returned 0 [0086.957] FindNextFileW (in: hFindFile=0x5c8810, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0086.957] lstrcpyW (in: lpString1=0x5a202b8, lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.957] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.957] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" [0086.957] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" (normalized: "c:\\boot\\fonts\\how to restore files.hta")) returned 0x1 [0086.958] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="segoe_slboot.ttf") returned -1 [0086.958] lstrlenW (lpString="segoe_slboot.ttf") returned 16 [0086.958] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.958] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.958] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="segoe_slboot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf" [0086.958] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf" [0086.958] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf id-Br3n0G72wUb8CejT.LyaS" [0086.958] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf id-br3n0g72wub8cejt.lyas")) returned 0 [0086.958] FindNextFileW (in: hFindFile=0x5c8810, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0086.958] lstrcpyW (in: lpString1=0x5a202b8, lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.958] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.958] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" [0086.958] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\How To Restore Files.hta" (normalized: "c:\\boot\\fonts\\how to restore files.hta")) returned 0x1 [0086.958] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wgl4_boot.ttf") returned -1 [0086.958] lstrlenW (lpString="wgl4_boot.ttf") returned 13 [0086.958] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0086.958] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0086.958] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="wgl4_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf" [0086.958] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf" [0086.958] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf id-Br3n0G72wUb8CejT.LyaS" [0086.958] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf id-br3n0g72wub8cejt.lyas")) returned 0 [0086.959] FindNextFileW (in: hFindFile=0x5c8810, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 0 [0086.959] FindClose (in: hFindFile=0x5c8810 | out: hFindFile=0x5c8810) returned 1 Thread: id = 29 os_tid = 0xd44 [0086.282] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fr-CA\\*.*", lpFindFileData=0x42ffd28 | out: lpFindFileData=0x42ffd28) returned 0x5c8a90 [0086.333] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.333] FindNextFileW (in: hFindFile=0x5c8a90, lpFindFileData=0x42ffd28 | out: lpFindFileData=0x42ffd28) returned 1 [0086.333] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.333] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.333] FindNextFileW (in: hFindFile=0x5c8a90, lpFindFileData=0x42ffd28 | out: lpFindFileData=0x42ffd28) returned 1 [0086.334] lstrcpyW (in: lpString1=0x3e183f0, lpString2="\\\\?\\C:\\Boot\\fr-CA\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\fr-CA\\*.*") returned="\\\\?\\C:\\Boot\\fr-CA\\*.*" [0086.334] lstrlenW (lpString="\\\\?\\C:\\Boot\\fr-CA\\*.*") returned 21 [0086.334] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fr-CA\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\fr-CA\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\fr-CA\\How To Restore Files.hta" [0086.334] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fr-CA\\How To Restore Files.hta" (normalized: "c:\\boot\\fr-ca\\how to restore files.hta")) returned 0xffffffff [0086.334] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-CA\\How To Restore Files.hta" (normalized: "c:\\boot\\fr-ca\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0086.335] WriteFile (in: hFile=0x300, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x42ffcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x42ffcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.336] CloseHandle (hObject=0x300) returned 1 [0086.337] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fr-CA\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.337] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.337] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.337] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\fr-CA\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\fr-CA\\*.*") returned="\\\\?\\C:\\Boot\\fr-CA\\*.*" [0086.337] lstrlenW (lpString="\\\\?\\C:\\Boot\\fr-CA\\*.*") returned 21 [0086.337] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fr-CA\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui" [0086.337] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui" [0086.337] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.338] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.338] FindNextFileW (in: hFindFile=0x5c8a90, lpFindFileData=0x42ffd28 | out: lpFindFileData=0x42ffd28) returned 0 [0086.338] FindClose (in: hFindFile=0x5c8a90 | out: hFindFile=0x5c8a90) returned 1 Thread: id = 30 os_tid = 0xd18 [0086.283] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fr-FR\\*.*", lpFindFileData=0x443fd28 | out: lpFindFileData=0x443fd28) returned 0x5c89d0 [0086.321] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.321] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x443fd28 | out: lpFindFileData=0x443fd28) returned 1 [0086.321] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.321] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.321] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x443fd28 | out: lpFindFileData=0x443fd28) returned 1 [0086.321] lstrcpyW (in: lpString1=0x3f20868, lpString2="\\\\?\\C:\\Boot\\fr-FR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR\\*.*") returned="\\\\?\\C:\\Boot\\fr-FR\\*.*" [0086.321] lstrlenW (lpString="\\\\?\\C:\\Boot\\fr-FR\\*.*") returned 21 [0086.321] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fr-FR\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\fr-FR\\How To Restore Files.hta" [0086.321] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\How To Restore Files.hta" (normalized: "c:\\boot\\fr-fr\\how to restore files.hta")) returned 0xffffffff [0086.322] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\How To Restore Files.hta" (normalized: "c:\\boot\\fr-fr\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0086.384] WriteFile (in: hFile=0x32c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x443fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x443fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.385] CloseHandle (hObject=0x32c) returned 1 [0086.385] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.386] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.386] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.386] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\fr-FR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR\\*.*") returned="\\\\?\\C:\\Boot\\fr-FR\\*.*" [0086.386] lstrlenW (lpString="\\\\?\\C:\\Boot\\fr-FR\\*.*") returned 21 [0086.386] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fr-FR\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui" [0086.386] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui" [0086.386] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.386] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.386] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x443fd28 | out: lpFindFileData=0x443fd28) returned 1 [0086.386] lstrcpyW (in: lpString1=0x3f20868, lpString2="\\\\?\\C:\\Boot\\fr-FR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR\\*.*") returned="\\\\?\\C:\\Boot\\fr-FR\\*.*" [0086.386] lstrlenW (lpString="\\\\?\\C:\\Boot\\fr-FR\\*.*") returned 21 [0086.386] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fr-FR\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\fr-FR\\How To Restore Files.hta" [0086.387] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\How To Restore Files.hta" (normalized: "c:\\boot\\fr-fr\\how to restore files.hta")) returned 0x1 [0086.387] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.387] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.387] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\fr-FR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR\\*.*") returned="\\\\?\\C:\\Boot\\fr-FR\\*.*" [0086.387] lstrlenW (lpString="\\\\?\\C:\\Boot\\fr-FR\\*.*") returned 21 [0086.387] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fr-FR\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui" [0086.387] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui" [0086.387] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.387] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.387] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x443fd28 | out: lpFindFileData=0x443fd28) returned 0 [0086.387] FindClose (in: hFindFile=0x5c89d0 | out: hFindFile=0x5c89d0) returned 1 Thread: id = 31 os_tid = 0xd28 [0086.284] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\hr-HR\\*.*", lpFindFileData=0x457fd28 | out: lpFindFileData=0x457fd28) returned 0x5c89d0 [0086.315] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.315] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x457fd28 | out: lpFindFileData=0x457fd28) returned 1 [0086.315] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.315] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.315] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x457fd28 | out: lpFindFileData=0x457fd28) returned 1 [0086.317] lstrcpyW (in: lpString1=0x3f20868, lpString2="\\\\?\\C:\\Boot\\hr-HR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\hr-HR\\*.*") returned="\\\\?\\C:\\Boot\\hr-HR\\*.*" [0086.317] lstrlenW (lpString="\\\\?\\C:\\Boot\\hr-HR\\*.*") returned 21 [0086.317] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\hr-HR\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\hr-HR\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\hr-HR\\How To Restore Files.hta" [0086.317] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\hr-HR\\How To Restore Files.hta" (normalized: "c:\\boot\\hr-hr\\how to restore files.hta")) returned 0xffffffff [0086.317] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hr-HR\\How To Restore Files.hta" (normalized: "c:\\boot\\hr-hr\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0086.318] WriteFile (in: hFile=0x328, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x457fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x457fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.319] CloseHandle (hObject=0x328) returned 1 [0086.319] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\hr-HR\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.320] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.320] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.320] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\hr-HR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\hr-HR\\*.*") returned="\\\\?\\C:\\Boot\\hr-HR\\*.*" [0086.320] lstrlenW (lpString="\\\\?\\C:\\Boot\\hr-HR\\*.*") returned 21 [0086.320] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\hr-HR\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui" [0086.320] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui" [0086.320] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.320] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.320] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x457fd28 | out: lpFindFileData=0x457fd28) returned 0 [0086.320] FindClose (in: hFindFile=0x5c89d0 | out: hFindFile=0x5c89d0) returned 1 Thread: id = 32 os_tid = 0xd2c [0086.290] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\hu-HU\\*.*", lpFindFileData=0x46bfd28 | out: lpFindFileData=0x46bfd28) returned 0x5c8910 [0086.313] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.314] FindNextFileW (in: hFindFile=0x5c8910, lpFindFileData=0x46bfd28 | out: lpFindFileData=0x46bfd28) returned 1 [0086.314] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.314] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.314] FindNextFileW (in: hFindFile=0x5c8910, lpFindFileData=0x46bfd28 | out: lpFindFileData=0x46bfd28) returned 1 [0086.314] lstrcpyW (in: lpString1=0x5b186d0, lpString2="\\\\?\\C:\\Boot\\hu-HU\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU\\*.*") returned="\\\\?\\C:\\Boot\\hu-HU\\*.*" [0086.314] lstrlenW (lpString="\\\\?\\C:\\Boot\\hu-HU\\*.*") returned 21 [0086.314] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\hu-HU\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\hu-HU\\How To Restore Files.hta" [0086.314] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\How To Restore Files.hta" (normalized: "c:\\boot\\hu-hu\\how to restore files.hta")) returned 0xffffffff [0086.314] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\How To Restore Files.hta" (normalized: "c:\\boot\\hu-hu\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0086.371] WriteFile (in: hFile=0x30c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x46bfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x46bfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.372] CloseHandle (hObject=0x30c) returned 1 [0086.372] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.373] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.373] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.373] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\hu-HU\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU\\*.*") returned="\\\\?\\C:\\Boot\\hu-HU\\*.*" [0086.373] lstrlenW (lpString="\\\\?\\C:\\Boot\\hu-HU\\*.*") returned 21 [0086.373] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\hu-HU\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui" [0086.373] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui" [0086.373] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.373] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.373] FindNextFileW (in: hFindFile=0x5c8910, lpFindFileData=0x46bfd28 | out: lpFindFileData=0x46bfd28) returned 1 [0086.374] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Boot\\hu-HU\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU\\*.*") returned="\\\\?\\C:\\Boot\\hu-HU\\*.*" [0086.374] lstrlenW (lpString="\\\\?\\C:\\Boot\\hu-HU\\*.*") returned 21 [0086.374] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\hu-HU\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\hu-HU\\How To Restore Files.hta" [0086.374] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\How To Restore Files.hta" (normalized: "c:\\boot\\hu-hu\\how to restore files.hta")) returned 0x1 [0086.374] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.374] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.374] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\hu-HU\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU\\*.*") returned="\\\\?\\C:\\Boot\\hu-HU\\*.*" [0086.374] lstrlenW (lpString="\\\\?\\C:\\Boot\\hu-HU\\*.*") returned 21 [0086.374] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\hu-HU\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui" [0086.374] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui" [0086.374] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.374] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.375] FindNextFileW (in: hFindFile=0x5c8910, lpFindFileData=0x46bfd28 | out: lpFindFileData=0x46bfd28) returned 0 [0086.375] FindClose (in: hFindFile=0x5c8910 | out: hFindFile=0x5c8910) returned 1 Thread: id = 33 os_tid = 0xd1c [0086.291] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\it-IT\\*.*", lpFindFileData=0x480fd28 | out: lpFindFileData=0x480fd28) returned 0x5c8850 [0086.311] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.311] FindNextFileW (in: hFindFile=0x5c8850, lpFindFileData=0x480fd28 | out: lpFindFileData=0x480fd28) returned 1 [0086.311] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.311] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.312] FindNextFileW (in: hFindFile=0x5c8850, lpFindFileData=0x480fd28 | out: lpFindFileData=0x480fd28) returned 1 [0086.312] lstrcpyW (in: lpString1=0x5b106c8, lpString2="\\\\?\\C:\\Boot\\it-IT\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\it-IT\\*.*") returned="\\\\?\\C:\\Boot\\it-IT\\*.*" [0086.312] lstrlenW (lpString="\\\\?\\C:\\Boot\\it-IT\\*.*") returned 21 [0086.312] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\it-IT\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\it-IT\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\it-IT\\How To Restore Files.hta" [0086.312] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\How To Restore Files.hta" (normalized: "c:\\boot\\it-it\\how to restore files.hta")) returned 0xffffffff [0086.313] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\How To Restore Files.hta" (normalized: "c:\\boot\\it-it\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0086.362] WriteFile (in: hFile=0x308, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x480fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x480fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.363] CloseHandle (hObject=0x308) returned 1 [0086.363] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.364] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.364] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.364] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\it-IT\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\it-IT\\*.*") returned="\\\\?\\C:\\Boot\\it-IT\\*.*" [0086.364] lstrlenW (lpString="\\\\?\\C:\\Boot\\it-IT\\*.*") returned 21 [0086.364] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\it-IT\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui" [0086.364] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui" [0086.364] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.364] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.364] FindNextFileW (in: hFindFile=0x5c8850, lpFindFileData=0x480fd28 | out: lpFindFileData=0x480fd28) returned 1 [0086.364] lstrcpyW (in: lpString1=0x5b106c8, lpString2="\\\\?\\C:\\Boot\\it-IT\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\it-IT\\*.*") returned="\\\\?\\C:\\Boot\\it-IT\\*.*" [0086.364] lstrlenW (lpString="\\\\?\\C:\\Boot\\it-IT\\*.*") returned 21 [0086.364] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\it-IT\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\it-IT\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\it-IT\\How To Restore Files.hta" [0086.364] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\How To Restore Files.hta" (normalized: "c:\\boot\\it-it\\how to restore files.hta")) returned 0x1 [0086.365] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.365] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.365] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\it-IT\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\it-IT\\*.*") returned="\\\\?\\C:\\Boot\\it-IT\\*.*" [0086.365] lstrlenW (lpString="\\\\?\\C:\\Boot\\it-IT\\*.*") returned 21 [0086.365] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\it-IT\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui" [0086.365] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui" [0086.365] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.365] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\it-it\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.365] FindNextFileW (in: hFindFile=0x5c8850, lpFindFileData=0x480fd28 | out: lpFindFileData=0x480fd28) returned 0 [0086.365] FindClose (in: hFindFile=0x5c8850 | out: hFindFile=0x5c8850) returned 1 Thread: id = 34 os_tid = 0xd14 [0086.291] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ja-JP\\*.*", lpFindFileData=0x494fd28 | out: lpFindFileData=0x494fd28) returned 0x5c8890 [0086.305] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.310] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x494fd28 | out: lpFindFileData=0x494fd28) returned 1 [0086.310] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.310] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.310] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x494fd28 | out: lpFindFileData=0x494fd28) returned 1 [0086.310] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Boot\\ja-JP\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP\\*.*") returned="\\\\?\\C:\\Boot\\ja-JP\\*.*" [0086.310] lstrlenW (lpString="\\\\?\\C:\\Boot\\ja-JP\\*.*") returned 21 [0086.310] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ja-JP\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\ja-JP\\How To Restore Files.hta" [0086.310] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\How To Restore Files.hta" (normalized: "c:\\boot\\ja-jp\\how to restore files.hta")) returned 0xffffffff [0086.311] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\How To Restore Files.hta" (normalized: "c:\\boot\\ja-jp\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0086.355] WriteFile (in: hFile=0x2e4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x494fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x494fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.356] CloseHandle (hObject=0x2e4) returned 1 [0086.357] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.357] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.357] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.357] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\ja-JP\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP\\*.*") returned="\\\\?\\C:\\Boot\\ja-JP\\*.*" [0086.357] lstrlenW (lpString="\\\\?\\C:\\Boot\\ja-JP\\*.*") returned 21 [0086.358] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ja-JP\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui" [0086.358] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui" [0086.358] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.358] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.358] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x494fd28 | out: lpFindFileData=0x494fd28) returned 1 [0086.358] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Boot\\ja-JP\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP\\*.*") returned="\\\\?\\C:\\Boot\\ja-JP\\*.*" [0086.358] lstrlenW (lpString="\\\\?\\C:\\Boot\\ja-JP\\*.*") returned 21 [0086.358] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ja-JP\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\ja-JP\\How To Restore Files.hta" [0086.358] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\How To Restore Files.hta" (normalized: "c:\\boot\\ja-jp\\how to restore files.hta")) returned 0x1 [0086.358] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.358] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.358] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\ja-JP\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP\\*.*") returned="\\\\?\\C:\\Boot\\ja-JP\\*.*" [0086.358] lstrlenW (lpString="\\\\?\\C:\\Boot\\ja-JP\\*.*") returned 21 [0086.358] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ja-JP\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui" [0086.358] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui" [0086.358] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.358] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.359] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x494fd28 | out: lpFindFileData=0x494fd28) returned 0 [0086.359] FindClose (in: hFindFile=0x5c8890 | out: hFindFile=0x5c8890) returned 1 Thread: id = 35 os_tid = 0xde8 [0086.292] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ko-KR\\*.*", lpFindFileData=0x4a8fd28 | out: lpFindFileData=0x4a8fd28) returned 0x5c8850 [0086.303] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.303] FindNextFileW (in: hFindFile=0x5c8850, lpFindFileData=0x4a8fd28 | out: lpFindFileData=0x4a8fd28) returned 1 [0086.303] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.303] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.303] FindNextFileW (in: hFindFile=0x5c8850, lpFindFileData=0x4a8fd28 | out: lpFindFileData=0x4a8fd28) returned 1 [0086.303] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Boot\\ko-KR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR\\*.*") returned="\\\\?\\C:\\Boot\\ko-KR\\*.*" [0086.303] lstrlenW (lpString="\\\\?\\C:\\Boot\\ko-KR\\*.*") returned 21 [0086.304] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ko-KR\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\ko-KR\\How To Restore Files.hta" [0086.304] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\How To Restore Files.hta" (normalized: "c:\\boot\\ko-kr\\how to restore files.hta")) returned 0xffffffff [0086.304] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\How To Restore Files.hta" (normalized: "c:\\boot\\ko-kr\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0086.306] WriteFile (in: hFile=0x32c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x4a8fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x4a8fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.307] CloseHandle (hObject=0x32c) returned 1 [0086.307] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.308] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.308] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.308] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\ko-KR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR\\*.*") returned="\\\\?\\C:\\Boot\\ko-KR\\*.*" [0086.308] lstrlenW (lpString="\\\\?\\C:\\Boot\\ko-KR\\*.*") returned 21 [0086.308] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ko-KR\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui" [0086.308] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui" [0086.308] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.308] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.308] FindNextFileW (in: hFindFile=0x5c8850, lpFindFileData=0x4a8fd28 | out: lpFindFileData=0x4a8fd28) returned 1 [0086.308] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Boot\\ko-KR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR\\*.*") returned="\\\\?\\C:\\Boot\\ko-KR\\*.*" [0086.308] lstrlenW (lpString="\\\\?\\C:\\Boot\\ko-KR\\*.*") returned 21 [0086.308] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ko-KR\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\ko-KR\\How To Restore Files.hta" [0086.308] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\How To Restore Files.hta" (normalized: "c:\\boot\\ko-kr\\how to restore files.hta")) returned 0x1 [0086.309] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.309] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.309] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\ko-KR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR\\*.*") returned="\\\\?\\C:\\Boot\\ko-KR\\*.*" [0086.309] lstrlenW (lpString="\\\\?\\C:\\Boot\\ko-KR\\*.*") returned 21 [0086.309] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ko-KR\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui" [0086.309] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui" [0086.309] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.309] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.309] FindNextFileW (in: hFindFile=0x5c8850, lpFindFileData=0x4a8fd28 | out: lpFindFileData=0x4a8fd28) returned 0 [0086.309] FindClose (in: hFindFile=0x5c8850 | out: hFindFile=0x5c8850) returned 1 Thread: id = 36 os_tid = 0x788 [0086.292] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\lt-LT\\*.*", lpFindFileData=0x4bcfd28 | out: lpFindFileData=0x4bcfd28) returned 0x5c8a90 [0086.339] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.339] FindNextFileW (in: hFindFile=0x5c8a90, lpFindFileData=0x4bcfd28 | out: lpFindFileData=0x4bcfd28) returned 1 [0086.339] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.339] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.339] FindNextFileW (in: hFindFile=0x5c8a90, lpFindFileData=0x4bcfd28 | out: lpFindFileData=0x4bcfd28) returned 1 [0086.339] lstrcpyW (in: lpString1=0x3d70118, lpString2="\\\\?\\C:\\Boot\\lt-LT\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\lt-LT\\*.*") returned="\\\\?\\C:\\Boot\\lt-LT\\*.*" [0086.339] lstrlenW (lpString="\\\\?\\C:\\Boot\\lt-LT\\*.*") returned 21 [0086.339] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\lt-LT\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\lt-LT\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\lt-LT\\How To Restore Files.hta" [0086.339] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\lt-LT\\How To Restore Files.hta" (normalized: "c:\\boot\\lt-lt\\how to restore files.hta")) returned 0xffffffff [0086.339] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\lt-LT\\How To Restore Files.hta" (normalized: "c:\\boot\\lt-lt\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0086.340] WriteFile (in: hFile=0x300, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x4bcfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x4bcfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.341] CloseHandle (hObject=0x300) returned 1 [0086.341] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\lt-LT\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.341] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.341] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.341] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\lt-LT\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\lt-LT\\*.*") returned="\\\\?\\C:\\Boot\\lt-LT\\*.*" [0086.341] lstrlenW (lpString="\\\\?\\C:\\Boot\\lt-LT\\*.*") returned 21 [0086.341] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\lt-LT\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui" [0086.341] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui" [0086.342] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.342] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.342] FindNextFileW (in: hFindFile=0x5c8a90, lpFindFileData=0x4bcfd28 | out: lpFindFileData=0x4bcfd28) returned 0 [0086.342] FindClose (in: hFindFile=0x5c8a90 | out: hFindFile=0x5c8a90) returned 1 Thread: id = 37 os_tid = 0x65c [0086.293] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\lv-LV\\*.*", lpFindFileData=0x4d0fd28 | out: lpFindFileData=0x4d0fd28) returned 0x5c8a50 [0086.323] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.323] FindNextFileW (in: hFindFile=0x5c8a50, lpFindFileData=0x4d0fd28 | out: lpFindFileData=0x4d0fd28) returned 1 [0086.323] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.323] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.323] FindNextFileW (in: hFindFile=0x5c8a50, lpFindFileData=0x4d0fd28 | out: lpFindFileData=0x4d0fd28) returned 1 [0086.323] lstrcpyW (in: lpString1=0x3f28870, lpString2="\\\\?\\C:\\Boot\\lv-LV\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\lv-LV\\*.*") returned="\\\\?\\C:\\Boot\\lv-LV\\*.*" [0086.323] lstrlenW (lpString="\\\\?\\C:\\Boot\\lv-LV\\*.*") returned 21 [0086.323] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\lv-LV\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\lv-LV\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\lv-LV\\How To Restore Files.hta" [0086.323] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\lv-LV\\How To Restore Files.hta" (normalized: "c:\\boot\\lv-lv\\how to restore files.hta")) returned 0xffffffff [0086.323] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\lv-LV\\How To Restore Files.hta" (normalized: "c:\\boot\\lv-lv\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0086.324] WriteFile (in: hFile=0x318, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x4d0fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x4d0fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.325] CloseHandle (hObject=0x318) returned 1 [0086.325] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\lv-LV\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.325] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.325] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.325] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\lv-LV\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\lv-LV\\*.*") returned="\\\\?\\C:\\Boot\\lv-LV\\*.*" [0086.326] lstrlenW (lpString="\\\\?\\C:\\Boot\\lv-LV\\*.*") returned 21 [0086.326] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\lv-LV\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui" [0086.326] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui" [0086.326] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.326] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.326] FindNextFileW (in: hFindFile=0x5c8a50, lpFindFileData=0x4d0fd28 | out: lpFindFileData=0x4d0fd28) returned 0 [0086.326] FindClose (in: hFindFile=0x5c8a50 | out: hFindFile=0x5c8a50) returned 1 Thread: id = 38 os_tid = 0x924 [0086.344] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\nb-NO\\*.*", lpFindFileData=0x4e4fd28 | out: lpFindFileData=0x4e4fd28) returned 0x5c8a90 [0086.344] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.344] FindNextFileW (in: hFindFile=0x5c8a90, lpFindFileData=0x4e4fd28 | out: lpFindFileData=0x4e4fd28) returned 1 [0086.344] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.344] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.344] FindNextFileW (in: hFindFile=0x5c8a90, lpFindFileData=0x4e4fd28 | out: lpFindFileData=0x4e4fd28) returned 1 [0086.345] lstrcpyW (in: lpString1=0x3d70118, lpString2="\\\\?\\C:\\Boot\\nb-NO\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO\\*.*") returned="\\\\?\\C:\\Boot\\nb-NO\\*.*" [0086.345] lstrlenW (lpString="\\\\?\\C:\\Boot\\nb-NO\\*.*") returned 21 [0086.345] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nb-NO\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\nb-NO\\How To Restore Files.hta" [0086.345] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\How To Restore Files.hta" (normalized: "c:\\boot\\nb-no\\how to restore files.hta")) returned 0xffffffff [0086.345] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\How To Restore Files.hta" (normalized: "c:\\boot\\nb-no\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0086.557] WriteFile (in: hFile=0x2e8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x4e4fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x4e4fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.558] CloseHandle (hObject=0x2e8) returned 1 [0086.558] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.559] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.559] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.559] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\nb-NO\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO\\*.*") returned="\\\\?\\C:\\Boot\\nb-NO\\*.*" [0086.559] lstrlenW (lpString="\\\\?\\C:\\Boot\\nb-NO\\*.*") returned 21 [0086.559] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nb-NO\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui" [0086.559] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui" [0086.559] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.559] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.559] FindNextFileW (in: hFindFile=0x5c8a90, lpFindFileData=0x4e4fd28 | out: lpFindFileData=0x4e4fd28) returned 1 [0086.559] lstrcpyW (in: lpString1=0x3d70118, lpString2="\\\\?\\C:\\Boot\\nb-NO\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO\\*.*") returned="\\\\?\\C:\\Boot\\nb-NO\\*.*" [0086.559] lstrlenW (lpString="\\\\?\\C:\\Boot\\nb-NO\\*.*") returned 21 [0086.560] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nb-NO\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\nb-NO\\How To Restore Files.hta" [0086.560] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\How To Restore Files.hta" (normalized: "c:\\boot\\nb-no\\how to restore files.hta")) returned 0x1 [0086.560] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.560] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.560] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\nb-NO\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO\\*.*") returned="\\\\?\\C:\\Boot\\nb-NO\\*.*" [0086.560] lstrlenW (lpString="\\\\?\\C:\\Boot\\nb-NO\\*.*") returned 21 [0086.560] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nb-NO\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui" [0086.560] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui" [0086.560] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.560] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.561] FindNextFileW (in: hFindFile=0x5c8a90, lpFindFileData=0x4e4fd28 | out: lpFindFileData=0x4e4fd28) returned 0 [0086.561] FindClose (in: hFindFile=0x5c8a90 | out: hFindFile=0x5c8a90) returned 1 Thread: id = 39 os_tid = 0xdac [0086.345] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\nl-NL\\*.*", lpFindFileData=0x4f8fd28 | out: lpFindFileData=0x4f8fd28) returned 0x5c8c10 [0086.555] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.555] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x4f8fd28 | out: lpFindFileData=0x4f8fd28) returned 1 [0086.555] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.555] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.555] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x4f8fd28 | out: lpFindFileData=0x4f8fd28) returned 1 [0086.555] lstrcpyW (in: lpString1=0x3ec86d0, lpString2="\\\\?\\C:\\Boot\\nl-NL\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL\\*.*") returned="\\\\?\\C:\\Boot\\nl-NL\\*.*" [0086.555] lstrlenW (lpString="\\\\?\\C:\\Boot\\nl-NL\\*.*") returned 21 [0086.555] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nl-NL\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\nl-NL\\How To Restore Files.hta" [0086.555] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\How To Restore Files.hta" (normalized: "c:\\boot\\nl-nl\\how to restore files.hta")) returned 0xffffffff [0086.556] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\How To Restore Files.hta" (normalized: "c:\\boot\\nl-nl\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0086.854] WriteFile (in: hFile=0x2f0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x4f8fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x4f8fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.868] CloseHandle (hObject=0x2f0) returned 1 [0086.879] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.879] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.879] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.879] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\nl-NL\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL\\*.*") returned="\\\\?\\C:\\Boot\\nl-NL\\*.*" [0086.880] lstrlenW (lpString="\\\\?\\C:\\Boot\\nl-NL\\*.*") returned 21 [0086.880] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nl-NL\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui" [0086.880] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui" [0086.880] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.880] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.880] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x4f8fd28 | out: lpFindFileData=0x4f8fd28) returned 1 [0086.880] lstrcpyW (in: lpString1=0x3ec86d0, lpString2="\\\\?\\C:\\Boot\\nl-NL\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL\\*.*") returned="\\\\?\\C:\\Boot\\nl-NL\\*.*" [0086.880] lstrlenW (lpString="\\\\?\\C:\\Boot\\nl-NL\\*.*") returned 21 [0086.880] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nl-NL\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\nl-NL\\How To Restore Files.hta" [0086.880] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\How To Restore Files.hta" (normalized: "c:\\boot\\nl-nl\\how to restore files.hta")) returned 0x1 [0086.880] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.880] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.880] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\nl-NL\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL\\*.*") returned="\\\\?\\C:\\Boot\\nl-NL\\*.*" [0086.880] lstrlenW (lpString="\\\\?\\C:\\Boot\\nl-NL\\*.*") returned 21 [0086.880] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nl-NL\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui" [0086.880] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui" [0086.880] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.880] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.881] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x4f8fd28 | out: lpFindFileData=0x4f8fd28) returned 0 [0086.881] FindClose (in: hFindFile=0x5c8c10 | out: hFindFile=0x5c8c10) returned 1 Thread: id = 40 os_tid = 0xdb0 [0086.346] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pl-PL\\*.*", lpFindFileData=0x50cfd28 | out: lpFindFileData=0x50cfd28) returned 0x5c8bd0 [0086.553] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.553] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x50cfd28 | out: lpFindFileData=0x50cfd28) returned 1 [0086.553] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.553] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.554] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x50cfd28 | out: lpFindFileData=0x50cfd28) returned 1 [0086.554] lstrcpyW (in: lpString1=0x3ec06c8, lpString2="\\\\?\\C:\\Boot\\pl-PL\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL\\*.*") returned="\\\\?\\C:\\Boot\\pl-PL\\*.*" [0086.554] lstrlenW (lpString="\\\\?\\C:\\Boot\\pl-PL\\*.*") returned 21 [0086.554] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pl-PL\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\pl-PL\\How To Restore Files.hta" [0086.554] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\How To Restore Files.hta" (normalized: "c:\\boot\\pl-pl\\how to restore files.hta")) returned 0xffffffff [0086.554] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\How To Restore Files.hta" (normalized: "c:\\boot\\pl-pl\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0086.854] WriteFile (in: hFile=0x238, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x50cfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x50cfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.867] CloseHandle (hObject=0x238) returned 1 [0086.881] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.882] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.882] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.882] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\pl-PL\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL\\*.*") returned="\\\\?\\C:\\Boot\\pl-PL\\*.*" [0086.882] lstrlenW (lpString="\\\\?\\C:\\Boot\\pl-PL\\*.*") returned 21 [0086.882] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pl-PL\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui" [0086.882] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui" [0086.882] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.882] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.882] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x50cfd28 | out: lpFindFileData=0x50cfd28) returned 1 [0086.882] lstrcpyW (in: lpString1=0x3d70118, lpString2="\\\\?\\C:\\Boot\\pl-PL\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL\\*.*") returned="\\\\?\\C:\\Boot\\pl-PL\\*.*" [0086.883] lstrlenW (lpString="\\\\?\\C:\\Boot\\pl-PL\\*.*") returned 21 [0086.883] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pl-PL\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\pl-PL\\How To Restore Files.hta" [0086.883] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\How To Restore Files.hta" (normalized: "c:\\boot\\pl-pl\\how to restore files.hta")) returned 0x1 [0086.883] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.883] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.883] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\pl-PL\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL\\*.*") returned="\\\\?\\C:\\Boot\\pl-PL\\*.*" [0086.883] lstrlenW (lpString="\\\\?\\C:\\Boot\\pl-PL\\*.*") returned 21 [0086.883] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pl-PL\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui" [0086.883] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui" [0086.883] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.883] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.883] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x50cfd28 | out: lpFindFileData=0x50cfd28) returned 0 [0086.883] FindClose (in: hFindFile=0x5c8bd0 | out: hFindFile=0x5c8bd0) returned 1 Thread: id = 41 os_tid = 0xdb4 [0086.347] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pt-BR\\*.*", lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 0x5c8b90 [0086.552] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.552] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 1 [0086.552] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.552] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.552] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 1 [0086.552] lstrcpyW (in: lpString1=0x3e10398, lpString2="\\\\?\\C:\\Boot\\pt-BR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR\\*.*") returned="\\\\?\\C:\\Boot\\pt-BR\\*.*" [0086.552] lstrlenW (lpString="\\\\?\\C:\\Boot\\pt-BR\\*.*") returned 21 [0086.552] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-BR\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\pt-BR\\How To Restore Files.hta" [0086.552] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\How To Restore Files.hta" (normalized: "c:\\boot\\pt-br\\how to restore files.hta")) returned 0xffffffff [0086.552] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\How To Restore Files.hta" (normalized: "c:\\boot\\pt-br\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0086.855] WriteFile (in: hFile=0x22c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x520fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x520fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.866] CloseHandle (hObject=0x22c) returned 1 [0086.890] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.891] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.891] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.891] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\pt-BR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR\\*.*") returned="\\\\?\\C:\\Boot\\pt-BR\\*.*" [0086.891] lstrlenW (lpString="\\\\?\\C:\\Boot\\pt-BR\\*.*") returned 21 [0086.891] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-BR\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui" [0086.891] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui" [0086.891] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.891] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.891] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 1 [0086.892] lstrcpyW (in: lpString1=0x3d70118, lpString2="\\\\?\\C:\\Boot\\pt-BR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR\\*.*") returned="\\\\?\\C:\\Boot\\pt-BR\\*.*" [0086.892] lstrlenW (lpString="\\\\?\\C:\\Boot\\pt-BR\\*.*") returned 21 [0086.892] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-BR\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\pt-BR\\How To Restore Files.hta" [0086.892] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\How To Restore Files.hta" (normalized: "c:\\boot\\pt-br\\how to restore files.hta")) returned 0x1 [0086.892] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.892] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.892] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\pt-BR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR\\*.*") returned="\\\\?\\C:\\Boot\\pt-BR\\*.*" [0086.893] lstrlenW (lpString="\\\\?\\C:\\Boot\\pt-BR\\*.*") returned 21 [0086.893] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-BR\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui" [0086.893] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui" [0086.893] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.893] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.893] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 0 [0086.893] FindClose (in: hFindFile=0x5c8b90 | out: hFindFile=0x5c8b90) returned 1 Thread: id = 42 os_tid = 0xcbc [0086.347] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pt-PT\\*.*", lpFindFileData=0x534fd28 | out: lpFindFileData=0x534fd28) returned 0x5c8b50 [0086.549] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.549] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x534fd28 | out: lpFindFileData=0x534fd28) returned 1 [0086.549] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.549] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.549] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x534fd28 | out: lpFindFileData=0x534fd28) returned 1 [0086.550] lstrcpyW (in: lpString1=0x3e08390, lpString2="\\\\?\\C:\\Boot\\pt-PT\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT\\*.*") returned="\\\\?\\C:\\Boot\\pt-PT\\*.*" [0086.550] lstrlenW (lpString="\\\\?\\C:\\Boot\\pt-PT\\*.*") returned 21 [0086.550] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-PT\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\pt-PT\\How To Restore Files.hta" [0086.550] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\How To Restore Files.hta" (normalized: "c:\\boot\\pt-pt\\how to restore files.hta")) returned 0xffffffff [0086.551] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\How To Restore Files.hta" (normalized: "c:\\boot\\pt-pt\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a4 [0086.855] WriteFile (in: hFile=0x2a4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x534fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x534fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.865] CloseHandle (hObject=0x2a4) returned 1 [0086.895] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.895] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.895] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.895] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\pt-PT\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT\\*.*") returned="\\\\?\\C:\\Boot\\pt-PT\\*.*" [0086.895] lstrlenW (lpString="\\\\?\\C:\\Boot\\pt-PT\\*.*") returned 21 [0086.895] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-PT\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui" [0086.895] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui" [0086.895] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.896] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.896] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x534fd28 | out: lpFindFileData=0x534fd28) returned 1 [0086.896] lstrcpyW (in: lpString1=0x3d70118, lpString2="\\\\?\\C:\\Boot\\pt-PT\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT\\*.*") returned="\\\\?\\C:\\Boot\\pt-PT\\*.*" [0086.896] lstrlenW (lpString="\\\\?\\C:\\Boot\\pt-PT\\*.*") returned 21 [0086.896] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-PT\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\pt-PT\\How To Restore Files.hta" [0086.896] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\How To Restore Files.hta" (normalized: "c:\\boot\\pt-pt\\how to restore files.hta")) returned 0x1 [0086.896] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.896] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.896] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\pt-PT\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT\\*.*") returned="\\\\?\\C:\\Boot\\pt-PT\\*.*" [0086.896] lstrlenW (lpString="\\\\?\\C:\\Boot\\pt-PT\\*.*") returned 21 [0086.896] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-PT\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui" [0086.896] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui" [0086.897] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.897] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.897] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x534fd28 | out: lpFindFileData=0x534fd28) returned 0 [0086.897] FindClose (in: hFindFile=0x5c8b50 | out: hFindFile=0x5c8b50) returned 1 Thread: id = 43 os_tid = 0xd04 [0086.348] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\*.*", lpFindFileData=0x548fd28 | out: lpFindFileData=0x548fd28) returned 0x5c8b10 [0086.547] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.547] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x548fd28 | out: lpFindFileData=0x548fd28) returned 1 [0086.547] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.547] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.547] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x548fd28 | out: lpFindFileData=0x548fd28) returned 1 [0086.547] lstrcpyW (in: lpString1=0x3f28870, lpString2="\\\\?\\C:\\Boot\\qps-ploc\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\qps-ploc\\*.*") returned="\\\\?\\C:\\Boot\\qps-ploc\\*.*" [0086.547] lstrlenW (lpString="\\\\?\\C:\\Boot\\qps-ploc\\*.*") returned 24 [0086.547] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\qps-ploc\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\qps-ploc\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\qps-ploc\\How To Restore Files.hta" [0086.547] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\How To Restore Files.hta" (normalized: "c:\\boot\\qps-ploc\\how to restore files.hta")) returned 0xffffffff [0086.547] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\How To Restore Files.hta" (normalized: "c:\\boot\\qps-ploc\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a0 [0086.855] WriteFile (in: hFile=0x2a0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x548fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x548fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.864] CloseHandle (hObject=0x2a0) returned 1 [0086.898] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.899] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.899] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.899] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\qps-ploc\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\qps-ploc\\*.*") returned="\\\\?\\C:\\Boot\\qps-ploc\\*.*" [0086.899] lstrlenW (lpString="\\\\?\\C:\\Boot\\qps-ploc\\*.*") returned 24 [0086.899] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\qps-ploc\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui" [0086.899] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui" [0086.899] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.899] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.900] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x548fd28 | out: lpFindFileData=0x548fd28) returned 1 [0086.900] lstrcpyW (in: lpString1=0x3d70118, lpString2="\\\\?\\C:\\Boot\\qps-ploc\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\qps-ploc\\*.*") returned="\\\\?\\C:\\Boot\\qps-ploc\\*.*" [0086.900] lstrlenW (lpString="\\\\?\\C:\\Boot\\qps-ploc\\*.*") returned 24 [0086.900] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\qps-ploc\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\qps-ploc\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\qps-ploc\\How To Restore Files.hta" [0086.900] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\How To Restore Files.hta" (normalized: "c:\\boot\\qps-ploc\\how to restore files.hta")) returned 0x1 [0086.900] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.900] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.900] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\qps-ploc\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\qps-ploc\\*.*") returned="\\\\?\\C:\\Boot\\qps-ploc\\*.*" [0086.900] lstrlenW (lpString="\\\\?\\C:\\Boot\\qps-ploc\\*.*") returned 24 [0086.900] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\qps-ploc\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui" [0086.900] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui" [0086.900] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.900] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.901] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x548fd28 | out: lpFindFileData=0x548fd28) returned 0 [0086.901] FindClose (in: hFindFile=0x5c8b10 | out: hFindFile=0x5c8b10) returned 1 Thread: id = 44 os_tid = 0xc68 [0086.348] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\Resources\\*.*", lpFindFileData=0x55cfd28 | out: lpFindFileData=0x55cfd28) returned 0x5c8b50 [0086.542] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.542] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x55cfd28 | out: lpFindFileData=0x55cfd28) returned 1 [0086.542] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.542] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.542] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x55cfd28 | out: lpFindFileData=0x55cfd28) returned 1 [0086.542] lstrcpyW (in: lpString1=0x3f28870, lpString2="\\\\?\\C:\\Boot\\Resources\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Resources\\*.*") returned="\\\\?\\C:\\Boot\\Resources\\*.*" [0086.542] lstrlenW (lpString="\\\\?\\C:\\Boot\\Resources\\*.*") returned 25 [0086.542] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Resources\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\Resources\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\Resources\\How To Restore Files.hta" [0086.542] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Resources\\How To Restore Files.hta" (normalized: "c:\\boot\\resources\\how to restore files.hta")) returned 0xffffffff [0086.542] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Resources\\How To Restore Files.hta" (normalized: "c:\\boot\\resources\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0086.543] WriteFile (in: hFile=0x310, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x55cfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x55cfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.544] CloseHandle (hObject=0x310) returned 1 [0086.544] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Resources\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.545] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootres.dll") returned 1 [0086.545] lstrlenW (lpString="bootres.dll") returned 11 [0086.545] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Resources\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Resources\\*.*") returned="\\\\?\\C:\\Boot\\Resources\\*.*" [0086.545] lstrlenW (lpString="\\\\?\\C:\\Boot\\Resources\\*.*") returned 25 [0086.545] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Resources\\", lpString2="bootres.dll" | out: lpString1="\\\\?\\C:\\Boot\\Resources\\bootres.dll") returned="\\\\?\\C:\\Boot\\Resources\\bootres.dll" [0086.545] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Resources\\bootres.dll" | out: lpString1="\\\\?\\C:\\Boot\\Resources\\bootres.dll") returned="\\\\?\\C:\\Boot\\Resources\\bootres.dll" [0086.545] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Resources\\bootres.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\Resources\\bootres.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\Resources\\bootres.dll id-Br3n0G72wUb8CejT.LyaS" [0086.545] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Resources\\bootres.dll" (normalized: "c:\\boot\\resources\\bootres.dll"), lpNewFileName="\\\\?\\C:\\Boot\\Resources\\bootres.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\resources\\bootres.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0086.545] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x55cfd28 | out: lpFindFileData=0x55cfd28) returned 1 [0086.545] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0086.545] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0086.545] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0086.545] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Resources\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Resources\\*.*") returned="\\\\?\\C:\\Boot\\Resources\\*.*" [0086.545] lstrlenW (lpString="\\\\?\\C:\\Boot\\Resources\\*.*") returned 25 [0086.545] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Resources\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Boot\\Resources\\en-US") returned="\\\\?\\C:\\Boot\\Resources\\en-US" [0086.545] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Resources\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Resources\\en-US\\*.*") returned="\\\\?\\C:\\Boot\\Resources\\en-US\\*.*" [0086.545] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3ed8730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x310 [0086.546] CloseHandle (hObject=0x310) returned 1 [0086.546] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x55cfd28 | out: lpFindFileData=0x55cfd28) returned 0 [0086.546] FindClose (in: hFindFile=0x5c8b50 | out: hFindFile=0x5c8b50) returned 1 Thread: id = 45 os_tid = 0xda8 [0086.349] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ro-RO\\*.*", lpFindFileData=0x570fd28 | out: lpFindFileData=0x570fd28) returned 0x5c8b90 [0086.538] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.538] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x570fd28 | out: lpFindFileData=0x570fd28) returned 1 [0086.538] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.538] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.538] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x570fd28 | out: lpFindFileData=0x570fd28) returned 1 [0086.538] lstrcpyW (in: lpString1=0x3f28870, lpString2="\\\\?\\C:\\Boot\\ro-RO\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ro-RO\\*.*") returned="\\\\?\\C:\\Boot\\ro-RO\\*.*" [0086.538] lstrlenW (lpString="\\\\?\\C:\\Boot\\ro-RO\\*.*") returned 21 [0086.538] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ro-RO\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\ro-RO\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\ro-RO\\How To Restore Files.hta" [0086.538] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ro-RO\\How To Restore Files.hta" (normalized: "c:\\boot\\ro-ro\\how to restore files.hta")) returned 0xffffffff [0086.538] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ro-RO\\How To Restore Files.hta" (normalized: "c:\\boot\\ro-ro\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0086.539] WriteFile (in: hFile=0x310, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x570fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x570fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.540] CloseHandle (hObject=0x310) returned 1 [0086.540] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ro-RO\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.540] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.540] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.540] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\ro-RO\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ro-RO\\*.*") returned="\\\\?\\C:\\Boot\\ro-RO\\*.*" [0086.540] lstrlenW (lpString="\\\\?\\C:\\Boot\\ro-RO\\*.*") returned 21 [0086.540] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ro-RO\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui" [0086.541] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui" [0086.541] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.541] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.541] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x570fd28 | out: lpFindFileData=0x570fd28) returned 0 [0086.541] FindClose (in: hFindFile=0x5c8b90 | out: hFindFile=0x5c8b90) returned 1 Thread: id = 46 os_tid = 0xc20 [0086.349] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ru-RU\\*.*", lpFindFileData=0x584fd28 | out: lpFindFileData=0x584fd28) returned 0x5c87d0 [0086.535] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.535] FindNextFileW (in: hFindFile=0x5c87d0, lpFindFileData=0x584fd28 | out: lpFindFileData=0x584fd28) returned 1 [0086.535] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.535] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.535] FindNextFileW (in: hFindFile=0x5c87d0, lpFindFileData=0x584fd28 | out: lpFindFileData=0x584fd28) returned 1 [0086.536] lstrcpyW (in: lpString1=0x3f20868, lpString2="\\\\?\\C:\\Boot\\ru-RU\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU\\*.*") returned="\\\\?\\C:\\Boot\\ru-RU\\*.*" [0086.536] lstrlenW (lpString="\\\\?\\C:\\Boot\\ru-RU\\*.*") returned 21 [0086.537] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ru-RU\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\ru-RU\\How To Restore Files.hta" [0086.537] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\How To Restore Files.hta" (normalized: "c:\\boot\\ru-ru\\how to restore files.hta")) returned 0xffffffff [0086.537] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\How To Restore Files.hta" (normalized: "c:\\boot\\ru-ru\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x28c [0086.855] WriteFile (in: hFile=0x28c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x584fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x584fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.863] CloseHandle (hObject=0x28c) returned 1 [0086.904] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.907] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.907] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.907] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\ru-RU\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU\\*.*") returned="\\\\?\\C:\\Boot\\ru-RU\\*.*" [0086.907] lstrlenW (lpString="\\\\?\\C:\\Boot\\ru-RU\\*.*") returned 21 [0086.907] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ru-RU\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui" [0086.907] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui" [0086.907] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.907] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.908] FindNextFileW (in: hFindFile=0x5c87d0, lpFindFileData=0x584fd28 | out: lpFindFileData=0x584fd28) returned 1 [0086.909] lstrcpyW (in: lpString1=0x3d70118, lpString2="\\\\?\\C:\\Boot\\ru-RU\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU\\*.*") returned="\\\\?\\C:\\Boot\\ru-RU\\*.*" [0086.909] lstrlenW (lpString="\\\\?\\C:\\Boot\\ru-RU\\*.*") returned 21 [0086.909] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ru-RU\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\ru-RU\\How To Restore Files.hta" [0086.909] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\How To Restore Files.hta" (normalized: "c:\\boot\\ru-ru\\how to restore files.hta")) returned 0x1 [0086.909] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.909] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.909] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\ru-RU\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU\\*.*") returned="\\\\?\\C:\\Boot\\ru-RU\\*.*" [0086.909] lstrlenW (lpString="\\\\?\\C:\\Boot\\ru-RU\\*.*") returned 21 [0086.909] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ru-RU\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui" [0086.909] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui" [0086.909] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.909] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.910] FindNextFileW (in: hFindFile=0x5c87d0, lpFindFileData=0x584fd28 | out: lpFindFileData=0x584fd28) returned 0 [0086.910] FindClose (in: hFindFile=0x5c87d0 | out: hFindFile=0x5c87d0) returned 1 Thread: id = 47 os_tid = 0xadc [0086.350] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sk-SK\\*.*", lpFindFileData=0x598fd28 | out: lpFindFileData=0x598fd28) returned 0x5c8c50 [0086.578] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.578] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x598fd28 | out: lpFindFileData=0x598fd28) returned 1 [0086.578] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.578] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.578] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x598fd28 | out: lpFindFileData=0x598fd28) returned 1 [0086.578] lstrcpyW (in: lpString1=0x3ed06d8, lpString2="\\\\?\\C:\\Boot\\sk-SK\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\sk-SK\\*.*") returned="\\\\?\\C:\\Boot\\sk-SK\\*.*" [0086.579] lstrlenW (lpString="\\\\?\\C:\\Boot\\sk-SK\\*.*") returned 21 [0086.579] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sk-SK\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\sk-SK\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\sk-SK\\How To Restore Files.hta" [0086.579] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sk-SK\\How To Restore Files.hta" (normalized: "c:\\boot\\sk-sk\\how to restore files.hta")) returned 0xffffffff [0086.579] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sk-SK\\How To Restore Files.hta" (normalized: "c:\\boot\\sk-sk\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0086.579] WriteFile (in: hFile=0x33c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x598fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x598fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.581] CloseHandle (hObject=0x33c) returned 1 [0086.581] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sk-SK\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.581] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.581] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.581] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\sk-SK\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\sk-SK\\*.*") returned="\\\\?\\C:\\Boot\\sk-SK\\*.*" [0086.582] lstrlenW (lpString="\\\\?\\C:\\Boot\\sk-SK\\*.*") returned 21 [0086.582] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sk-SK\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui" [0086.582] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui" [0086.582] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.582] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.582] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x598fd28 | out: lpFindFileData=0x598fd28) returned 0 [0086.582] FindClose (in: hFindFile=0x5c8c50 | out: hFindFile=0x5c8c50) returned 1 Thread: id = 48 os_tid = 0xc1c [0086.351] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Config.Msi\\*.*", lpFindFileData=0x5ecfd28 | out: lpFindFileData=0x5ecfd28) returned 0x5c86d0 [0086.351] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.351] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x5ecfd28 | out: lpFindFileData=0x5ecfd28) returned 1 [0086.351] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.351] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.351] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x5ecfd28 | out: lpFindFileData=0x5ecfd28) returned 0 [0086.351] FindClose (in: hFindFile=0x5c86d0 | out: hFindFile=0x5c86d0) returned 1 Thread: id = 49 os_tid = 0x148 [0086.379] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Documents and Settings\\*.*", lpFindFileData=0x600fd28 | out: lpFindFileData=0x600fd28) returned 0xffffffff Thread: id = 50 os_tid = 0x79c [0086.389] FindFirstFileW (in: lpFileName="\\\\?\\C:\\PerfLogs\\*.*", lpFindFileData=0x614fd28 | out: lpFindFileData=0x614fd28) returned 0x5c8b90 [0086.389] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.389] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x614fd28 | out: lpFindFileData=0x614fd28) returned 1 [0086.389] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.389] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.389] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x614fd28 | out: lpFindFileData=0x614fd28) returned 0 [0086.389] FindClose (in: hFindFile=0x5c8b90 | out: hFindFile=0x5c8b90) returned 1 Thread: id = 51 os_tid = 0x4f8 [0086.399] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\*.*", lpFindFileData=0x628fd28 | out: lpFindFileData=0x628fd28) returned 0x5c86d0 [0086.400] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.400] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x628fd28 | out: lpFindFileData=0x628fd28) returned 1 [0086.400] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.400] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.400] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x628fd28 | out: lpFindFileData=0x628fd28) returned 1 [0086.400] lstrcmpW (lpString1=".", lpString2="Common Files") returned -1 [0086.400] lstrcmpW (lpString1="..", lpString2="Common Files") returned -1 [0086.400] lstrcmpiW (lpString1="windows", lpString2="Common Files") returned 1 [0086.400] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0086.400] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0086.400] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Common Files" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files") returned="\\\\?\\C:\\Program Files\\Common Files" [0086.400] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\*.*" [0086.400] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3d40048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x31c [0086.401] CloseHandle (hObject=0x31c) returned 1 [0086.401] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x628fd28 | out: lpFindFileData=0x628fd28) returned 1 [0086.401] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0086.401] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0086.401] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\How To Restore Files.hta" [0086.401] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\How To Restore Files.hta" (normalized: "c:\\program files\\how to restore files.hta")) returned 0xffffffff [0086.401] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\How To Restore Files.hta" (normalized: "c:\\program files\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0086.401] WriteFile (in: hFile=0x31c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x628fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x628fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.402] CloseHandle (hObject=0x31c) returned 1 [0086.403] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.403] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="desktop.ini") returned 1 [0086.403] lstrlenW (lpString="desktop.ini") returned 11 [0086.403] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0086.403] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0086.403] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Program Files\\desktop.ini") returned="\\\\?\\C:\\Program Files\\desktop.ini" [0086.403] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\desktop.ini" | out: lpString1="\\\\?\\C:\\Program Files\\desktop.ini") returned="\\\\?\\C:\\Program Files\\desktop.ini" [0086.403] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\desktop.ini", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\desktop.ini id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" [0086.403] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Program Files\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\desktop.ini id-br3n0g72wub8cejt.lyas")) returned 1 [0086.404] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\desktop.ini id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0086.404] CreateFileMappingA (hFile=0x31c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x32c [0086.404] CryptAcquireContextA (in: phProv=0x628fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x628fce4*=0x5d11c8) returned 1 [0086.405] CryptGenKey (in: hProv=0x5d11c8, Algid=0x6610, dwFlags=0x1, phKey=0x628fce0 | out: phKey=0x628fce0*=0x5c85d0) returned 1 [0086.405] CryptExportKey (in: hKey=0x5c85d0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x628fbdc, pdwDataLen=0x628fcdc | out: pbData=0x628fbdc*, pdwDataLen=0x628fcdc*=0x2c) returned 1 [0086.405] MapViewOfFile (hFileMappingObject=0x32c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa0) returned 0x2f80000 [0086.422] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x628fbdc*, pdwDataLen=0x628fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x628fbdc*, pdwDataLen=0x628fcf0*=0x100) returned 1 [0086.422] CryptEncrypt (in: hKey=0x5c85d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2f80000*, pdwDataLen=0x628fcdc*=0xa0, dwBufLen=0xa0 | out: pbData=0x2f80000*, pdwDataLen=0x628fcdc*=0xa0) returned 1 [0086.422] UnmapViewOfFile (lpBaseAddress=0x2f80000) returned 1 [0086.422] CloseHandle (hObject=0x32c) returned 1 [0086.422] CryptDestroyKey (hKey=0x5c85d0) returned 1 [0086.422] CryptReleaseContext (hProv=0x5d11c8, dwFlags=0x0) returned 1 [0086.422] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.422] WriteFile (in: hFile=0x31c, lpBuffer=0x628fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x628fcf0, lpOverlapped=0x0 | out: lpBuffer=0x628fbdc*, lpNumberOfBytesWritten=0x628fcf0*=0x100, lpOverlapped=0x0) returned 1 [0086.423] WriteFile (in: hFile=0x31c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x628fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x628fcf0*=0x500, lpOverlapped=0x0) returned 1 [0086.597] CloseHandle (hObject=0x31c) returned 1 [0086.603] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\desktop.ini id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0086.604] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x628fd28 | out: lpFindFileData=0x628fd28) returned 1 [0086.604] lstrcmpW (lpString1=".", lpString2="Internet Explorer") returned -1 [0086.604] lstrcmpW (lpString1="..", lpString2="Internet Explorer") returned -1 [0086.604] lstrcmpiW (lpString1="windows", lpString2="Internet Explorer") returned 1 [0086.604] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0086.604] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0086.604] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Internet Explorer" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer") returned="\\\\?\\C:\\Program Files\\Internet Explorer" [0086.605] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0086.605] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5a282c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x31c [0086.605] CloseHandle (hObject=0x31c) returned 1 [0086.605] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x628fd28 | out: lpFindFileData=0x628fd28) returned 1 [0086.605] lstrcmpW (lpString1=".", lpString2="Java") returned -1 [0086.605] lstrcmpW (lpString1="..", lpString2="Java") returned -1 [0086.605] lstrcmpiW (lpString1="windows", lpString2="Java") returned 1 [0086.607] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0086.607] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0086.607] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Java" | out: lpString1="\\\\?\\C:\\Program Files\\Java") returned="\\\\?\\C:\\Program Files\\Java" [0086.608] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\*.*") returned="\\\\?\\C:\\Program Files\\Java\\*.*" [0086.608] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5a984c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x31c [0086.608] CloseHandle (hObject=0x31c) returned 1 [0086.608] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x628fd28 | out: lpFindFileData=0x628fd28) returned 1 [0086.608] lstrcmpW (lpString1=".", lpString2="Microsoft Office") returned -1 [0086.608] lstrcmpW (lpString1="..", lpString2="Microsoft Office") returned -1 [0086.608] lstrcmpiW (lpString1="windows", lpString2="Microsoft Office") returned 1 [0086.609] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0086.609] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0086.609] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Microsoft Office" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office") returned="\\\\?\\C:\\Program Files\\Microsoft Office" [0086.609] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" [0086.609] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5ab0528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x31c [0086.610] CloseHandle (hObject=0x31c) returned 1 [0086.610] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x628fd28 | out: lpFindFileData=0x628fd28) returned 1 [0086.610] lstrcmpW (lpString1=".", lpString2="Microsoft Office 15") returned -1 [0086.610] lstrcmpW (lpString1="..", lpString2="Microsoft Office 15") returned -1 [0086.610] lstrcmpiW (lpString1="windows", lpString2="Microsoft Office 15") returned 1 [0086.614] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0086.614] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0086.614] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Microsoft Office 15" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15") returned="\\\\?\\C:\\Program Files\\Microsoft Office 15" [0086.614] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office 15\\*.*" [0086.614] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2c30118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x31c [0086.615] CloseHandle (hObject=0x31c) returned 1 [0086.615] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x628fd28 | out: lpFindFileData=0x628fd28) returned 1 [0086.615] lstrcmpW (lpString1=".", lpString2="MSBuild") returned -1 [0086.615] lstrcmpW (lpString1="..", lpString2="MSBuild") returned -1 [0086.615] lstrcmpiW (lpString1="windows", lpString2="MSBuild") returned 1 [0086.617] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0086.617] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0086.617] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="MSBuild" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild") returned="\\\\?\\C:\\Program Files\\MSBuild" [0086.617] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\*.*" [0086.617] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2c48180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x31c [0086.618] CloseHandle (hObject=0x31c) returned 1 [0086.618] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x628fd28 | out: lpFindFileData=0x628fd28) returned 1 [0086.618] lstrcmpW (lpString1=".", lpString2="Reference Assemblies") returned -1 [0086.618] lstrcmpW (lpString1="..", lpString2="Reference Assemblies") returned -1 [0086.618] lstrcmpiW (lpString1="windows", lpString2="Reference Assemblies") returned 1 [0086.620] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0086.620] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0086.620] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Reference Assemblies" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies") returned="\\\\?\\C:\\Program Files\\Reference Assemblies" [0086.620] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*" [0086.620] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2c601e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x31c [0086.621] CloseHandle (hObject=0x31c) returned 1 [0086.621] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x628fd28 | out: lpFindFileData=0x628fd28) returned 1 [0086.621] lstrcmpW (lpString1=".", lpString2="Uninstall Information") returned -1 [0086.621] lstrcmpW (lpString1="..", lpString2="Uninstall Information") returned -1 [0086.621] lstrcmpiW (lpString1="windows", lpString2="Uninstall Information") returned 1 [0086.623] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0086.623] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0086.623] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Uninstall Information" | out: lpString1="\\\\?\\C:\\Program Files\\Uninstall Information") returned="\\\\?\\C:\\Program Files\\Uninstall Information" [0086.623] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Uninstall Information", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Uninstall Information\\*.*") returned="\\\\?\\C:\\Program Files\\Uninstall Information\\*.*" [0086.624] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2c78250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x31c [0086.624] CloseHandle (hObject=0x31c) returned 1 [0086.625] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x628fd28 | out: lpFindFileData=0x628fd28) returned 1 [0086.625] lstrcmpW (lpString1=".", lpString2="Windows Defender") returned -1 [0086.625] lstrcmpW (lpString1="..", lpString2="Windows Defender") returned -1 [0086.625] lstrcmpiW (lpString1="windows", lpString2="Windows Defender") returned -1 [0086.629] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0086.629] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0086.629] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Windows Defender" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender") returned="\\\\?\\C:\\Program Files\\Windows Defender" [0086.629] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0086.629] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5b206d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x31c [0086.630] CloseHandle (hObject=0x31c) returned 1 [0086.630] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x628fd28 | out: lpFindFileData=0x628fd28) returned 1 [0086.630] lstrcmpW (lpString1=".", lpString2="Windows Journal") returned -1 [0086.630] lstrcmpW (lpString1="..", lpString2="Windows Journal") returned -1 [0086.630] lstrcmpiW (lpString1="windows", lpString2="Windows Journal") returned -1 [0087.215] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0087.215] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0087.215] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Windows Journal" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal") returned="\\\\?\\C:\\Program Files\\Windows Journal" [0087.215] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0087.215] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5b38740, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x318 [0087.216] CloseHandle (hObject=0x318) returned 1 [0087.216] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x628fd28 | out: lpFindFileData=0x628fd28) returned 1 [0087.216] lstrcmpW (lpString1=".", lpString2="Windows Mail") returned -1 [0087.216] lstrcmpW (lpString1="..", lpString2="Windows Mail") returned -1 [0087.216] lstrcmpiW (lpString1="windows", lpString2="Windows Mail") returned -1 [0087.217] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0087.217] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0087.217] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Windows Mail" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail") returned="\\\\?\\C:\\Program Files\\Windows Mail" [0087.217] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0087.218] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3ef0798, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x318 [0087.219] CloseHandle (hObject=0x318) returned 1 [0087.219] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x628fd28 | out: lpFindFileData=0x628fd28) returned 1 [0087.219] lstrcmpW (lpString1=".", lpString2="Windows Media Player") returned -1 [0087.219] lstrcmpW (lpString1="..", lpString2="Windows Media Player") returned -1 [0087.219] lstrcmpiW (lpString1="windows", lpString2="Windows Media Player") returned -1 [0087.222] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0087.222] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0087.223] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Windows Media Player" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player") returned="\\\\?\\C:\\Program Files\\Windows Media Player" [0087.223] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0087.223] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x64eec0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x318 [0087.223] CloseHandle (hObject=0x318) returned 1 [0087.224] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x628fd28 | out: lpFindFileData=0x628fd28) returned 1 [0087.224] lstrcmpW (lpString1=".", lpString2="Windows Multimedia Platform") returned -1 [0087.224] lstrcmpW (lpString1="..", lpString2="Windows Multimedia Platform") returned -1 [0087.224] lstrcmpiW (lpString1="windows", lpString2="Windows Multimedia Platform") returned -1 [0087.224] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0087.224] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0087.224] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Windows Multimedia Platform" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Multimedia Platform") returned="\\\\?\\C:\\Program Files\\Windows Multimedia Platform" [0087.224] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Multimedia Platform", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\*.*" [0087.224] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3d580b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x318 [0087.225] CloseHandle (hObject=0x318) returned 1 [0087.225] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x628fd28 | out: lpFindFileData=0x628fd28) returned 1 [0087.225] lstrcmpW (lpString1=".", lpString2="Windows NT") returned -1 [0087.225] lstrcmpW (lpString1="..", lpString2="Windows NT") returned -1 [0087.225] lstrcmpiW (lpString1="windows", lpString2="Windows NT") returned -1 [0087.227] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0087.227] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0087.227] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Windows NT" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT") returned="\\\\?\\C:\\Program Files\\Windows NT" [0087.227] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\*.*" [0087.227] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5a40328, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x318 [0087.228] CloseHandle (hObject=0x318) returned 1 [0087.228] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x628fd28 | out: lpFindFileData=0x628fd28) returned 1 [0087.228] lstrcmpW (lpString1=".", lpString2="Windows Photo Viewer") returned -1 [0087.228] lstrcmpW (lpString1="..", lpString2="Windows Photo Viewer") returned -1 [0087.228] lstrcmpiW (lpString1="windows", lpString2="Windows Photo Viewer") returned -1 [0087.230] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0087.230] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0087.230] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Windows Photo Viewer" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer" [0087.230] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0087.230] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5ac8590, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x318 [0087.231] CloseHandle (hObject=0x318) returned 1 [0087.231] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x628fd28 | out: lpFindFileData=0x628fd28) returned 1 [0087.231] lstrcmpW (lpString1=".", lpString2="Windows Portable Devices") returned -1 [0087.232] lstrcmpW (lpString1="..", lpString2="Windows Portable Devices") returned -1 [0087.232] lstrcmpiW (lpString1="windows", lpString2="Windows Portable Devices") returned -1 [0087.234] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0087.234] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0087.234] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Windows Portable Devices" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Portable Devices") returned="\\\\?\\C:\\Program Files\\Windows Portable Devices" [0087.234] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Portable Devices", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Portable Devices\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Portable Devices\\*.*" [0087.235] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5ae05f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x318 [0087.235] CloseHandle (hObject=0x318) returned 1 [0087.235] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x628fd28 | out: lpFindFileData=0x628fd28) returned 1 [0087.235] lstrcmpW (lpString1=".", lpString2="Windows Sidebar") returned -1 [0087.235] lstrcmpW (lpString1="..", lpString2="Windows Sidebar") returned -1 [0087.235] lstrcmpiW (lpString1="windows", lpString2="Windows Sidebar") returned -1 [0087.236] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0087.236] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0087.236] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Windows Sidebar" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar") returned="\\\\?\\C:\\Program Files\\Windows Sidebar" [0087.237] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*" [0087.237] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5af8660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x318 [0087.237] CloseHandle (hObject=0x318) returned 1 [0087.237] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x628fd28 | out: lpFindFileData=0x628fd28) returned 1 [0087.237] lstrcmpW (lpString1=".", lpString2="WindowsApps") returned -1 [0087.237] lstrcmpW (lpString1="..", lpString2="WindowsApps") returned -1 [0087.238] lstrcmpiW (lpString1="windows", lpString2="WindowsApps") returned -1 [0087.239] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0087.239] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0087.240] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="WindowsApps" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps") returned="\\\\?\\C:\\Program Files\\WindowsApps" [0087.240] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0087.240] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3e48070, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x318 [0087.240] CloseHandle (hObject=0x318) returned 1 [0087.240] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x628fd28 | out: lpFindFileData=0x628fd28) returned 1 [0087.241] lstrcmpW (lpString1=".", lpString2="WindowsPowerShell") returned -1 [0087.241] lstrcmpW (lpString1="..", lpString2="WindowsPowerShell") returned -1 [0087.241] lstrcmpiW (lpString1="windows", lpString2="WindowsPowerShell") returned -1 [0087.242] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0087.242] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0087.242] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="WindowsPowerShell" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell" [0087.242] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\*.*" [0087.243] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3e600d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x318 [0087.243] CloseHandle (hObject=0x318) returned 1 [0087.243] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x628fd28 | out: lpFindFileData=0x628fd28) returned 0 [0087.244] FindClose (in: hFindFile=0x5c86d0 | out: hFindFile=0x5c86d0) returned 1 Thread: id = 52 os_tid = 0xde4 [0086.431] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\*.*", lpFindFileData=0x63cfd28 | out: lpFindFileData=0x63cfd28) returned 0x5c8710 [0086.431] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.431] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x63cfd28 | out: lpFindFileData=0x63cfd28) returned 1 [0086.431] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.431] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.431] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x63cfd28 | out: lpFindFileData=0x63cfd28) returned 1 [0086.431] lstrcmpW (lpString1=".", lpString2="Adobe") returned -1 [0086.432] lstrcmpW (lpString1="..", lpString2="Adobe") returned -1 [0086.432] lstrcmpiW (lpString1="windows", lpString2="Adobe") returned 1 [0086.434] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0086.434] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0086.434] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Adobe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe") returned="\\\\?\\C:\\Program Files (x86)\\Adobe" [0086.434] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\*.*" [0086.434] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3d78120, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0086.435] CloseHandle (hObject=0x30c) returned 1 [0086.435] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x63cfd28 | out: lpFindFileData=0x63cfd28) returned 1 [0086.435] lstrcmpW (lpString1=".", lpString2="Common Files") returned -1 [0086.435] lstrcmpW (lpString1="..", lpString2="Common Files") returned -1 [0086.435] lstrcmpiW (lpString1="windows", lpString2="Common Files") returned 1 [0086.437] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0086.437] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0086.437] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Common Files" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files") returned="\\\\?\\C:\\Program Files (x86)\\Common Files" [0086.437] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" [0086.437] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5990048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0086.438] CloseHandle (hObject=0x30c) returned 1 [0086.438] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x63cfd28 | out: lpFindFileData=0x63cfd28) returned 1 [0086.438] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0086.438] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0086.438] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\How To Restore Files.hta" [0086.438] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\how to restore files.hta")) returned 0xffffffff [0086.438] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0086.632] WriteFile (in: hFile=0x31c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x63cfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x63cfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.633] CloseHandle (hObject=0x31c) returned 1 [0086.633] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.635] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="desktop.ini") returned 1 [0086.635] lstrlenW (lpString="desktop.ini") returned 11 [0086.635] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0086.635] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0086.635] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\desktop.ini") returned="\\\\?\\C:\\Program Files (x86)\\desktop.ini" [0086.635] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\desktop.ini" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\desktop.ini") returned="\\\\?\\C:\\Program Files (x86)\\desktop.ini" [0086.635] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\desktop.ini", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\desktop.ini id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" [0086.635] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\desktop.ini" (normalized: "c:\\program files (x86)\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\desktop.ini id-br3n0g72wub8cejt.lyas")) returned 1 [0086.637] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\desktop.ini id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0086.639] CreateFileMappingA (hFile=0x31c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x33c [0086.639] CryptAcquireContextA (in: phProv=0x63cfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x63cfce4*=0x5d11c8) returned 1 [0086.640] CryptGenKey (in: hProv=0x5d11c8, Algid=0x6610, dwFlags=0x1, phKey=0x63cfce0 | out: phKey=0x63cfce0*=0x5c85d0) returned 1 [0086.640] CryptExportKey (in: hKey=0x5c85d0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x63cfbdc, pdwDataLen=0x63cfcdc | out: pbData=0x63cfbdc*, pdwDataLen=0x63cfcdc*=0x2c) returned 1 [0086.640] MapViewOfFile (hFileMappingObject=0x33c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa0) returned 0x4e40000 [0087.290] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x63cfbdc*, pdwDataLen=0x63cfcf0*=0x40, dwBufLen=0x100 | out: pbData=0x63cfbdc*, pdwDataLen=0x63cfcf0*=0x100) returned 1 [0087.291] CryptEncrypt (in: hKey=0x5c85d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4e40000*, pdwDataLen=0x63cfcdc*=0xa0, dwBufLen=0xa0 | out: pbData=0x4e40000*, pdwDataLen=0x63cfcdc*=0xa0) returned 1 [0087.291] UnmapViewOfFile (lpBaseAddress=0x4e40000) returned 1 [0088.009] CloseHandle (hObject=0x33c) returned 1 [0088.010] CryptDestroyKey (hKey=0x5c85d0) returned 1 [0088.010] CryptReleaseContext (hProv=0x5d11c8, dwFlags=0x0) returned 1 [0088.010] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.010] WriteFile (in: hFile=0x31c, lpBuffer=0x63cfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x63cfcf0, lpOverlapped=0x0 | out: lpBuffer=0x63cfbdc*, lpNumberOfBytesWritten=0x63cfcf0*=0x100, lpOverlapped=0x0) returned 1 [0088.010] WriteFile (in: hFile=0x31c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x63cfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x63cfcf0*=0x500, lpOverlapped=0x0) returned 1 [0088.755] CloseHandle (hObject=0x31c) returned 1 [0088.757] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\desktop.ini id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0088.757] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x63cfd28 | out: lpFindFileData=0x63cfd28) returned 1 [0088.757] lstrcmpW (lpString1=".", lpString2="Google") returned -1 [0088.757] lstrcmpW (lpString1="..", lpString2="Google") returned -1 [0088.757] lstrcmpiW (lpString1="windows", lpString2="Google") returned 1 [0088.909] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0088.909] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0088.909] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Google" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google") returned="\\\\?\\C:\\Program Files (x86)\\Google" [0088.909] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\*.*" [0088.909] GlobalMemoryStatus (in: lpBuffer=0x63cfd08 | out: lpBuffer=0x63cfd08) [0088.910] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5af8660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x370 [0088.910] CloseHandle (hObject=0x370) returned 1 [0088.910] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x63cfd28 | out: lpFindFileData=0x63cfd28) returned 1 [0088.910] lstrcmpW (lpString1=".", lpString2="Internet Explorer") returned -1 [0088.910] lstrcmpW (lpString1="..", lpString2="Internet Explorer") returned -1 [0088.910] lstrcmpiW (lpString1="windows", lpString2="Internet Explorer") returned 1 [0088.913] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0088.913] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0088.913] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Internet Explorer" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer" [0088.913] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0088.913] GlobalMemoryStatus (in: lpBuffer=0x63cfd08 | out: lpBuffer=0x63cfd08) [0088.913] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8cd9368, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x370 [0088.914] CloseHandle (hObject=0x370) returned 1 [0088.914] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x63cfd28 | out: lpFindFileData=0x63cfd28) returned 1 [0088.914] lstrcmpW (lpString1=".", lpString2="Microsoft.NET") returned -1 [0088.914] lstrcmpW (lpString1="..", lpString2="Microsoft.NET") returned -1 [0088.914] lstrcmpiW (lpString1="windows", lpString2="Microsoft.NET") returned 1 [0088.916] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0088.916] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0088.916] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Microsoft.NET" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET" [0088.916] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*" [0088.916] GlobalMemoryStatus (in: lpBuffer=0x63cfd08 | out: lpBuffer=0x63cfd08) [0088.916] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8cf13d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x370 [0088.917] CloseHandle (hObject=0x370) returned 1 [0088.917] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x63cfd28 | out: lpFindFileData=0x63cfd28) returned 1 [0088.917] lstrcmpW (lpString1=".", lpString2="Mozilla Firefox") returned -1 [0088.917] lstrcmpW (lpString1="..", lpString2="Mozilla Firefox") returned -1 [0088.917] lstrcmpiW (lpString1="windows", lpString2="Mozilla Firefox") returned 1 [0088.918] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0088.918] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0088.918] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Mozilla Firefox" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox" [0088.918] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" [0088.918] GlobalMemoryStatus (in: lpBuffer=0x63cfd08 | out: lpBuffer=0x63cfd08) [0088.918] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8d09438, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x370 [0088.922] CloseHandle (hObject=0x370) returned 1 [0088.922] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x63cfd28 | out: lpFindFileData=0x63cfd28) returned 1 [0088.922] lstrcmpW (lpString1=".", lpString2="Mozilla Maintenance Service") returned -1 [0088.922] lstrcmpW (lpString1="..", lpString2="Mozilla Maintenance Service") returned -1 [0088.922] lstrcmpiW (lpString1="windows", lpString2="Mozilla Maintenance Service") returned 1 [0088.924] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0088.924] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0088.924] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Mozilla Maintenance Service" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service" [0088.924] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*" [0088.924] GlobalMemoryStatus (in: lpBuffer=0x63cfd08 | out: lpBuffer=0x63cfd08) [0088.925] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8d214a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x370 [0088.926] CloseHandle (hObject=0x370) returned 1 [0088.926] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x63cfd28 | out: lpFindFileData=0x63cfd28) returned 1 [0088.926] lstrcmpW (lpString1=".", lpString2="MSBuild") returned -1 [0088.926] lstrcmpW (lpString1="..", lpString2="MSBuild") returned -1 [0088.926] lstrcmpiW (lpString1="windows", lpString2="MSBuild") returned 1 [0088.928] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0088.928] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0088.928] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="MSBuild" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild" [0088.928] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\*.*" [0088.928] GlobalMemoryStatus (in: lpBuffer=0x63cfd08 | out: lpBuffer=0x63cfd08) [0088.929] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8d39508, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x370 [0088.929] CloseHandle (hObject=0x370) returned 1 [0088.929] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x63cfd28 | out: lpFindFileData=0x63cfd28) returned 1 [0088.929] lstrcmpW (lpString1=".", lpString2="Reference Assemblies") returned -1 [0088.929] lstrcmpW (lpString1="..", lpString2="Reference Assemblies") returned -1 [0088.929] lstrcmpiW (lpString1="windows", lpString2="Reference Assemblies") returned 1 [0088.932] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0088.932] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0088.932] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Reference Assemblies" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies" [0088.932] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\*.*" [0088.932] GlobalMemoryStatus (in: lpBuffer=0x63cfd08 | out: lpBuffer=0x63cfd08) [0088.932] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8d51570, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x370 [0088.933] CloseHandle (hObject=0x370) returned 1 [0088.933] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x63cfd28 | out: lpFindFileData=0x63cfd28) returned 1 [0088.933] lstrcmpW (lpString1=".", lpString2="Windows Defender") returned -1 [0088.933] lstrcmpW (lpString1="..", lpString2="Windows Defender") returned -1 [0088.933] lstrcmpiW (lpString1="windows", lpString2="Windows Defender") returned -1 [0088.938] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0088.939] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0088.939] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Windows Defender" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender" [0088.939] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0088.939] GlobalMemoryStatus (in: lpBuffer=0x63cfd08 | out: lpBuffer=0x63cfd08) [0088.939] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8d695d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x370 [0088.939] CloseHandle (hObject=0x370) returned 1 [0088.939] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x63cfd28 | out: lpFindFileData=0x63cfd28) returned 1 [0088.939] lstrcmpW (lpString1=".", lpString2="Windows Mail") returned -1 [0088.940] lstrcmpW (lpString1="..", lpString2="Windows Mail") returned -1 [0088.940] lstrcmpiW (lpString1="windows", lpString2="Windows Mail") returned -1 [0088.942] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0088.942] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0088.942] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Windows Mail" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail" [0088.942] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0088.942] GlobalMemoryStatus (in: lpBuffer=0x63cfd08 | out: lpBuffer=0x63cfd08) [0088.942] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8d81640, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x370 [0088.943] CloseHandle (hObject=0x370) returned 1 [0088.943] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x63cfd28 | out: lpFindFileData=0x63cfd28) returned 1 [0088.943] lstrcmpW (lpString1=".", lpString2="Windows Media Player") returned -1 [0088.943] lstrcmpW (lpString1="..", lpString2="Windows Media Player") returned -1 [0088.943] lstrcmpiW (lpString1="windows", lpString2="Windows Media Player") returned -1 [0088.945] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0088.945] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0088.945] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Windows Media Player" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player" [0088.945] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0088.945] GlobalMemoryStatus (in: lpBuffer=0x63cfd08 | out: lpBuffer=0x63cfd08) [0088.945] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8d996a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x370 [0088.946] CloseHandle (hObject=0x370) returned 1 [0088.946] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x63cfd28 | out: lpFindFileData=0x63cfd28) returned 1 [0088.946] lstrcmpW (lpString1=".", lpString2="Windows Multimedia Platform") returned -1 [0088.946] lstrcmpW (lpString1="..", lpString2="Windows Multimedia Platform") returned -1 [0088.946] lstrcmpiW (lpString1="windows", lpString2="Windows Multimedia Platform") returned -1 [0088.948] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0088.948] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0088.948] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Windows Multimedia Platform" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform") returned="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform" [0088.948] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\*.*" [0088.948] GlobalMemoryStatus (in: lpBuffer=0x63cfd08 | out: lpBuffer=0x63cfd08) [0088.948] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8db1710, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x370 [0088.949] CloseHandle (hObject=0x370) returned 1 [0088.949] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x63cfd28 | out: lpFindFileData=0x63cfd28) returned 1 [0088.949] lstrcmpW (lpString1=".", lpString2="Windows NT") returned -1 [0088.949] lstrcmpW (lpString1="..", lpString2="Windows NT") returned -1 [0088.949] lstrcmpiW (lpString1="windows", lpString2="Windows NT") returned -1 [0088.952] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0088.952] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0088.952] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Windows NT" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT" [0088.952] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*" [0088.952] GlobalMemoryStatus (in: lpBuffer=0x63cfd08 | out: lpBuffer=0x63cfd08) [0088.952] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8dc9778, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x370 [0088.953] CloseHandle (hObject=0x370) returned 1 [0088.953] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x63cfd28 | out: lpFindFileData=0x63cfd28) returned 1 [0088.953] lstrcmpW (lpString1=".", lpString2="Windows Photo Viewer") returned -1 [0088.953] lstrcmpW (lpString1="..", lpString2="Windows Photo Viewer") returned -1 [0088.953] lstrcmpiW (lpString1="windows", lpString2="Windows Photo Viewer") returned -1 [0088.955] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0088.955] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0088.955] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Windows Photo Viewer" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer" [0088.955] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0088.955] GlobalMemoryStatus (in: lpBuffer=0x63cfd08 | out: lpBuffer=0x63cfd08) [0088.955] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8de17e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x370 [0088.956] CloseHandle (hObject=0x370) returned 1 [0088.956] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x63cfd28 | out: lpFindFileData=0x63cfd28) returned 1 [0088.956] lstrcmpW (lpString1=".", lpString2="Windows Portable Devices") returned -1 [0088.956] lstrcmpW (lpString1="..", lpString2="Windows Portable Devices") returned -1 [0088.956] lstrcmpiW (lpString1="windows", lpString2="Windows Portable Devices") returned -1 [0088.958] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0088.958] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0088.958] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Windows Portable Devices" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices" [0088.959] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*" [0088.959] GlobalMemoryStatus (in: lpBuffer=0x63cfd08 | out: lpBuffer=0x63cfd08) [0088.959] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8df9848, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x370 [0088.959] CloseHandle (hObject=0x370) returned 1 [0088.959] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x63cfd28 | out: lpFindFileData=0x63cfd28) returned 1 [0088.959] lstrcmpW (lpString1=".", lpString2="Windows Sidebar") returned -1 [0088.960] lstrcmpW (lpString1="..", lpString2="Windows Sidebar") returned -1 [0088.960] lstrcmpiW (lpString1="windows", lpString2="Windows Sidebar") returned -1 [0088.962] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0088.962] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0088.962] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Windows Sidebar" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar" [0088.962] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" [0088.962] GlobalMemoryStatus (in: lpBuffer=0x63cfd08 | out: lpBuffer=0x63cfd08) [0088.962] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8e118b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x370 [0088.963] CloseHandle (hObject=0x370) returned 1 [0088.963] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x63cfd28 | out: lpFindFileData=0x63cfd28) returned 1 [0088.963] lstrcmpW (lpString1=".", lpString2="WindowsPowerShell") returned -1 [0088.963] lstrcmpW (lpString1="..", lpString2="WindowsPowerShell") returned -1 [0088.963] lstrcmpiW (lpString1="windows", lpString2="WindowsPowerShell") returned -1 [0088.965] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0088.965] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0088.965] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="WindowsPowerShell" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell" [0088.965] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\*.*" [0088.965] GlobalMemoryStatus (in: lpBuffer=0x63cfd08 | out: lpBuffer=0x63cfd08) [0088.966] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8e29918, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x370 [0088.970] CloseHandle (hObject=0x370) returned 1 [0088.970] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x63cfd28 | out: lpFindFileData=0x63cfd28) returned 0 [0088.970] FindClose (in: hFindFile=0x5c8710 | out: hFindFile=0x5c8710) returned 1 Thread: id = 53 os_tid = 0xde0 [0086.440] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\*.*", lpFindFileData=0x650fd28 | out: lpFindFileData=0x650fd28) returned 0x5c8750 [0086.440] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.440] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x650fd28 | out: lpFindFileData=0x650fd28) returned 1 [0086.440] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.440] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.440] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x650fd28 | out: lpFindFileData=0x650fd28) returned 1 [0086.440] lstrcmpW (lpString1=".", lpString2="Adobe") returned -1 [0086.440] lstrcmpW (lpString1="..", lpString2="Adobe") returned -1 [0086.440] lstrcmpiW (lpString1="windows", lpString2="Adobe") returned 1 [0086.441] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0086.441] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0086.442] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="Adobe" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe") returned="\\\\?\\C:\\ProgramData\\Adobe" [0086.442] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\*.*" [0086.442] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x59a80b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0086.442] CloseHandle (hObject=0x308) returned 1 [0086.442] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x650fd28 | out: lpFindFileData=0x650fd28) returned 1 [0086.442] lstrcmpW (lpString1=".", lpString2="Application Data") returned -1 [0086.442] lstrcmpW (lpString1="..", lpString2="Application Data") returned -1 [0086.442] lstrcmpiW (lpString1="windows", lpString2="Application Data") returned 1 [0086.443] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0086.443] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0086.443] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="Application Data" | out: lpString1="\\\\?\\C:\\ProgramData\\Application Data") returned="\\\\?\\C:\\ProgramData\\Application Data" [0086.443] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Application Data", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Application Data\\*.*") returned="\\\\?\\C:\\ProgramData\\Application Data\\*.*" [0086.443] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x59c0118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0086.444] CloseHandle (hObject=0x308) returned 1 [0086.444] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x650fd28 | out: lpFindFileData=0x650fd28) returned 1 [0086.444] lstrcmpW (lpString1=".", lpString2="Comms") returned -1 [0086.444] lstrcmpW (lpString1="..", lpString2="Comms") returned -1 [0086.444] lstrcmpiW (lpString1="windows", lpString2="Comms") returned 1 [0086.447] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0086.447] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0086.447] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="Comms" | out: lpString1="\\\\?\\C:\\ProgramData\\Comms") returned="\\\\?\\C:\\ProgramData\\Comms" [0086.447] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Comms", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Comms\\*.*") returned="\\\\?\\C:\\ProgramData\\Comms\\*.*" [0086.447] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5ded18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0086.448] CloseHandle (hObject=0x308) returned 1 [0086.448] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x650fd28 | out: lpFindFileData=0x650fd28) returned 1 [0086.448] lstrcmpW (lpString1=".", lpString2="Desktop") returned -1 [0086.448] lstrcmpW (lpString1="..", lpString2="Desktop") returned -1 [0086.448] lstrcmpiW (lpString1="windows", lpString2="Desktop") returned 1 [0086.449] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0086.449] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0086.449] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="Desktop" | out: lpString1="\\\\?\\C:\\ProgramData\\Desktop") returned="\\\\?\\C:\\ProgramData\\Desktop" [0086.449] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Desktop", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Desktop\\*.*") returned="\\\\?\\C:\\ProgramData\\Desktop\\*.*" [0086.449] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5f6d80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0086.450] CloseHandle (hObject=0x308) returned 1 [0086.450] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x650fd28 | out: lpFindFileData=0x650fd28) returned 1 [0086.450] lstrcmpW (lpString1=".", lpString2="Documents") returned -1 [0086.450] lstrcmpW (lpString1="..", lpString2="Documents") returned -1 [0086.450] lstrcmpiW (lpString1="windows", lpString2="Documents") returned 1 [0086.451] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0086.451] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0086.451] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="Documents" | out: lpString1="\\\\?\\C:\\ProgramData\\Documents") returned="\\\\?\\C:\\ProgramData\\Documents" [0086.452] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Documents", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Documents\\*.*") returned="\\\\?\\C:\\ProgramData\\Documents\\*.*" [0086.452] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x60ede8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0086.452] CloseHandle (hObject=0x308) returned 1 [0086.452] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x650fd28 | out: lpFindFileData=0x650fd28) returned 1 [0086.452] lstrcmpW (lpString1=".", lpString2="Microsoft") returned -1 [0086.452] lstrcmpW (lpString1="..", lpString2="Microsoft") returned -1 [0086.452] lstrcmpiW (lpString1="windows", lpString2="Microsoft") returned 1 [0086.456] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0086.456] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0086.456] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="Microsoft" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft") returned="\\\\?\\C:\\ProgramData\\Microsoft" [0086.456] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0086.456] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2ca8008, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0086.456] CloseHandle (hObject=0x308) returned 1 [0086.456] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x650fd28 | out: lpFindFileData=0x650fd28) returned 1 [0086.457] lstrcmpW (lpString1=".", lpString2="Microsoft OneDrive") returned -1 [0086.457] lstrcmpW (lpString1="..", lpString2="Microsoft OneDrive") returned -1 [0086.457] lstrcmpiW (lpString1="windows", lpString2="Microsoft OneDrive") returned 1 [0086.458] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0086.458] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0086.458] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="Microsoft OneDrive" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive") returned="\\\\?\\C:\\ProgramData\\Microsoft OneDrive" [0086.458] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\*.*" [0086.458] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2cc0070, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0086.458] CloseHandle (hObject=0x308) returned 1 [0086.459] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x650fd28 | out: lpFindFileData=0x650fd28) returned 1 [0086.459] lstrcmpW (lpString1=".", lpString2="Oracle") returned -1 [0086.459] lstrcmpW (lpString1="..", lpString2="Oracle") returned -1 [0086.459] lstrcmpiW (lpString1="windows", lpString2="Oracle") returned 1 [0086.460] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0086.460] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0086.460] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="Oracle" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle") returned="\\\\?\\C:\\ProgramData\\Oracle" [0086.460] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\*.*") returned="\\\\?\\C:\\ProgramData\\Oracle\\*.*" [0086.460] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2cd80d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0086.460] CloseHandle (hObject=0x308) returned 1 [0086.460] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x650fd28 | out: lpFindFileData=0x650fd28) returned 1 [0086.460] lstrcmpW (lpString1=".", lpString2="Package Cache") returned -1 [0086.460] lstrcmpW (lpString1="..", lpString2="Package Cache") returned -1 [0086.460] lstrcmpiW (lpString1="windows", lpString2="Package Cache") returned 1 [0086.462] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0086.462] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0086.462] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="Package Cache" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache") returned="\\\\?\\C:\\ProgramData\\Package Cache" [0086.462] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0086.462] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3d90188, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0086.463] CloseHandle (hObject=0x308) returned 1 [0086.463] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x650fd28 | out: lpFindFileData=0x650fd28) returned 1 [0086.463] lstrcmpW (lpString1=".", lpString2="regid.1991-06.com.microsoft") returned -1 [0086.463] lstrcmpW (lpString1="..", lpString2="regid.1991-06.com.microsoft") returned -1 [0086.463] lstrcmpiW (lpString1="windows", lpString2="regid.1991-06.com.microsoft") returned 1 [0086.464] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0086.464] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0086.464] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="regid.1991-06.com.microsoft" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft" [0086.465] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*" [0086.465] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3da81f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0086.465] CloseHandle (hObject=0x308) returned 1 [0086.465] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x650fd28 | out: lpFindFileData=0x650fd28) returned 1 [0086.465] lstrcmpW (lpString1=".", lpString2="SoftwareDistribution") returned -1 [0086.465] lstrcmpW (lpString1="..", lpString2="SoftwareDistribution") returned -1 [0086.465] lstrcmpiW (lpString1="windows", lpString2="SoftwareDistribution") returned 1 [0086.467] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0086.467] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0086.467] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="SoftwareDistribution" | out: lpString1="\\\\?\\C:\\ProgramData\\SoftwareDistribution") returned="\\\\?\\C:\\ProgramData\\SoftwareDistribution" [0086.467] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\SoftwareDistribution", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\SoftwareDistribution\\*.*") returned="\\\\?\\C:\\ProgramData\\SoftwareDistribution\\*.*" [0086.467] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3dc0258, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0086.468] CloseHandle (hObject=0x308) returned 1 [0086.468] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x650fd28 | out: lpFindFileData=0x650fd28) returned 1 [0086.468] lstrcmpW (lpString1=".", lpString2="Start Menu") returned -1 [0086.468] lstrcmpW (lpString1="..", lpString2="Start Menu") returned -1 [0086.468] lstrcmpiW (lpString1="windows", lpString2="Start Menu") returned 1 [0086.470] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0086.470] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0086.470] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="Start Menu" | out: lpString1="\\\\?\\C:\\ProgramData\\Start Menu") returned="\\\\?\\C:\\ProgramData\\Start Menu" [0086.470] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Start Menu", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Start Menu\\*.*") returned="\\\\?\\C:\\ProgramData\\Start Menu\\*.*" [0086.470] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3dd82c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0086.472] CloseHandle (hObject=0x308) returned 1 [0086.472] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x650fd28 | out: lpFindFileData=0x650fd28) returned 1 [0086.472] lstrcmpW (lpString1=".", lpString2="Templates") returned -1 [0086.472] lstrcmpW (lpString1="..", lpString2="Templates") returned -1 [0086.472] lstrcmpiW (lpString1="windows", lpString2="Templates") returned 1 [0086.474] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0086.474] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0086.474] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="Templates" | out: lpString1="\\\\?\\C:\\ProgramData\\Templates") returned="\\\\?\\C:\\ProgramData\\Templates" [0086.474] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Templates", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Templates\\*.*") returned="\\\\?\\C:\\ProgramData\\Templates\\*.*" [0086.474] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3df0328, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0086.474] CloseHandle (hObject=0x308) returned 1 [0086.475] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x650fd28 | out: lpFindFileData=0x650fd28) returned 1 [0086.475] lstrcmpW (lpString1=".", lpString2="USOPrivate") returned -1 [0086.475] lstrcmpW (lpString1="..", lpString2="USOPrivate") returned -1 [0086.475] lstrcmpiW (lpString1="windows", lpString2="USOPrivate") returned 1 [0086.477] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0086.477] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0086.477] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="USOPrivate" | out: lpString1="\\\\?\\C:\\ProgramData\\USOPrivate") returned="\\\\?\\C:\\ProgramData\\USOPrivate" [0086.477] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOPrivate", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOPrivate\\*.*") returned="\\\\?\\C:\\ProgramData\\USOPrivate\\*.*" [0086.477] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2c00048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0086.478] CloseHandle (hObject=0x308) returned 1 [0086.478] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x650fd28 | out: lpFindFileData=0x650fd28) returned 1 [0086.478] lstrcmpW (lpString1=".", lpString2="USOShared") returned -1 [0086.478] lstrcmpW (lpString1="..", lpString2="USOShared") returned -1 [0086.478] lstrcmpiW (lpString1="windows", lpString2="USOShared") returned 1 [0086.479] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0086.480] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0086.480] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="USOShared" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared") returned="\\\\?\\C:\\ProgramData\\USOShared" [0086.480] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\*.*") returned="\\\\?\\C:\\ProgramData\\USOShared\\*.*" [0086.480] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2c180b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0086.480] CloseHandle (hObject=0x308) returned 1 [0086.480] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x650fd28 | out: lpFindFileData=0x650fd28) returned 0 [0086.480] FindClose (in: hFindFile=0x5c8750 | out: hFindFile=0x5c8750) returned 1 Thread: id = 54 os_tid = 0xdd0 [0086.481] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Recovery\\*.*", lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 0x5c8750 [0086.481] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.481] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0086.481] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.481] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.481] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0086.481] lstrcmpW (lpString1=".", lpString2="WindowsRE") returned -1 [0086.481] lstrcmpW (lpString1="..", lpString2="WindowsRE") returned -1 [0086.481] lstrcmpiW (lpString1="windows", lpString2="WindowsRE") returned -1 [0086.481] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Recovery\\*.*" | out: lpString1="\\\\?\\C:\\Recovery\\*.*") returned="\\\\?\\C:\\Recovery\\*.*" [0086.481] lstrlenW (lpString="\\\\?\\C:\\Recovery\\*.*") returned 19 [0086.481] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery\\", lpString2="WindowsRE" | out: lpString1="\\\\?\\C:\\Recovery\\WindowsRE") returned="\\\\?\\C:\\Recovery\\WindowsRE" [0086.482] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery\\WindowsRE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Recovery\\WindowsRE\\*.*") returned="\\\\?\\C:\\Recovery\\WindowsRE\\*.*" [0086.482] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5a08250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0086.482] CloseHandle (hObject=0x308) returned 1 [0086.482] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 0 [0086.482] FindClose (in: hFindFile=0x5c8750 | out: hFindFile=0x5c8750) returned 1 Thread: id = 55 os_tid = 0xdd8 [0086.486] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sl-SI\\*.*", lpFindFileData=0x678fd28 | out: lpFindFileData=0x678fd28) returned 0x5c89d0 [0086.493] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.493] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x678fd28 | out: lpFindFileData=0x678fd28) returned 1 [0086.493] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.493] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.493] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x678fd28 | out: lpFindFileData=0x678fd28) returned 1 [0086.494] lstrcpyW (in: lpString1=0x2cf0140, lpString2="\\\\?\\C:\\Boot\\sl-SI\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\sl-SI\\*.*") returned="\\\\?\\C:\\Boot\\sl-SI\\*.*" [0086.494] lstrlenW (lpString="\\\\?\\C:\\Boot\\sl-SI\\*.*") returned 21 [0086.494] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sl-SI\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\sl-SI\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\sl-SI\\How To Restore Files.hta" [0086.494] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sl-SI\\How To Restore Files.hta" (normalized: "c:\\boot\\sl-si\\how to restore files.hta")) returned 0xffffffff [0086.494] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sl-SI\\How To Restore Files.hta" (normalized: "c:\\boot\\sl-si\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0086.495] WriteFile (in: hFile=0x308, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x678fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x678fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.496] CloseHandle (hObject=0x308) returned 1 [0086.497] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sl-SI\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.498] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.498] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.498] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\sl-SI\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\sl-SI\\*.*") returned="\\\\?\\C:\\Boot\\sl-SI\\*.*" [0086.498] lstrlenW (lpString="\\\\?\\C:\\Boot\\sl-SI\\*.*") returned 21 [0086.498] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sl-SI\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui" [0086.498] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui" [0086.498] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.498] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.499] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x678fd28 | out: lpFindFileData=0x678fd28) returned 0 [0086.499] FindClose (in: hFindFile=0x5c89d0 | out: hFindFile=0x5c89d0) returned 1 Thread: id = 56 os_tid = 0xddc [0086.486] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\*.*", lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 0x5c8a50 [0086.534] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.534] FindNextFileW (in: hFindFile=0x5c8a50, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0086.534] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.534] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.534] FindNextFileW (in: hFindFile=0x5c8a50, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0086.534] lstrcpyW (in: lpString1=0x5b186d0, lpString2="\\\\?\\C:\\Boot\\sr-Latn-CS\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS\\*.*") returned="\\\\?\\C:\\Boot\\sr-Latn-CS\\*.*" [0086.534] lstrlenW (lpString="\\\\?\\C:\\Boot\\sr-Latn-CS\\*.*") returned 26 [0086.534] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\sr-Latn-CS\\How To Restore Files.hta" [0086.534] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\How To Restore Files.hta" (normalized: "c:\\boot\\sr-latn-cs\\how to restore files.hta")) returned 0xffffffff [0086.534] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\How To Restore Files.hta" (normalized: "c:\\boot\\sr-latn-cs\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0086.855] WriteFile (in: hFile=0x2a8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x68cfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x68cfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.862] CloseHandle (hObject=0x2a8) returned 1 [0086.911] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.911] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.911] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.911] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\sr-Latn-CS\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS\\*.*") returned="\\\\?\\C:\\Boot\\sr-Latn-CS\\*.*" [0086.911] lstrlenW (lpString="\\\\?\\C:\\Boot\\sr-Latn-CS\\*.*") returned 26 [0086.911] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" [0086.911] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" [0086.911] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.911] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.912] FindNextFileW (in: hFindFile=0x5c8a50, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0086.912] lstrcpyW (in: lpString1=0x5b186d0, lpString2="\\\\?\\C:\\Boot\\sr-Latn-CS\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS\\*.*") returned="\\\\?\\C:\\Boot\\sr-Latn-CS\\*.*" [0086.912] lstrlenW (lpString="\\\\?\\C:\\Boot\\sr-Latn-CS\\*.*") returned 26 [0086.912] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\sr-Latn-CS\\How To Restore Files.hta" [0086.912] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\How To Restore Files.hta" (normalized: "c:\\boot\\sr-latn-cs\\how to restore files.hta")) returned 0x1 [0086.912] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.912] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.912] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\sr-Latn-CS\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS\\*.*") returned="\\\\?\\C:\\Boot\\sr-Latn-CS\\*.*" [0086.912] lstrlenW (lpString="\\\\?\\C:\\Boot\\sr-Latn-CS\\*.*") returned 26 [0086.912] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui" [0086.912] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui" [0086.912] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.912] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.913] FindNextFileW (in: hFindFile=0x5c8a50, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 0 [0086.913] FindClose (in: hFindFile=0x5c8a50 | out: hFindFile=0x5c8a50) returned 1 Thread: id = 57 os_tid = 0xdec [0086.487] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sr-Latn-RS\\*.*", lpFindFileData=0x6a0fd28 | out: lpFindFileData=0x6a0fd28) returned 0x5c87d0 [0086.529] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.529] FindNextFileW (in: hFindFile=0x5c87d0, lpFindFileData=0x6a0fd28 | out: lpFindFileData=0x6a0fd28) returned 1 [0086.529] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.529] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.529] FindNextFileW (in: hFindFile=0x5c87d0, lpFindFileData=0x6a0fd28 | out: lpFindFileData=0x6a0fd28) returned 1 [0086.530] lstrcpyW (in: lpString1=0x5b186d0, lpString2="\\\\?\\C:\\Boot\\sr-Latn-RS\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-RS\\*.*") returned="\\\\?\\C:\\Boot\\sr-Latn-RS\\*.*" [0086.530] lstrlenW (lpString="\\\\?\\C:\\Boot\\sr-Latn-RS\\*.*") returned 26 [0086.530] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sr-Latn-RS\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-RS\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\sr-Latn-RS\\How To Restore Files.hta" [0086.530] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-RS\\How To Restore Files.hta" (normalized: "c:\\boot\\sr-latn-rs\\how to restore files.hta")) returned 0xffffffff [0086.530] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-RS\\How To Restore Files.hta" (normalized: "c:\\boot\\sr-latn-rs\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0086.530] WriteFile (in: hFile=0x304, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x6a0fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x6a0fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.531] CloseHandle (hObject=0x304) returned 1 [0086.532] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-RS\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.532] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.532] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.532] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\sr-Latn-RS\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-RS\\*.*") returned="\\\\?\\C:\\Boot\\sr-Latn-RS\\*.*" [0086.532] lstrlenW (lpString="\\\\?\\C:\\Boot\\sr-Latn-RS\\*.*") returned 26 [0086.532] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sr-Latn-RS\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" [0086.532] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" [0086.532] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.532] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.533] FindNextFileW (in: hFindFile=0x5c87d0, lpFindFileData=0x6a0fd28 | out: lpFindFileData=0x6a0fd28) returned 0 [0086.533] FindClose (in: hFindFile=0x5c87d0 | out: hFindFile=0x5c87d0) returned 1 Thread: id = 58 os_tid = 0xdd4 [0086.487] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sv-SE\\*.*", lpFindFileData=0x6b4fd28 | out: lpFindFileData=0x6b4fd28) returned 0x5c89d0 [0086.527] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.527] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x6b4fd28 | out: lpFindFileData=0x6b4fd28) returned 1 [0086.527] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.527] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.527] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x6b4fd28 | out: lpFindFileData=0x6b4fd28) returned 1 [0086.528] lstrcpyW (in: lpString1=0x5b106c8, lpString2="\\\\?\\C:\\Boot\\sv-SE\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE\\*.*") returned="\\\\?\\C:\\Boot\\sv-SE\\*.*" [0086.528] lstrlenW (lpString="\\\\?\\C:\\Boot\\sv-SE\\*.*") returned 21 [0086.528] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sv-SE\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\sv-SE\\How To Restore Files.hta" [0086.528] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\How To Restore Files.hta" (normalized: "c:\\boot\\sv-se\\how to restore files.hta")) returned 0xffffffff [0086.528] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\How To Restore Files.hta" (normalized: "c:\\boot\\sv-se\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x34c [0086.856] WriteFile (in: hFile=0x34c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x6b4fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x6b4fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.861] CloseHandle (hObject=0x34c) returned 1 [0086.914] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.915] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.915] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.915] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\sv-SE\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE\\*.*") returned="\\\\?\\C:\\Boot\\sv-SE\\*.*" [0086.915] lstrlenW (lpString="\\\\?\\C:\\Boot\\sv-SE\\*.*") returned 21 [0086.915] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sv-SE\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui" [0086.915] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui" [0086.915] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.915] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.915] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x6b4fd28 | out: lpFindFileData=0x6b4fd28) returned 1 [0086.916] lstrcpyW (in: lpString1=0x3d70118, lpString2="\\\\?\\C:\\Boot\\sv-SE\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE\\*.*") returned="\\\\?\\C:\\Boot\\sv-SE\\*.*" [0086.916] lstrlenW (lpString="\\\\?\\C:\\Boot\\sv-SE\\*.*") returned 21 [0086.916] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sv-SE\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\sv-SE\\How To Restore Files.hta" [0086.916] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\How To Restore Files.hta" (normalized: "c:\\boot\\sv-se\\how to restore files.hta")) returned 0x1 [0086.916] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.916] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.916] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\sv-SE\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE\\*.*") returned="\\\\?\\C:\\Boot\\sv-SE\\*.*" [0086.916] lstrlenW (lpString="\\\\?\\C:\\Boot\\sv-SE\\*.*") returned 21 [0086.916] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sv-SE\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui" [0086.916] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui" [0086.916] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.916] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.916] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x6b4fd28 | out: lpFindFileData=0x6b4fd28) returned 0 [0086.917] FindClose (in: hFindFile=0x5c89d0 | out: hFindFile=0x5c89d0) returned 1 Thread: id = 59 os_tid = 0xdcc [0086.488] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\tr-TR\\*.*", lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 0x5c89d0 [0086.509] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.509] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0086.509] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.509] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.510] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0086.510] lstrcpyW (in: lpString1=0x5b106c8, lpString2="\\\\?\\C:\\Boot\\tr-TR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR\\*.*") returned="\\\\?\\C:\\Boot\\tr-TR\\*.*" [0086.510] lstrlenW (lpString="\\\\?\\C:\\Boot\\tr-TR\\*.*") returned 21 [0086.510] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\tr-TR\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\tr-TR\\How To Restore Files.hta" [0086.510] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\How To Restore Files.hta" (normalized: "c:\\boot\\tr-tr\\how to restore files.hta")) returned 0xffffffff [0086.510] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\How To Restore Files.hta" (normalized: "c:\\boot\\tr-tr\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0086.515] WriteFile (in: hFile=0x2e4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x6c8fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x6c8fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.516] CloseHandle (hObject=0x2e4) returned 1 [0086.517] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.518] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.518] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.518] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\tr-TR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR\\*.*") returned="\\\\?\\C:\\Boot\\tr-TR\\*.*" [0086.518] lstrlenW (lpString="\\\\?\\C:\\Boot\\tr-TR\\*.*") returned 21 [0086.518] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\tr-TR\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui" [0086.519] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui" [0086.519] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.519] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.519] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0086.519] lstrcpyW (in: lpString1=0x5b106c8, lpString2="\\\\?\\C:\\Boot\\tr-TR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR\\*.*") returned="\\\\?\\C:\\Boot\\tr-TR\\*.*" [0086.519] lstrlenW (lpString="\\\\?\\C:\\Boot\\tr-TR\\*.*") returned 21 [0086.519] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\tr-TR\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\tr-TR\\How To Restore Files.hta" [0086.519] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\How To Restore Files.hta" (normalized: "c:\\boot\\tr-tr\\how to restore files.hta")) returned 0x1 [0086.519] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.519] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.519] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\tr-TR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR\\*.*") returned="\\\\?\\C:\\Boot\\tr-TR\\*.*" [0086.519] lstrlenW (lpString="\\\\?\\C:\\Boot\\tr-TR\\*.*") returned 21 [0086.520] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\tr-TR\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui" [0086.520] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui" [0086.520] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.520] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.520] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 0 [0086.520] FindClose (in: hFindFile=0x5c89d0 | out: hFindFile=0x5c89d0) returned 1 Thread: id = 60 os_tid = 0xe20 [0086.488] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\uk-UA\\*.*", lpFindFileData=0x6dcfd28 | out: lpFindFileData=0x6dcfd28) returned 0x5c89d0 [0086.504] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.504] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x6dcfd28 | out: lpFindFileData=0x6dcfd28) returned 1 [0086.504] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.504] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.504] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x6dcfd28 | out: lpFindFileData=0x6dcfd28) returned 1 [0086.505] lstrcpyW (in: lpString1=0x5b106c8, lpString2="\\\\?\\C:\\Boot\\uk-UA\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\uk-UA\\*.*") returned="\\\\?\\C:\\Boot\\uk-UA\\*.*" [0086.505] lstrlenW (lpString="\\\\?\\C:\\Boot\\uk-UA\\*.*") returned 21 [0086.505] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\uk-UA\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\uk-UA\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\uk-UA\\How To Restore Files.hta" [0086.505] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\uk-UA\\How To Restore Files.hta" (normalized: "c:\\boot\\uk-ua\\how to restore files.hta")) returned 0xffffffff [0086.505] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\uk-UA\\How To Restore Files.hta" (normalized: "c:\\boot\\uk-ua\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0086.506] WriteFile (in: hFile=0x2e4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x6dcfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x6dcfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.507] CloseHandle (hObject=0x2e4) returned 1 [0086.507] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\uk-UA\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.508] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.508] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.508] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\uk-UA\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\uk-UA\\*.*") returned="\\\\?\\C:\\Boot\\uk-UA\\*.*" [0086.508] lstrlenW (lpString="\\\\?\\C:\\Boot\\uk-UA\\*.*") returned 21 [0086.508] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\uk-UA\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui" [0086.508] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui" [0086.508] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.508] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.508] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x6dcfd28 | out: lpFindFileData=0x6dcfd28) returned 0 [0086.508] FindClose (in: hFindFile=0x5c89d0 | out: hFindFile=0x5c89d0) returned 1 Thread: id = 61 os_tid = 0xe00 [0086.488] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-CN\\*.*", lpFindFileData=0x6f0fd28 | out: lpFindFileData=0x6f0fd28) returned 0x5c8750 [0086.500] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.500] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x6f0fd28 | out: lpFindFileData=0x6f0fd28) returned 1 [0086.500] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.500] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.500] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x6f0fd28 | out: lpFindFileData=0x6f0fd28) returned 1 [0086.500] lstrcpyW (in: lpString1=0x2cf0140, lpString2="\\\\?\\C:\\Boot\\zh-CN\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN\\*.*") returned="\\\\?\\C:\\Boot\\zh-CN\\*.*" [0086.500] lstrlenW (lpString="\\\\?\\C:\\Boot\\zh-CN\\*.*") returned 21 [0086.500] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-CN\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\zh-CN\\How To Restore Files.hta" [0086.500] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\How To Restore Files.hta" (normalized: "c:\\boot\\zh-cn\\how to restore files.hta")) returned 0xffffffff [0086.500] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\How To Restore Files.hta" (normalized: "c:\\boot\\zh-cn\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0086.856] WriteFile (in: hFile=0x354, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x6f0fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x6f0fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.859] CloseHandle (hObject=0x354) returned 1 [0086.921] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.922] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.922] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.922] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\zh-CN\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN\\*.*") returned="\\\\?\\C:\\Boot\\zh-CN\\*.*" [0086.922] lstrlenW (lpString="\\\\?\\C:\\Boot\\zh-CN\\*.*") returned 21 [0086.922] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-CN\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui" [0086.922] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui" [0086.922] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.922] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.923] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x6f0fd28 | out: lpFindFileData=0x6f0fd28) returned 1 [0086.923] lstrcpyW (in: lpString1=0x3d70118, lpString2="\\\\?\\C:\\Boot\\zh-CN\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN\\*.*") returned="\\\\?\\C:\\Boot\\zh-CN\\*.*" [0086.923] lstrlenW (lpString="\\\\?\\C:\\Boot\\zh-CN\\*.*") returned 21 [0086.923] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-CN\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\zh-CN\\How To Restore Files.hta" [0086.924] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\How To Restore Files.hta" (normalized: "c:\\boot\\zh-cn\\how to restore files.hta")) returned 0x1 [0086.924] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.924] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.924] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\zh-CN\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN\\*.*") returned="\\\\?\\C:\\Boot\\zh-CN\\*.*" [0086.924] lstrlenW (lpString="\\\\?\\C:\\Boot\\zh-CN\\*.*") returned 21 [0086.924] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-CN\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui" [0086.924] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui" [0086.924] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.924] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.924] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x6f0fd28 | out: lpFindFileData=0x6f0fd28) returned 0 [0086.924] FindClose (in: hFindFile=0x5c8750 | out: hFindFile=0x5c8750) returned 1 Thread: id = 62 os_tid = 0x8a4 [0086.489] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-HK\\*.*", lpFindFileData=0x704fd28 | out: lpFindFileData=0x704fd28) returned 0x5c8a90 [0086.576] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.577] FindNextFileW (in: hFindFile=0x5c8a90, lpFindFileData=0x704fd28 | out: lpFindFileData=0x704fd28) returned 1 [0086.577] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.577] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.577] FindNextFileW (in: hFindFile=0x5c8a90, lpFindFileData=0x704fd28 | out: lpFindFileData=0x704fd28) returned 1 [0086.577] lstrcpyW (in: lpString1=0x3d70118, lpString2="\\\\?\\C:\\Boot\\zh-HK\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK\\*.*") returned="\\\\?\\C:\\Boot\\zh-HK\\*.*" [0086.577] lstrlenW (lpString="\\\\?\\C:\\Boot\\zh-HK\\*.*") returned 21 [0086.577] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-HK\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\zh-HK\\How To Restore Files.hta" [0086.577] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\How To Restore Files.hta" (normalized: "c:\\boot\\zh-hk\\how to restore files.hta")) returned 0xffffffff [0086.577] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\How To Restore Files.hta" (normalized: "c:\\boot\\zh-hk\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0086.854] WriteFile (in: hFile=0x320, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x704fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x704fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.869] CloseHandle (hObject=0x320) returned 1 [0086.876] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.876] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.876] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.877] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\zh-HK\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK\\*.*") returned="\\\\?\\C:\\Boot\\zh-HK\\*.*" [0086.877] lstrlenW (lpString="\\\\?\\C:\\Boot\\zh-HK\\*.*") returned 21 [0086.877] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-HK\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui" [0086.877] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui" [0086.877] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.877] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.877] FindNextFileW (in: hFindFile=0x5c8a90, lpFindFileData=0x704fd28 | out: lpFindFileData=0x704fd28) returned 1 [0086.877] lstrcpyW (in: lpString1=0x3d70118, lpString2="\\\\?\\C:\\Boot\\zh-HK\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK\\*.*") returned="\\\\?\\C:\\Boot\\zh-HK\\*.*" [0086.877] lstrlenW (lpString="\\\\?\\C:\\Boot\\zh-HK\\*.*") returned 21 [0086.877] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-HK\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\zh-HK\\How To Restore Files.hta" [0086.877] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\How To Restore Files.hta" (normalized: "c:\\boot\\zh-hk\\how to restore files.hta")) returned 0x1 [0086.877] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.877] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.877] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\zh-HK\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK\\*.*") returned="\\\\?\\C:\\Boot\\zh-HK\\*.*" [0086.877] lstrlenW (lpString="\\\\?\\C:\\Boot\\zh-HK\\*.*") returned 21 [0086.877] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-HK\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui" [0086.877] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui" [0086.877] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.878] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.878] FindNextFileW (in: hFindFile=0x5c8a90, lpFindFileData=0x704fd28 | out: lpFindFileData=0x704fd28) returned 0 [0086.878] FindClose (in: hFindFile=0x5c8a90 | out: hFindFile=0x5c8a90) returned 1 Thread: id = 63 os_tid = 0x618 [0086.584] FindFirstFileW (in: lpFileName="\\\\?\\C:\\System Volume Information\\*.*", lpFindFileData=0x718fd28 | out: lpFindFileData=0x718fd28) returned 0xffffffff Thread: id = 64 os_tid = 0x784 [0086.588] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\*.*", lpFindFileData=0x72cfd28 | out: lpFindFileData=0x72cfd28) returned 0x5c8c50 [0086.588] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.588] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x72cfd28 | out: lpFindFileData=0x72cfd28) returned 1 [0086.588] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.588] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.588] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x72cfd28 | out: lpFindFileData=0x72cfd28) returned 1 [0086.588] lstrcmpW (lpString1=".", lpString2="All Users") returned -1 [0086.588] lstrcmpW (lpString1="..", lpString2="All Users") returned -1 [0086.588] lstrcmpiW (lpString1="windows", lpString2="All Users") returned 1 [0086.588] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\*.*") returned="\\\\?\\C:\\Users\\*.*" [0086.588] lstrlenW (lpString="\\\\?\\C:\\Users\\*.*") returned 16 [0086.588] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\", lpString2="All Users" | out: lpString1="\\\\?\\C:\\Users\\All Users") returned="\\\\?\\C:\\Users\\All Users" [0086.588] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0086.588] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3f08800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x33c [0086.589] CloseHandle (hObject=0x33c) returned 1 [0086.589] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x72cfd28 | out: lpFindFileData=0x72cfd28) returned 1 [0086.589] lstrcmpW (lpString1=".", lpString2="CIiHmnxMn6Ps") returned -1 [0086.589] lstrcmpW (lpString1="..", lpString2="CIiHmnxMn6Ps") returned -1 [0086.589] lstrcmpiW (lpString1="windows", lpString2="CIiHmnxMn6Ps") returned 1 [0086.589] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\*.*") returned="\\\\?\\C:\\Users\\*.*" [0086.589] lstrlenW (lpString="\\\\?\\C:\\Users\\*.*") returned 16 [0086.589] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\", lpString2="CIiHmnxMn6Ps" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps" [0086.589] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0086.589] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5a683f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x33c [0086.590] CloseHandle (hObject=0x33c) returned 1 [0086.590] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x72cfd28 | out: lpFindFileData=0x72cfd28) returned 1 [0086.590] lstrcmpW (lpString1=".", lpString2="Default") returned -1 [0086.590] lstrcmpW (lpString1="..", lpString2="Default") returned -1 [0086.591] lstrcmpiW (lpString1="windows", lpString2="Default") returned 1 [0086.592] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\*.*") returned="\\\\?\\C:\\Users\\*.*" [0086.592] lstrlenW (lpString="\\\\?\\C:\\Users\\*.*") returned 16 [0086.592] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\", lpString2="Default" | out: lpString1="\\\\?\\C:\\Users\\Default") returned="\\\\?\\C:\\Users\\Default" [0086.592] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0086.592] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x636e58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x33c [0086.593] CloseHandle (hObject=0x33c) returned 1 [0086.593] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x72cfd28 | out: lpFindFileData=0x72cfd28) returned 1 [0086.593] lstrcmpW (lpString1=".", lpString2="Default User") returned -1 [0086.593] lstrcmpW (lpString1="..", lpString2="Default User") returned -1 [0086.593] lstrcmpiW (lpString1="windows", lpString2="Default User") returned 1 [0086.593] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\*.*") returned="\\\\?\\C:\\Users\\*.*" [0086.593] lstrlenW (lpString="\\\\?\\C:\\Users\\*.*") returned 16 [0086.593] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\", lpString2="Default User" | out: lpString1="\\\\?\\C:\\Users\\Default User") returned="\\\\?\\C:\\Users\\Default User" [0086.593] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default User", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default User\\*.*") returned="\\\\?\\C:\\Users\\Default User\\*.*" [0086.593] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3e30008, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x33c [0086.594] CloseHandle (hObject=0x33c) returned 1 [0086.594] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x72cfd28 | out: lpFindFileData=0x72cfd28) returned 1 [0086.594] lstrcpyW (in: lpString1=0x5a202b8, lpString2="\\\\?\\C:\\Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\*.*") returned="\\\\?\\C:\\Users\\*.*" [0086.594] lstrlenW (lpString="\\\\?\\C:\\Users\\*.*") returned 16 [0086.594] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\How To Restore Files.hta" [0086.595] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\How To Restore Files.hta" (normalized: "c:\\users\\how to restore files.hta")) returned 0xffffffff [0086.595] CreateFileW (lpFileName="\\\\?\\C:\\Users\\How To Restore Files.hta" (normalized: "c:\\users\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0086.834] WriteFile (in: hFile=0x324, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x72cfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x72cfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.835] CloseHandle (hObject=0x324) returned 1 [0086.835] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.836] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="desktop.ini") returned 1 [0086.836] lstrlenW (lpString="desktop.ini") returned 11 [0086.836] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\*.*") returned="\\\\?\\C:\\Users\\*.*" [0086.836] lstrlenW (lpString="\\\\?\\C:\\Users\\*.*") returned 16 [0086.836] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\desktop.ini") returned="\\\\?\\C:\\Users\\desktop.ini" [0086.836] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\desktop.ini") returned="\\\\?\\C:\\Users\\desktop.ini" [0086.836] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\desktop.ini", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\desktop.ini id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" [0086.836] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\desktop.ini" (normalized: "c:\\users\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\desktop.ini id-br3n0g72wub8cejt.lyas")) returned 1 [0086.837] CreateFileW (lpFileName="\\\\?\\C:\\Users\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\desktop.ini id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0086.842] CreateFileMappingA (hFile=0x324, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x320 [0086.842] CryptAcquireContextA (in: phProv=0x72cfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x72cfce4*=0x5d18b0) returned 1 [0086.843] CryptGenKey (in: hProv=0x5d18b0, Algid=0x6610, dwFlags=0x1, phKey=0x72cfce0 | out: phKey=0x72cfce0*=0x5c8c90) returned 1 [0086.843] CryptExportKey (in: hKey=0x5c8c90, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x72cfbdc, pdwDataLen=0x72cfcdc | out: pbData=0x72cfbdc*, pdwDataLen=0x72cfcdc*=0x2c) returned 1 [0086.843] MapViewOfFile (hFileMappingObject=0x320, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa0) returned 0x6650000 [0086.846] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x72cfbdc*, pdwDataLen=0x72cfcf0*=0x40, dwBufLen=0x100 | out: pbData=0x72cfbdc*, pdwDataLen=0x72cfcf0*=0x100) returned 1 [0086.846] CryptEncrypt (in: hKey=0x5c8c90, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x6650000*, pdwDataLen=0x72cfcdc*=0xa0, dwBufLen=0xa0 | out: pbData=0x6650000*, pdwDataLen=0x72cfcdc*=0xa0) returned 1 [0086.846] UnmapViewOfFile (lpBaseAddress=0x6650000) returned 1 [0086.846] CloseHandle (hObject=0x320) returned 1 [0086.846] CryptDestroyKey (hKey=0x5c8c90) returned 1 [0086.846] CryptReleaseContext (hProv=0x5d18b0, dwFlags=0x0) returned 1 [0086.846] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.846] WriteFile (in: hFile=0x324, lpBuffer=0x72cfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x72cfcf0, lpOverlapped=0x0 | out: lpBuffer=0x72cfbdc*, lpNumberOfBytesWritten=0x72cfcf0*=0x100, lpOverlapped=0x0) returned 1 [0086.847] WriteFile (in: hFile=0x324, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x72cfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x72cfcf0*=0x500, lpOverlapped=0x0) returned 1 [0086.871] CloseHandle (hObject=0x324) returned 1 [0086.928] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\desktop.ini id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0086.929] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x72cfd28 | out: lpFindFileData=0x72cfd28) returned 1 [0086.929] lstrcmpW (lpString1=".", lpString2="Public") returned -1 [0086.929] lstrcmpW (lpString1="..", lpString2="Public") returned -1 [0086.929] lstrcmpiW (lpString1="windows", lpString2="Public") returned 1 [0086.930] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\*.*") returned="\\\\?\\C:\\Users\\*.*" [0086.930] lstrlenW (lpString="\\\\?\\C:\\Users\\*.*") returned 16 [0086.930] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\", lpString2="Public" | out: lpString1="\\\\?\\C:\\Users\\Public") returned="\\\\?\\C:\\Users\\Public" [0086.930] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*.*") returned="\\\\?\\C:\\Users\\Public\\*.*" [0086.930] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5a80458, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x358 [0086.931] CloseHandle (hObject=0x358) returned 1 [0086.931] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x72cfd28 | out: lpFindFileData=0x72cfd28) returned 0 [0086.931] FindClose (in: hFindFile=0x5c8c50 | out: hFindFile=0x5c8c50) returned 1 Thread: id = 65 os_tid = 0xe1c [0086.596] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-TW\\*.*", lpFindFileData=0x740fd28 | out: lpFindFileData=0x740fd28) returned 0x5c8c90 [0086.869] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.869] FindNextFileW (in: hFindFile=0x5c8c90, lpFindFileData=0x740fd28 | out: lpFindFileData=0x740fd28) returned 1 [0086.869] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0086.869] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.869] FindNextFileW (in: hFindFile=0x5c8c90, lpFindFileData=0x740fd28 | out: lpFindFileData=0x740fd28) returned 1 [0086.869] lstrcpyW (in: lpString1=0x5a202b8, lpString2="\\\\?\\C:\\Boot\\zh-TW\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW\\*.*") returned="\\\\?\\C:\\Boot\\zh-TW\\*.*" [0086.869] lstrlenW (lpString="\\\\?\\C:\\Boot\\zh-TW\\*.*") returned 21 [0086.869] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-TW\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\zh-TW\\How To Restore Files.hta" [0086.869] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\How To Restore Files.hta" (normalized: "c:\\boot\\zh-tw\\how to restore files.hta")) returned 0xffffffff [0086.869] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\How To Restore Files.hta" (normalized: "c:\\boot\\zh-tw\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0086.933] WriteFile (in: hFile=0x2e8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x740fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x740fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0086.934] CloseHandle (hObject=0x2e8) returned 1 [0086.934] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0086.935] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootmgr.exe.mui") returned 1 [0086.935] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0086.935] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\zh-TW\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW\\*.*") returned="\\\\?\\C:\\Boot\\zh-TW\\*.*" [0086.935] lstrlenW (lpString="\\\\?\\C:\\Boot\\zh-TW\\*.*") returned 21 [0086.935] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-TW\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui" [0086.935] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui" [0086.935] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.935] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.936] FindNextFileW (in: hFindFile=0x5c8c90, lpFindFileData=0x740fd28 | out: lpFindFileData=0x740fd28) returned 1 [0086.936] lstrcpyW (in: lpString1=0x5a202b8, lpString2="\\\\?\\C:\\Boot\\zh-TW\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW\\*.*") returned="\\\\?\\C:\\Boot\\zh-TW\\*.*" [0086.936] lstrlenW (lpString="\\\\?\\C:\\Boot\\zh-TW\\*.*") returned 21 [0086.936] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-TW\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\zh-TW\\How To Restore Files.hta" [0086.936] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\How To Restore Files.hta" (normalized: "c:\\boot\\zh-tw\\how to restore files.hta")) returned 0x1 [0086.936] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="memtest.exe.mui") returned -1 [0086.936] lstrlenW (lpString="memtest.exe.mui") returned 15 [0086.936] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\zh-TW\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW\\*.*") returned="\\\\?\\C:\\Boot\\zh-TW\\*.*" [0086.936] lstrlenW (lpString="\\\\?\\C:\\Boot\\zh-TW\\*.*") returned 21 [0086.936] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-TW\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui" [0086.936] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui" [0086.936] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0086.936] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0086.937] FindNextFileW (in: hFindFile=0x5c8c90, lpFindFileData=0x740fd28 | out: lpFindFileData=0x740fd28) returned 0 [0086.937] FindClose (in: hFindFile=0x5c8c90 | out: hFindFile=0x5c8c90) returned 1 Thread: id = 68 os_tid = 0xe48 [0088.260] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\*.*", lpFindFileData=0x2f7fd28 | out: lpFindFileData=0x2f7fd28) returned 0x5c89d0 [0088.260] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.260] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x2f7fd28 | out: lpFindFileData=0x2f7fd28) returned 1 [0088.260] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0088.260] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.260] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x2f7fd28 | out: lpFindFileData=0x2f7fd28) returned 1 [0088.260] lstrcmpW (lpString1=".", lpString2="DESIGNER") returned -1 [0088.260] lstrcmpW (lpString1="..", lpString2="DESIGNER") returned -1 [0088.260] lstrcmpiW (lpString1="windows", lpString2="DESIGNER") returned 1 [0088.260] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\*.*" [0088.260] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\*.*") returned 37 [0088.260] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\", lpString2="DESIGNER" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER") returned="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER" [0088.260] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*.*" [0088.261] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x59d8180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0088.262] CloseHandle (hObject=0x320) returned 1 [0088.262] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x2f7fd28 | out: lpFindFileData=0x2f7fd28) returned 1 [0088.262] lstrcmpW (lpString1=".", lpString2="microsoft shared") returned -1 [0088.262] lstrcmpW (lpString1="..", lpString2="microsoft shared") returned -1 [0088.262] lstrcmpiW (lpString1="windows", lpString2="microsoft shared") returned 1 [0088.265] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\*.*" [0088.265] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\*.*") returned 37 [0088.265] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\", lpString2="microsoft shared" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared" [0088.265] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" [0088.265] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3e78140, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0088.266] CloseHandle (hObject=0x320) returned 1 [0088.266] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x2f7fd28 | out: lpFindFileData=0x2f7fd28) returned 1 [0088.266] lstrcmpW (lpString1=".", lpString2="Services") returned -1 [0088.266] lstrcmpW (lpString1="..", lpString2="Services") returned -1 [0088.266] lstrcmpiW (lpString1="windows", lpString2="Services") returned 1 [0088.268] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\*.*" [0088.268] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\*.*") returned 37 [0088.268] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\", lpString2="Services" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services") returned="\\\\?\\C:\\Program Files\\Common Files\\Services" [0088.268] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Services\\*.*" [0088.268] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3e901a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0088.269] CloseHandle (hObject=0x320) returned 1 [0088.269] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x2f7fd28 | out: lpFindFileData=0x2f7fd28) returned 1 [0088.269] lstrcmpW (lpString1=".", lpString2="System") returned -1 [0088.269] lstrcmpW (lpString1="..", lpString2="System") returned -1 [0088.269] lstrcmpiW (lpString1="windows", lpString2="System") returned 1 [0088.271] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\*.*" [0088.271] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\*.*") returned 37 [0088.271] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\", lpString2="System" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System") returned="\\\\?\\C:\\Program Files\\Common Files\\System" [0088.271] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" [0088.271] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3ea8210, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0088.272] CloseHandle (hObject=0x320) returned 1 [0088.272] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x2f7fd28 | out: lpFindFileData=0x2f7fd28) returned 0 [0088.272] FindClose (in: hFindFile=0x5c89d0 | out: hFindFile=0x5c89d0) returned 1 Thread: id = 69 os_tid = 0xe68 [0088.273] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\*.*", lpFindFileData=0x30bfd28 | out: lpFindFileData=0x30bfd28) returned 0x5c89d0 [0088.273] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.273] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x30bfd28 | out: lpFindFileData=0x30bfd28) returned 1 [0088.273] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0088.273] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.273] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x30bfd28 | out: lpFindFileData=0x30bfd28) returned 1 [0088.273] lstrcmpW (lpString1=".", lpString2="Acrobat Reader DC") returned -1 [0088.273] lstrcmpW (lpString1="..", lpString2="Acrobat Reader DC") returned -1 [0088.274] lstrcmpiW (lpString1="windows", lpString2="Acrobat Reader DC") returned 1 [0088.274] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\*.*" [0088.274] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\*.*") returned 36 [0088.274] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\", lpString2="Acrobat Reader DC" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC" [0088.274] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*" [0088.274] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3d40048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0088.274] CloseHandle (hObject=0x320) returned 1 [0088.274] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x30bfd28 | out: lpFindFileData=0x30bfd28) returned 0 [0088.274] FindClose (in: hFindFile=0x5c89d0 | out: hFindFile=0x5c89d0) returned 1 Thread: id = 70 os_tid = 0xe6c [0088.275] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*", lpFindFileData=0x31ffd28 | out: lpFindFileData=0x31ffd28) returned 0x5c89d0 [0088.276] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.276] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x31ffd28 | out: lpFindFileData=0x31ffd28) returned 1 [0088.276] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0088.276] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.276] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x31ffd28 | out: lpFindFileData=0x31ffd28) returned 1 [0088.276] lstrcmpW (lpString1=".", lpString2="Adobe") returned -1 [0088.276] lstrcmpW (lpString1="..", lpString2="Adobe") returned -1 [0088.276] lstrcmpiW (lpString1="windows", lpString2="Adobe") returned 1 [0088.276] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" [0088.276] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned 43 [0088.276] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\", lpString2="Adobe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe" [0088.277] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*" [0088.277] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3d70118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0088.277] CloseHandle (hObject=0x320) returned 1 [0088.277] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x31ffd28 | out: lpFindFileData=0x31ffd28) returned 1 [0088.277] lstrcpyW (in: lpString1=0x3d88180, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" [0088.277] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned 43 [0088.277] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\How To Restore Files.hta" [0088.277] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\how to restore files.hta")) returned 0xffffffff [0088.278] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0088.285] WriteFile (in: hFile=0x320, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x31ffcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x31ffcf0*=0x38e, lpOverlapped=0x0) returned 1 [0088.286] CloseHandle (hObject=0x320) returned 1 [0088.287] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0088.287] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="extensiveadvertisement.exe") returned 1 [0088.287] lstrlenW (lpString="extensiveadvertisement.exe") returned 26 [0088.287] lstrcmpiW (lpString1=".LyaS", lpString2="t.exe") returned -1 [0088.287] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" [0088.287] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned 43 [0088.288] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\", lpString2="extensiveadvertisement.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\extensiveadvertisement.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\extensiveadvertisement.exe" [0088.288] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\extensiveadvertisement.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\extensiveadvertisement.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\extensiveadvertisement.exe" [0088.288] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\extensiveadvertisement.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\extensiveadvertisement.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\extensiveadvertisement.exe id-Br3n0G72wUb8CejT.LyaS" [0088.288] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\extensiveadvertisement.exe" (normalized: "c:\\program files (x86)\\common files\\extensiveadvertisement.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\extensiveadvertisement.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\extensiveadvertisement.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0088.288] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\extensiveadvertisement.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\extensiveadvertisement.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0088.289] CreateFileMappingA (hFile=0x320, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x2e8 [0088.289] CryptAcquireContextA (in: phProv=0x31ffce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x31ffce4*=0x5d1a48) returned 1 [0088.290] CryptGenKey (in: hProv=0x5d1a48, Algid=0x6610, dwFlags=0x1, phKey=0x31ffce0 | out: phKey=0x31ffce0*=0x5c8910) returned 1 [0088.290] CryptExportKey (in: hKey=0x5c8910, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x31ffbdc, pdwDataLen=0x31ffcdc | out: pbData=0x31ffbdc*, pdwDataLen=0x31ffcdc*=0x2c) returned 1 [0088.290] MapViewOfFile (hFileMappingObject=0x2e8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12600) returned 0x3340000 [0088.305] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31ffbdc*, pdwDataLen=0x31ffcf0*=0x40, dwBufLen=0x100 | out: pbData=0x31ffbdc*, pdwDataLen=0x31ffcf0*=0x100) returned 1 [0088.305] CryptEncrypt (in: hKey=0x5c8910, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3340000, pdwDataLen=0x31ffcdc*=0x12600, dwBufLen=0x12600 | out: pbData=0x3340000*, pdwDataLen=0x31ffcdc*=0x12600) returned 1 [0088.306] UnmapViewOfFile (lpBaseAddress=0x3340000) returned 1 [0088.307] CloseHandle (hObject=0x2e8) returned 1 [0088.307] CryptDestroyKey (hKey=0x5c8910) returned 1 [0088.307] CryptReleaseContext (hProv=0x5d1a48, dwFlags=0x0) returned 1 [0088.307] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.308] WriteFile (in: hFile=0x320, lpBuffer=0x31ffbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x31ffcf0, lpOverlapped=0x0 | out: lpBuffer=0x31ffbdc*, lpNumberOfBytesWritten=0x31ffcf0*=0x100, lpOverlapped=0x0) returned 1 [0088.308] WriteFile (in: hFile=0x320, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x31ffcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x31ffcf0*=0x500, lpOverlapped=0x0) returned 1 [0088.308] CloseHandle (hObject=0x320) returned 1 [0088.325] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\extensiveadvertisement.exe id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0088.326] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x31ffd28 | out: lpFindFileData=0x31ffd28) returned 1 [0088.326] lstrcmpW (lpString1=".", lpString2="Java") returned -1 [0088.326] lstrcmpW (lpString1="..", lpString2="Java") returned -1 [0088.326] lstrcmpiW (lpString1="windows", lpString2="Java") returned 1 [0088.326] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" [0088.326] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned 43 [0088.326] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\", lpString2="Java" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java" [0088.326] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\*.*" [0088.326] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x59c0118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0088.327] CloseHandle (hObject=0x320) returned 1 [0088.327] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x31ffd28 | out: lpFindFileData=0x31ffd28) returned 1 [0088.327] lstrcmpW (lpString1=".", lpString2="Microsoft Shared") returned -1 [0088.327] lstrcmpW (lpString1="..", lpString2="Microsoft Shared") returned -1 [0088.327] lstrcmpiW (lpString1="windows", lpString2="Microsoft Shared") returned 1 [0088.330] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" [0088.330] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned 43 [0088.330] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\", lpString2="Microsoft Shared" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared" [0088.330] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*" [0088.330] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5b507a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0088.331] CloseHandle (hObject=0x320) returned 1 [0088.331] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x31ffd28 | out: lpFindFileData=0x31ffd28) returned 1 [0088.331] lstrcmpW (lpString1=".", lpString2="Services") returned -1 [0088.331] lstrcmpW (lpString1="..", lpString2="Services") returned -1 [0088.331] lstrcmpiW (lpString1="windows", lpString2="Services") returned 1 [0088.335] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" [0088.335] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned 43 [0088.335] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\", lpString2="Services" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services" [0088.335] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\*.*" [0088.335] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5b68810, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0088.336] CloseHandle (hObject=0x320) returned 1 [0088.336] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x31ffd28 | out: lpFindFileData=0x31ffd28) returned 1 [0088.336] lstrcmpW (lpString1=".", lpString2="System") returned -1 [0088.336] lstrcmpW (lpString1="..", lpString2="System") returned -1 [0088.336] lstrcmpiW (lpString1="windows", lpString2="System") returned 1 [0088.339] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" [0088.339] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned 43 [0088.339] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\", lpString2="System" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System" [0088.339] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" [0088.339] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5b80878, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0088.340] CloseHandle (hObject=0x320) returned 1 [0088.340] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x31ffd28 | out: lpFindFileData=0x31ffd28) returned 0 [0088.340] FindClose (in: hFindFile=0x5c89d0 | out: hFindFile=0x5c89d0) returned 1 Thread: id = 71 os_tid = 0xe70 [0088.278] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\*.*", lpFindFileData=0x333fd28 | out: lpFindFileData=0x333fd28) returned 0x5c8a90 [0088.394] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.394] FindNextFileW (in: hFindFile=0x5c8a90, lpFindFileData=0x333fd28 | out: lpFindFileData=0x333fd28) returned 1 [0088.394] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0088.394] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.394] FindNextFileW (in: hFindFile=0x5c8a90, lpFindFileData=0x333fd28 | out: lpFindFileData=0x333fd28) returned 1 [0088.394] lstrcmpW (lpString1=".", lpString2="ARM") returned -1 [0088.394] lstrcmpW (lpString1="..", lpString2="ARM") returned -1 [0088.394] lstrcmpiW (lpString1="windows", lpString2="ARM") returned 1 [0089.038] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\*.*" [0089.038] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\*.*") returned 28 [0089.038] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\", lpString2="ARM" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM" [0089.038] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*" [0089.038] GlobalMemoryStatus (in: lpBuffer=0x333fd08 | out: lpBuffer=0x333fd08) [0089.038] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2ca8008, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x33c [0089.039] CloseHandle (hObject=0x33c) returned 1 [0089.039] FindNextFileW (in: hFindFile=0x5c8a90, lpFindFileData=0x333fd28 | out: lpFindFileData=0x333fd28) returned 0 [0089.039] FindClose (in: hFindFile=0x5c8a90 | out: hFindFile=0x5c8a90) returned 1 Thread: id = 72 os_tid = 0xe74 [0088.279] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Application Data\\*.*", lpFindFileData=0x347fd28 | out: lpFindFileData=0x347fd28) returned 0xffffffff Thread: id = 73 os_tid = 0xdf4 [0088.285] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Comms\\*.*", lpFindFileData=0x35bfd28 | out: lpFindFileData=0x35bfd28) returned 0x5c8f10 [0088.418] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.418] FindNextFileW (in: hFindFile=0x5c8f10, lpFindFileData=0x35bfd28 | out: lpFindFileData=0x35bfd28) returned 1 [0088.488] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0088.488] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.488] FindNextFileW (in: hFindFile=0x5c8f10, lpFindFileData=0x35bfd28 | out: lpFindFileData=0x35bfd28) returned 0 [0088.488] FindClose (in: hFindFile=0x5c8f10 | out: hFindFile=0x5c8f10) returned 1 Thread: id = 74 os_tid = 0x518 [0088.340] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Desktop\\*.*", lpFindFileData=0x36ffd28 | out: lpFindFileData=0x36ffd28) returned 0xffffffff Thread: id = 75 os_tid = 0xdf0 [0088.346] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Documents\\*.*", lpFindFileData=0x383fd28 | out: lpFindFileData=0x383fd28) returned 0xffffffff Thread: id = 76 os_tid = 0xdf8 [0088.346] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\*.*", lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 0x5c89d0 [0088.347] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.347] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0088.347] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0088.347] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.347] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0088.347] lstrcmpW (lpString1=".", lpString2="ClickToRun") returned -1 [0088.347] lstrcmpW (lpString1="..", lpString2="ClickToRun") returned -1 [0088.347] lstrcmpiW (lpString1="windows", lpString2="ClickToRun") returned 1 [0088.347] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0088.347] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0088.347] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="ClickToRun" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun" [0088.347] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" [0088.348] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5f6d80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0088.348] CloseHandle (hObject=0x320) returned 1 [0088.348] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0088.348] lstrcmpW (lpString1=".", lpString2="Crypto") returned -1 [0088.348] lstrcmpW (lpString1="..", lpString2="Crypto") returned -1 [0088.348] lstrcmpiW (lpString1="windows", lpString2="Crypto") returned 1 [0088.349] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0088.349] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0088.349] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="Crypto" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto" [0088.349] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*" [0088.349] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5990048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0088.350] CloseHandle (hObject=0x320) returned 1 [0088.350] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0088.350] lstrcmpW (lpString1=".", lpString2="DataMart") returned -1 [0088.350] lstrcmpW (lpString1="..", lpString2="DataMart") returned -1 [0088.350] lstrcmpiW (lpString1="windows", lpString2="DataMart") returned 1 [0088.352] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0088.352] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0088.352] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="DataMart" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart" [0088.352] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\*.*" [0088.352] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5b988e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0088.353] CloseHandle (hObject=0x320) returned 1 [0088.353] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0088.353] lstrcmpW (lpString1=".", lpString2="Device Stage") returned -1 [0088.353] lstrcmpW (lpString1="..", lpString2="Device Stage") returned -1 [0088.353] lstrcmpiW (lpString1="windows", lpString2="Device Stage") returned 1 [0088.355] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0088.355] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0088.355] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="Device Stage" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage" [0088.355] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*.*" [0088.355] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5bb0948, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0088.356] CloseHandle (hObject=0x320) returned 1 [0088.356] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0088.356] lstrcmpW (lpString1=".", lpString2="DeviceSync") returned -1 [0088.356] lstrcmpW (lpString1="..", lpString2="DeviceSync") returned -1 [0088.356] lstrcmpiW (lpString1="windows", lpString2="DeviceSync") returned 1 [0088.365] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0088.365] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0088.365] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="DeviceSync" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync" [0088.365] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*.*" [0088.365] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5bc89b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0088.366] CloseHandle (hObject=0x320) returned 1 [0088.366] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0088.366] lstrcmpW (lpString1=".", lpString2="Diagnosis") returned -1 [0088.366] lstrcmpW (lpString1="..", lpString2="Diagnosis") returned -1 [0088.366] lstrcmpiW (lpString1="windows", lpString2="Diagnosis") returned 1 [0088.368] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0088.368] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0088.368] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="Diagnosis" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis" [0088.368] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" [0088.368] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5be0a18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0088.369] CloseHandle (hObject=0x320) returned 1 [0088.369] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0088.369] lstrcmpW (lpString1=".", lpString2="DRM") returned -1 [0088.369] lstrcmpW (lpString1="..", lpString2="DRM") returned -1 [0088.369] lstrcmpiW (lpString1="windows", lpString2="DRM") returned 1 [0088.374] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0088.374] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0088.374] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="DRM" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DRM" [0088.374] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*.*" [0088.374] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5bf8a80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0088.375] CloseHandle (hObject=0x320) returned 1 [0088.375] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0088.375] lstrcmpW (lpString1=".", lpString2="Event Viewer") returned -1 [0088.375] lstrcmpW (lpString1="..", lpString2="Event Viewer") returned -1 [0088.375] lstrcmpiW (lpString1="windows", lpString2="Event Viewer") returned 1 [0088.377] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0088.377] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0088.377] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="Event Viewer" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer" [0088.377] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*.*" [0088.377] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5c10ae8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0088.378] CloseHandle (hObject=0x320) returned 1 [0088.378] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0088.378] lstrcmpW (lpString1=".", lpString2="IdentityCRL") returned -1 [0088.378] lstrcmpW (lpString1="..", lpString2="IdentityCRL") returned -1 [0088.378] lstrcmpiW (lpString1="windows", lpString2="IdentityCRL") returned 1 [0088.380] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0088.380] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0088.380] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="IdentityCRL" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL" [0088.380] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*" [0088.380] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5c28b50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0088.381] CloseHandle (hObject=0x320) returned 1 [0088.381] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0088.381] lstrcmpW (lpString1=".", lpString2="MapData") returned -1 [0088.381] lstrcmpW (lpString1="..", lpString2="MapData") returned -1 [0088.381] lstrcmpiW (lpString1="windows", lpString2="MapData") returned 1 [0088.383] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0088.383] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0088.383] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="MapData" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MapData") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MapData" [0088.383] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MapData", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MapData\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MapData\\*.*" [0088.383] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5c40bb8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0088.384] CloseHandle (hObject=0x320) returned 1 [0088.384] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0088.384] lstrcmpW (lpString1=".", lpString2="MF") returned -1 [0088.384] lstrcmpW (lpString1="..", lpString2="MF") returned -1 [0088.384] lstrcmpiW (lpString1="windows", lpString2="MF") returned 1 [0088.386] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0088.386] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0088.387] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="MF" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF" [0088.387] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*" [0088.387] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5c58c20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0088.387] CloseHandle (hObject=0x320) returned 1 [0088.387] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0088.387] lstrcmpW (lpString1=".", lpString2="NetFramework") returned -1 [0088.387] lstrcmpW (lpString1="..", lpString2="NetFramework") returned -1 [0088.388] lstrcmpiW (lpString1="windows", lpString2="NetFramework") returned 1 [0088.751] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0088.751] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0088.751] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="NetFramework" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework") returned="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework" [0088.751] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*.*" [0088.751] GlobalMemoryStatus (in: lpBuffer=0x397fd08 | out: lpBuffer=0x397fd08) [0088.751] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5c70c88, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x350 [0088.752] CloseHandle (hObject=0x350) returned 1 [0088.752] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0088.752] lstrcmpW (lpString1=".", lpString2="Network") returned -1 [0088.752] lstrcmpW (lpString1="..", lpString2="Network") returned -1 [0088.752] lstrcmpiW (lpString1="windows", lpString2="Network") returned 1 [0088.971] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0088.971] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0088.971] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="Network" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network" [0088.971] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*.*" [0088.971] GlobalMemoryStatus (in: lpBuffer=0x397fd08 | out: lpBuffer=0x397fd08) [0088.971] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x59f01e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x32c [0088.979] CloseHandle (hObject=0x32c) returned 1 [0088.979] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0088.979] lstrcmpW (lpString1=".", lpString2="Office") returned -1 [0088.979] lstrcmpW (lpString1="..", lpString2="Office") returned -1 [0088.979] lstrcmpiW (lpString1="windows", lpString2="Office") returned 1 [0088.982] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0088.982] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0088.982] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="Office" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Office") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Office" [0088.982] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Office", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\*.*" [0088.985] GlobalMemoryStatus (in: lpBuffer=0x397fd08 | out: lpBuffer=0x397fd08) [0088.986] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8e41980, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x32c [0088.986] CloseHandle (hObject=0x32c) returned 1 [0088.986] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0088.986] lstrcmpW (lpString1=".", lpString2="Provisioning") returned -1 [0088.986] lstrcmpW (lpString1="..", lpString2="Provisioning") returned -1 [0088.986] lstrcmpiW (lpString1="windows", lpString2="Provisioning") returned 1 [0088.989] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0088.989] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0088.989] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="Provisioning" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning" [0088.989] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" [0088.989] GlobalMemoryStatus (in: lpBuffer=0x397fd08 | out: lpBuffer=0x397fd08) [0088.989] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8e599e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x32c [0088.990] CloseHandle (hObject=0x32c) returned 1 [0088.990] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0088.990] lstrcmpW (lpString1=".", lpString2="Search") returned -1 [0088.990] lstrcmpW (lpString1="..", lpString2="Search") returned -1 [0088.990] lstrcmpiW (lpString1="windows", lpString2="Search") returned 1 [0088.993] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0088.993] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0088.993] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="Search" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search" [0088.993] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*.*" [0088.993] GlobalMemoryStatus (in: lpBuffer=0x397fd08 | out: lpBuffer=0x397fd08) [0088.993] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8e71a50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x32c [0088.994] CloseHandle (hObject=0x32c) returned 1 [0088.994] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0088.994] lstrcmpW (lpString1=".", lpString2="SmsRouter") returned -1 [0088.995] lstrcmpW (lpString1="..", lpString2="SmsRouter") returned -1 [0088.995] lstrcmpiW (lpString1="windows", lpString2="SmsRouter") returned 1 [0088.997] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0088.997] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0088.997] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="SmsRouter" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter") returned="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter" [0088.997] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\*.*" [0088.997] GlobalMemoryStatus (in: lpBuffer=0x397fd08 | out: lpBuffer=0x397fd08) [0088.997] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8e89ab8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x32c [0089.002] CloseHandle (hObject=0x32c) returned 1 [0089.002] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0089.002] lstrcmpW (lpString1=".", lpString2="User Account Pictures") returned -1 [0089.002] lstrcmpW (lpString1="..", lpString2="User Account Pictures") returned -1 [0089.002] lstrcmpiW (lpString1="windows", lpString2="User Account Pictures") returned 1 [0089.004] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0089.004] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0089.004] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="User Account Pictures" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures" [0089.004] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*" [0089.004] GlobalMemoryStatus (in: lpBuffer=0x397fd08 | out: lpBuffer=0x397fd08) [0089.005] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8ea1b20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x32c [0089.005] CloseHandle (hObject=0x32c) returned 1 [0089.005] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0089.006] lstrcmpW (lpString1=".", lpString2="Vault") returned -1 [0089.006] lstrcmpW (lpString1="..", lpString2="Vault") returned -1 [0089.006] lstrcmpiW (lpString1="windows", lpString2="Vault") returned 1 [0089.008] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0089.008] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0089.008] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="Vault" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Vault" [0089.008] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*.*" [0089.008] GlobalMemoryStatus (in: lpBuffer=0x397fd08 | out: lpBuffer=0x397fd08) [0089.008] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8eb9b88, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x32c [0089.009] CloseHandle (hObject=0x32c) returned 1 [0089.009] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0089.009] lstrcmpW (lpString1=".", lpString2="WDF") returned -1 [0089.009] lstrcmpW (lpString1="..", lpString2="WDF") returned -1 [0089.009] lstrcmpiW (lpString1="windows", lpString2="WDF") returned 1 [0089.012] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0089.012] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0089.012] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="WDF" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WDF") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WDF" [0089.012] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WDF", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WDF\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WDF\\*.*" [0089.012] GlobalMemoryStatus (in: lpBuffer=0x397fd08 | out: lpBuffer=0x397fd08) [0089.012] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8ed1bf0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x32c [0089.014] CloseHandle (hObject=0x32c) returned 1 [0089.014] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0089.014] lstrcmpW (lpString1=".", lpString2="Windows") returned -1 [0089.014] lstrcmpW (lpString1="..", lpString2="Windows") returned -1 [0089.014] lstrcmpiW (lpString1="windows", lpString2="Windows") returned 0 [0089.014] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0089.014] lstrcmpW (lpString1=".", lpString2="Windows Defender") returned -1 [0089.014] lstrcmpW (lpString1="..", lpString2="Windows Defender") returned -1 [0089.014] lstrcmpiW (lpString1="windows", lpString2="Windows Defender") returned -1 [0089.016] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0089.016] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0089.016] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="Windows Defender" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender" [0089.016] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" [0089.016] GlobalMemoryStatus (in: lpBuffer=0x397fd08 | out: lpBuffer=0x397fd08) [0089.017] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8ee9c58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x32c [0089.017] CloseHandle (hObject=0x32c) returned 1 [0089.017] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0089.017] lstrcmpW (lpString1=".", lpString2="Windows Live") returned -1 [0089.017] lstrcmpW (lpString1="..", lpString2="Windows Live") returned -1 [0089.017] lstrcmpiW (lpString1="windows", lpString2="Windows Live") returned -1 [0089.020] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0089.020] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0089.020] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="Windows Live" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live" [0089.020] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\*.*" [0089.020] GlobalMemoryStatus (in: lpBuffer=0x397fd08 | out: lpBuffer=0x397fd08) [0089.020] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8f01cc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x32c [0089.021] CloseHandle (hObject=0x32c) returned 1 [0089.021] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0089.021] lstrcmpW (lpString1=".", lpString2="Windows NT") returned -1 [0089.021] lstrcmpW (lpString1="..", lpString2="Windows NT") returned -1 [0089.021] lstrcmpiW (lpString1="windows", lpString2="Windows NT") returned -1 [0089.023] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0089.024] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0089.024] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="Windows NT" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT" [0089.024] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*.*" [0089.024] GlobalMemoryStatus (in: lpBuffer=0x397fd08 | out: lpBuffer=0x397fd08) [0089.024] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8f19d28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x32c [0089.027] CloseHandle (hObject=0x32c) returned 1 [0089.027] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0089.027] lstrcmpW (lpString1=".", lpString2="WinMSIPC") returned -1 [0089.027] lstrcmpW (lpString1="..", lpString2="WinMSIPC") returned -1 [0089.027] lstrcmpiW (lpString1="windows", lpString2="WinMSIPC") returned -1 [0089.033] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0089.033] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0089.033] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="WinMSIPC" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC" [0089.033] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\*.*" [0089.033] GlobalMemoryStatus (in: lpBuffer=0x397fd08 | out: lpBuffer=0x397fd08) [0089.033] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8f31d90, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x32c [0089.034] CloseHandle (hObject=0x32c) returned 1 [0089.034] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 1 [0089.034] lstrcmpW (lpString1=".", lpString2="WwanSvc") returned -1 [0089.034] lstrcmpW (lpString1="..", lpString2="WwanSvc") returned -1 [0089.034] lstrcmpiW (lpString1="windows", lpString2="WwanSvc") returned -1 [0089.037] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0089.037] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0089.037] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="WwanSvc" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc" [0089.037] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*.*" [0089.037] GlobalMemoryStatus (in: lpBuffer=0x397fd08 | out: lpBuffer=0x397fd08) [0089.037] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8f49df8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x32c [0089.038] CloseHandle (hObject=0x32c) returned 1 [0089.038] FindNextFileW (in: hFindFile=0x5c89d0, lpFindFileData=0x397fd28 | out: lpFindFileData=0x397fd28) returned 0 [0089.038] FindClose (in: hFindFile=0x5c89d0 | out: hFindFile=0x5c89d0) returned 1 Thread: id = 77 os_tid = 0xe54 [0088.392] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\*.*", lpFindFileData=0x3abfd28 | out: lpFindFileData=0x3abfd28) returned 0x5c8c50 [0088.402] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.403] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x3abfd28 | out: lpFindFileData=0x3abfd28) returned 1 [0088.403] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0088.403] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.403] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x3abfd28 | out: lpFindFileData=0x3abfd28) returned 1 [0088.403] lstrcmpW (lpString1=".", lpString2="setup") returned -1 [0088.403] lstrcmpW (lpString1="..", lpString2="setup") returned -1 [0088.403] lstrcmpiW (lpString1="windows", lpString2="setup") returned 1 [0089.175] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\*.*" [0089.175] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\*.*") returned 41 [0089.175] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\", lpString2="setup" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup") returned="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup" [0089.175] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\*.*" [0089.175] GlobalMemoryStatus (in: lpBuffer=0x3abfd08 | out: lpBuffer=0x3abfd08) [0089.175] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3dd82c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0089.176] CloseHandle (hObject=0x308) returned 1 [0089.176] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x3abfd28 | out: lpFindFileData=0x3abfd28) returned 0 [0089.176] FindClose (in: hFindFile=0x5c8c50 | out: hFindFile=0x5c8c50) returned 1 Thread: id = 78 os_tid = 0x3c0 [0088.393] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\*.*", lpFindFileData=0x3bffd28 | out: lpFindFileData=0x3bffd28) returned 0x5c8a50 [0088.393] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.393] FindNextFileW (in: hFindFile=0x5c8a50, lpFindFileData=0x3bffd28 | out: lpFindFileData=0x3bffd28) returned 1 [0088.393] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0088.393] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.393] FindNextFileW (in: hFindFile=0x5c8a50, lpFindFileData=0x3bffd28 | out: lpFindFileData=0x3bffd28) returned 1 [0088.393] lstrcmpW (lpString1=".", lpString2="Java") returned -1 [0088.393] lstrcmpW (lpString1="..", lpString2="Java") returned -1 [0088.393] lstrcmpiW (lpString1="windows", lpString2="Java") returned 1 [0088.486] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Oracle\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\*.*") returned="\\\\?\\C:\\ProgramData\\Oracle\\*.*" [0088.486] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Oracle\\*.*") returned 29 [0088.486] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\", lpString2="Java" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java" [0088.486] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\*.*") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\*.*" [0088.486] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5c88cf0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x388 [0088.486] CloseHandle (hObject=0x388) returned 1 [0088.487] FindNextFileW (in: hFindFile=0x5c8a50, lpFindFileData=0x3bffd28 | out: lpFindFileData=0x3bffd28) returned 0 [0088.487] FindClose (in: hFindFile=0x5c8a50 | out: hFindFile=0x5c8a50) returned 1 Thread: id = 79 os_tid = 0xeb0 [0088.393] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\*.*", lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 0x5c8e50 [0088.417] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.417] FindNextFileW (in: hFindFile=0x5c8e50, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 1 [0088.571] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0088.571] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.571] FindNextFileW (in: hFindFile=0x5c8e50, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 1 [0088.571] lstrcmpW (lpString1=".", lpString2="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned -1 [0088.571] lstrcmpW (lpString1="..", lpString2="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned -1 [0088.571] lstrcmpiW (lpString1="windows", lpString2="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned 1 [0088.574] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0088.574] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0088.574] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" [0088.574] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*" [0088.574] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x88b01e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.575] CloseHandle (hObject=0x378) returned 1 [0088.575] FindNextFileW (in: hFindFile=0x5c8e50, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 1 [0088.575] lstrcmpW (lpString1=".", lpString2="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned -1 [0088.575] lstrcmpW (lpString1="..", lpString2="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned -1 [0088.575] lstrcmpiW (lpString1="windows", lpString2="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned 1 [0088.577] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0088.577] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0088.577] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" [0088.577] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" [0088.577] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x88c8250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.578] CloseHandle (hObject=0x378) returned 1 [0088.578] FindNextFileW (in: hFindFile=0x5c8e50, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 1 [0088.578] lstrcmpW (lpString1=".", lpString2="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned -1 [0088.578] lstrcmpW (lpString1="..", lpString2="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned -1 [0088.578] lstrcmpiW (lpString1="windows", lpString2="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned 1 [0088.580] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0088.580] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0088.580] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030" [0088.580] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*" [0088.580] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x88e02b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.582] CloseHandle (hObject=0x378) returned 1 [0088.582] FindNextFileW (in: hFindFile=0x5c8e50, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 1 [0088.582] lstrcmpW (lpString1=".", lpString2="{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned -1 [0088.582] lstrcmpW (lpString1="..", lpString2="{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned -1 [0088.582] lstrcmpiW (lpString1="windows", lpString2="{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned 1 [0088.584] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0088.585] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0088.585] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{3c3aafc8-d898-43ec-998f-965ffdae065a}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}" [0088.585] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" [0088.585] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x88f8320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.586] CloseHandle (hObject=0x378) returned 1 [0088.586] FindNextFileW (in: hFindFile=0x5c8e50, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 1 [0088.586] lstrcmpW (lpString1=".", lpString2="{74d0e5db-b326-4dae-a6b2-445b9de1836e}") returned -1 [0088.586] lstrcmpW (lpString1="..", lpString2="{74d0e5db-b326-4dae-a6b2-445b9de1836e}") returned -1 [0088.586] lstrcmpiW (lpString1="windows", lpString2="{74d0e5db-b326-4dae-a6b2-445b9de1836e}") returned 1 [0088.588] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0088.588] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0088.588] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{74d0e5db-b326-4dae-a6b2-445b9de1836e}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}" [0088.588] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*" [0088.588] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8910388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.589] CloseHandle (hObject=0x378) returned 1 [0088.589] FindNextFileW (in: hFindFile=0x5c8e50, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 1 [0088.589] lstrcmpW (lpString1=".", lpString2="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned -1 [0088.589] lstrcmpW (lpString1="..", lpString2="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned -1 [0088.589] lstrcmpiW (lpString1="windows", lpString2="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned 1 [0088.591] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0088.591] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0088.591] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017" [0088.591] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*" [0088.591] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x89283f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.592] CloseHandle (hObject=0x378) returned 1 [0088.592] FindNextFileW (in: hFindFile=0x5c8e50, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 1 [0088.592] lstrcmpW (lpString1=".", lpString2="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned -1 [0088.593] lstrcmpW (lpString1="..", lpString2="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned -1 [0088.593] lstrcmpiW (lpString1="windows", lpString2="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned 1 [0088.594] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0088.595] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0088.595] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005" [0088.595] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*" [0088.595] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8940458, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.596] CloseHandle (hObject=0x378) returned 1 [0088.596] FindNextFileW (in: hFindFile=0x5c8e50, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 1 [0088.596] lstrcmpW (lpString1=".", lpString2="{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026") returned -1 [0088.596] lstrcmpW (lpString1="..", lpString2="{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026") returned -1 [0088.596] lstrcmpiW (lpString1="windows", lpString2="{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026") returned 1 [0088.598] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0088.598] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0088.598] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026" [0088.598] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\\*.*" [0088.598] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x89584c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.599] CloseHandle (hObject=0x378) returned 1 [0088.599] FindNextFileW (in: hFindFile=0x5c8e50, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 1 [0088.599] lstrcmpW (lpString1=".", lpString2="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned -1 [0088.599] lstrcmpW (lpString1="..", lpString2="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned -1 [0088.599] lstrcmpiW (lpString1="windows", lpString2="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned 1 [0088.601] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0088.601] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0088.601] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005" [0088.601] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*" [0088.601] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8970528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.602] CloseHandle (hObject=0x378) returned 1 [0088.602] FindNextFileW (in: hFindFile=0x5c8e50, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 1 [0088.602] lstrcmpW (lpString1=".", lpString2="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned -1 [0088.602] lstrcmpW (lpString1="..", lpString2="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned -1 [0088.602] lstrcmpiW (lpString1="windows", lpString2="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned 1 [0088.604] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0088.604] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0088.604] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" [0088.605] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*" [0088.605] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8988590, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.606] CloseHandle (hObject=0x378) returned 1 [0088.606] FindNextFileW (in: hFindFile=0x5c8e50, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 1 [0088.606] lstrcmpW (lpString1=".", lpString2="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned -1 [0088.606] lstrcmpW (lpString1="..", lpString2="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned -1 [0088.606] lstrcmpiW (lpString1="windows", lpString2="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned 1 [0088.656] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0088.656] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0088.656] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" [0088.656] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*" [0088.656] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x89a05f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.657] CloseHandle (hObject=0x378) returned 1 [0088.657] FindNextFileW (in: hFindFile=0x5c8e50, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 1 [0088.657] lstrcmpW (lpString1=".", lpString2="{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026") returned -1 [0088.657] lstrcmpW (lpString1="..", lpString2="{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026") returned -1 [0088.657] lstrcmpiW (lpString1="windows", lpString2="{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026") returned 1 [0088.677] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0088.677] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0088.677] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026" [0088.677] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\*.*" [0088.677] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3f08800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0088.678] CloseHandle (hObject=0x2a4) returned 1 [0088.678] FindNextFileW (in: hFindFile=0x5c8e50, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 1 [0088.678] lstrcmpW (lpString1=".", lpString2="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned -1 [0088.678] lstrcmpW (lpString1="..", lpString2="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned -1 [0088.678] lstrcmpiW (lpString1="windows", lpString2="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned 1 [0088.680] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0088.680] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0088.680] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" [0088.680] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" [0088.680] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8b68db0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0088.681] CloseHandle (hObject=0x2a4) returned 1 [0088.681] FindNextFileW (in: hFindFile=0x5c8e50, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 1 [0088.681] lstrcmpW (lpString1=".", lpString2="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned -1 [0088.681] lstrcmpW (lpString1="..", lpString2="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned -1 [0088.682] lstrcmpiW (lpString1="windows", lpString2="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned 1 [0088.684] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0088.684] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0088.684] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030" [0088.684] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*" [0088.684] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8b80e18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0088.685] CloseHandle (hObject=0x2a4) returned 1 [0088.685] FindNextFileW (in: hFindFile=0x5c8e50, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 1 [0088.685] lstrcmpW (lpString1=".", lpString2="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned -1 [0088.685] lstrcmpW (lpString1="..", lpString2="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned -1 [0088.685] lstrcmpiW (lpString1="windows", lpString2="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned 1 [0088.688] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0088.688] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0088.688] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017" [0088.688] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*" [0088.688] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8b98e80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0088.689] CloseHandle (hObject=0x2a4) returned 1 [0088.689] FindNextFileW (in: hFindFile=0x5c8e50, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 1 [0088.689] lstrcmpW (lpString1=".", lpString2="{e52a6842-b0ac-476e-b48f-378a97a67346}") returned -1 [0088.689] lstrcmpW (lpString1="..", lpString2="{e52a6842-b0ac-476e-b48f-378a97a67346}") returned -1 [0088.689] lstrcmpiW (lpString1="windows", lpString2="{e52a6842-b0ac-476e-b48f-378a97a67346}") returned 1 [0088.691] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0088.691] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0088.691] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{e52a6842-b0ac-476e-b48f-378a97a67346}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}" [0088.691] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" [0088.691] GlobalMemoryStatus (in: lpBuffer=0x3d3fd08 | out: lpBuffer=0x3d3fd08) [0088.691] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8bb0ee8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0088.692] CloseHandle (hObject=0x2a4) returned 1 [0088.692] FindNextFileW (in: hFindFile=0x5c8e50, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 1 [0088.692] lstrcmpW (lpString1=".", lpString2="{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned -1 [0088.693] lstrcmpW (lpString1="..", lpString2="{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned -1 [0088.693] lstrcmpiW (lpString1="windows", lpString2="{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned 1 [0088.695] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0088.695] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0088.695] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{e6e75766-da0f-4ba2-9788-6ea593ce702d}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}" [0088.695] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" [0088.695] GlobalMemoryStatus (in: lpBuffer=0x3d3fd08 | out: lpBuffer=0x3d3fd08) [0088.695] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8bc8f50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0088.696] CloseHandle (hObject=0x2a4) returned 1 [0088.696] FindNextFileW (in: hFindFile=0x5c8e50, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 1 [0088.696] lstrcmpW (lpString1=".", lpString2="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned -1 [0088.696] lstrcmpW (lpString1="..", lpString2="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned -1 [0088.696] lstrcmpiW (lpString1="windows", lpString2="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned 1 [0088.699] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0088.699] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0088.699] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" [0088.699] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*" [0088.699] GlobalMemoryStatus (in: lpBuffer=0x3d3fd08 | out: lpBuffer=0x3d3fd08) [0088.699] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8be0fb8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0088.700] CloseHandle (hObject=0x2a4) returned 1 [0088.700] FindNextFileW (in: hFindFile=0x5c8e50, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 0 [0088.700] FindClose (in: hFindFile=0x5c8e50 | out: hFindFile=0x5c8e50) returned 1 Thread: id = 80 os_tid = 0xea8 [0088.393] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*", lpFindFileData=0x407fd28 | out: lpFindFileData=0x407fd28) returned 0x5c8850 [0088.409] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.409] FindNextFileW (in: hFindFile=0x5c8850, lpFindFileData=0x407fd28 | out: lpFindFileData=0x407fd28) returned 1 [0089.392] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0089.392] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.392] FindNextFileW (in: hFindFile=0x5c8850, lpFindFileData=0x407fd28 | out: lpFindFileData=0x407fd28) returned 1 [0089.392] lstrcpyW (in: lpString1=0x5a38320, lpString2="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*" [0089.392] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*") returned 50 [0089.392] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\How To Restore Files.hta" [0089.392] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\How To Restore Files.hta" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\how to restore files.hta")) returned 0xffffffff [0089.392] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\How To Restore Files.hta" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0089.422] WriteFile (in: hFile=0x22c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x407fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x407fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0089.423] CloseHandle (hObject=0x22c) returned 1 [0089.423] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0089.423] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag") returned -1 [0089.423] lstrlenW (lpString="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag") returned 82 [0089.423] lstrcmpiW (lpString1=".LyaS", lpString2="idtag") returned -1 [0089.423] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*" [0089.423] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*") returned 50 [0089.424] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\", lpString2="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag" [0089.424] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag" [0089.424] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag id-Br3n0G72wUb8CejT.LyaS" [0089.424] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run extensibility component.swidtag"), lpNewFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run extensibility component.swidtag id-br3n0g72wub8cejt.lyas")) returned 1 [0089.432] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run extensibility component.swidtag id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0089.432] CreateFileMappingA (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x238 [0089.433] CryptAcquireContextA (in: phProv=0x407fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x407fce4*=0x5d1470) returned 1 [0089.433] CryptGenKey (in: hProv=0x5d1470, Algid=0x6610, dwFlags=0x1, phKey=0x407fce0 | out: phKey=0x407fce0*=0x5c8750) returned 1 [0089.433] CryptExportKey (in: hKey=0x5c8750, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x407fbdc, pdwDataLen=0x407fcdc | out: pbData=0x407fbdc*, pdwDataLen=0x407fcdc*=0x2c) returned 1 [0089.433] MapViewOfFile (hFileMappingObject=0x238, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x420) returned 0x30c0000 [0089.975] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x407fbdc*, pdwDataLen=0x407fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x407fbdc*, pdwDataLen=0x407fcf0*=0x100) returned 1 [0089.975] CryptEncrypt (in: hKey=0x5c8750, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30c0000*, pdwDataLen=0x407fcdc*=0x420, dwBufLen=0x420 | out: pbData=0x30c0000*, pdwDataLen=0x407fcdc*=0x420) returned 1 [0089.975] UnmapViewOfFile (lpBaseAddress=0x30c0000) returned 1 [0089.976] CloseHandle (hObject=0x238) returned 1 [0089.976] CryptDestroyKey (hKey=0x5c8750) returned 1 [0089.976] CryptReleaseContext (hProv=0x5d1470, dwFlags=0x0) returned 1 [0089.976] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.976] WriteFile (in: hFile=0x22c, lpBuffer=0x407fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x407fcf0, lpOverlapped=0x0 | out: lpBuffer=0x407fbdc*, lpNumberOfBytesWritten=0x407fcf0*=0x100, lpOverlapped=0x0) returned 1 [0090.039] WriteFile (in: hFile=0x22c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x407fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x407fcf0*=0x500, lpOverlapped=0x0) returned 1 [0090.039] CloseHandle (hObject=0x22c) returned 1 [0090.040] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0090.041] FindNextFileW (in: hFindFile=0x5c8850, lpFindFileData=0x407fd28 | out: lpFindFileData=0x407fd28) returned 1 [0090.041] lstrcpyW (in: lpString1=0x5a38320, lpString2="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*" [0090.041] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*") returned 50 [0090.041] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\How To Restore Files.hta" [0090.041] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\How To Restore Files.hta" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\how to restore files.hta")) returned 0x1 [0090.041] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag") returned -1 [0090.041] lstrlenW (lpString="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag") returned 78 [0090.041] lstrcmpiW (lpString1=".LyaS", lpString2="idtag") returned -1 [0090.041] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*" [0090.041] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*") returned 50 [0090.041] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\", lpString2="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag" [0090.041] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag" [0090.041] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag id-Br3n0G72wUb8CejT.LyaS" [0090.041] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run licensing component.swidtag"), lpNewFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run licensing component.swidtag id-br3n0g72wub8cejt.lyas")) returned 1 [0090.057] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run licensing component.swidtag id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0090.057] CreateFileMappingA (hFile=0x364, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x22c [0090.057] CryptAcquireContextA (in: phProv=0x407fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x407fce4*=0x5d1690) returned 1 [0090.058] CryptGenKey (in: hProv=0x5d1690, Algid=0x6610, dwFlags=0x1, phKey=0x407fce0 | out: phKey=0x407fce0*=0x5c9010) returned 1 [0090.058] CryptExportKey (in: hKey=0x5c9010, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x407fbdc, pdwDataLen=0x407fcdc | out: pbData=0x407fbdc*, pdwDataLen=0x407fcdc*=0x2c) returned 1 [0090.058] MapViewOfFile (hFileMappingObject=0x22c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x420) returned 0x30c0000 [0090.086] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x407fbdc*, pdwDataLen=0x407fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x407fbdc*, pdwDataLen=0x407fcf0*=0x100) returned 1 [0090.086] CryptEncrypt (in: hKey=0x5c9010, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30c0000*, pdwDataLen=0x407fcdc*=0x420, dwBufLen=0x420 | out: pbData=0x30c0000*, pdwDataLen=0x407fcdc*=0x420) returned 1 [0090.086] UnmapViewOfFile (lpBaseAddress=0x30c0000) returned 1 [0090.087] CloseHandle (hObject=0x22c) returned 1 [0090.087] CryptDestroyKey (hKey=0x5c9010) returned 1 [0090.087] CryptReleaseContext (hProv=0x5d1690, dwFlags=0x0) returned 1 [0090.087] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.087] WriteFile (in: hFile=0x364, lpBuffer=0x407fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x407fcf0, lpOverlapped=0x0 | out: lpBuffer=0x407fbdc*, lpNumberOfBytesWritten=0x407fcf0*=0x100, lpOverlapped=0x0) returned 1 [0090.088] WriteFile (in: hFile=0x364, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x407fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x407fcf0*=0x500, lpOverlapped=0x0) returned 1 [0090.088] CloseHandle (hObject=0x364) returned 1 [0090.089] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0090.089] FindNextFileW (in: hFindFile=0x5c8850, lpFindFileData=0x407fd28 | out: lpFindFileData=0x407fd28) returned 1 [0090.089] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*" [0090.089] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*") returned 50 [0090.089] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\How To Restore Files.hta" [0090.089] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\How To Restore Files.hta" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\how to restore files.hta")) returned 0x1 [0090.090] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag") returned -1 [0090.090] lstrlenW (lpString="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag") returned 81 [0090.090] lstrcmpiW (lpString1=".LyaS", lpString2="idtag") returned -1 [0090.090] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*" [0090.090] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*") returned 50 [0090.090] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\", lpString2="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag" [0090.090] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag" [0090.090] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag id-Br3n0G72wUb8CejT.LyaS" [0090.090] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run localization component.swidtag"), lpNewFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run localization component.swidtag id-br3n0g72wub8cejt.lyas")) returned 1 [0090.094] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run localization component.swidtag id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0090.094] CreateFileMappingA (hFile=0x364, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x22c [0090.094] CryptAcquireContextA (in: phProv=0x407fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x407fce4*=0x5d0fa8) returned 1 [0090.095] CryptGenKey (in: hProv=0x5d0fa8, Algid=0x6610, dwFlags=0x1, phKey=0x407fce0 | out: phKey=0x407fce0*=0x5c9110) returned 1 [0090.095] CryptExportKey (in: hKey=0x5c9110, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x407fbdc, pdwDataLen=0x407fcdc | out: pbData=0x407fbdc*, pdwDataLen=0x407fcdc*=0x2c) returned 1 [0090.095] MapViewOfFile (hFileMappingObject=0x22c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x420) returned 0x30c0000 [0090.295] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x407fbdc*, pdwDataLen=0x407fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x407fbdc*, pdwDataLen=0x407fcf0*=0x100) returned 1 [0090.295] CryptEncrypt (in: hKey=0x5c9110, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30c0000*, pdwDataLen=0x407fcdc*=0x420, dwBufLen=0x420 | out: pbData=0x30c0000*, pdwDataLen=0x407fcdc*=0x420) returned 1 [0090.295] UnmapViewOfFile (lpBaseAddress=0x30c0000) returned 1 [0090.295] CloseHandle (hObject=0x22c) returned 1 [0090.295] CryptDestroyKey (hKey=0x5c9110) returned 1 [0090.295] CryptReleaseContext (hProv=0x5d0fa8, dwFlags=0x0) returned 1 [0090.295] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.295] WriteFile (in: hFile=0x364, lpBuffer=0x407fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x407fcf0, lpOverlapped=0x0 | out: lpBuffer=0x407fbdc*, lpNumberOfBytesWritten=0x407fcf0*=0x100, lpOverlapped=0x0) returned 1 [0090.296] WriteFile (in: hFile=0x364, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x407fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x407fcf0*=0x500, lpOverlapped=0x0) returned 1 [0090.296] CloseHandle (hObject=0x364) returned 1 [0090.297] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0090.297] FindNextFileW (in: hFindFile=0x5c8850, lpFindFileData=0x407fd28 | out: lpFindFileData=0x407fd28) returned 1 [0090.297] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*" [0090.297] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*") returned 50 [0090.297] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\How To Restore Files.hta" [0090.297] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\How To Restore Files.hta" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\how to restore files.hta")) returned 0x1 [0090.297] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag") returned -1 [0090.297] lstrlenW (lpString="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag") returned 50 [0090.297] lstrcmpiW (lpString1=".LyaS", lpString2="idtag") returned -1 [0090.298] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*" [0090.298] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*.*") returned 50 [0090.298] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\", lpString2="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag" [0090.298] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag" [0090.298] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag id-Br3n0G72wUb8CejT.LyaS" [0090.298] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_windows-10-pro.swidtag"), lpNewFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_windows-10-pro.swidtag id-br3n0g72wub8cejt.lyas")) returned 0 [0090.412] FindNextFileW (in: hFindFile=0x5c8850, lpFindFileData=0x407fd28 | out: lpFindFileData=0x407fd28) returned 0 [0090.412] FindClose (in: hFindFile=0x5c8850 | out: hFindFile=0x5c8850) returned 1 Thread: id = 81 os_tid = 0x628 [0088.394] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\SoftwareDistribution\\*.*", lpFindFileData=0x42ffd28 | out: lpFindFileData=0x42ffd28) returned 0x5c8510 [0088.404] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.404] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x42ffd28 | out: lpFindFileData=0x42ffd28) returned 1 [0088.404] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0088.404] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.405] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x42ffd28 | out: lpFindFileData=0x42ffd28) returned 0 [0088.405] FindClose (in: hFindFile=0x5c8510 | out: hFindFile=0x5c8510) returned 1 Thread: id = 82 os_tid = 0xe8c [0088.395] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Start Menu\\*.*", lpFindFileData=0x443fd28 | out: lpFindFileData=0x443fd28) returned 0xffffffff Thread: id = 83 os_tid = 0xa38 [0088.395] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Templates\\*.*", lpFindFileData=0x457fd28 | out: lpFindFileData=0x457fd28) returned 0xffffffff Thread: id = 84 os_tid = 0x954 [0088.395] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\USOPrivate\\*.*", lpFindFileData=0x46bfd28 | out: lpFindFileData=0x46bfd28) returned 0x5c84d0 [0088.403] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.403] FindNextFileW (in: hFindFile=0x5c84d0, lpFindFileData=0x46bfd28 | out: lpFindFileData=0x46bfd28) returned 1 [0088.403] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0088.403] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.403] FindNextFileW (in: hFindFile=0x5c84d0, lpFindFileData=0x46bfd28 | out: lpFindFileData=0x46bfd28) returned 1 [0088.403] lstrcmpW (lpString1=".", lpString2="UpdateStore") returned -1 [0088.403] lstrcmpW (lpString1="..", lpString2="UpdateStore") returned -1 [0088.403] lstrcmpiW (lpString1="windows", lpString2="UpdateStore") returned 1 [0089.180] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\USOPrivate\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOPrivate\\*.*") returned="\\\\?\\C:\\ProgramData\\USOPrivate\\*.*" [0089.180] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\USOPrivate\\*.*") returned 33 [0089.180] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOPrivate\\", lpString2="UpdateStore" | out: lpString1="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore") returned="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore" [0089.180] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\*.*") returned="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\*.*" [0089.180] GlobalMemoryStatus (in: lpBuffer=0x46bfd08 | out: lpBuffer=0x46bfd08) [0089.180] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2c180b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0089.181] CloseHandle (hObject=0x344) returned 1 [0089.181] FindNextFileW (in: hFindFile=0x5c84d0, lpFindFileData=0x46bfd28 | out: lpFindFileData=0x46bfd28) returned 0 [0089.181] FindClose (in: hFindFile=0x5c84d0 | out: hFindFile=0x5c84d0) returned 1 Thread: id = 85 os_tid = 0x858 [0088.396] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\*.*", lpFindFileData=0x47ffd28 | out: lpFindFileData=0x47ffd28) returned 0x5c8c90 [0088.403] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.403] FindNextFileW (in: hFindFile=0x5c8c90, lpFindFileData=0x47ffd28 | out: lpFindFileData=0x47ffd28) returned 1 [0088.403] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0088.403] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.403] FindNextFileW (in: hFindFile=0x5c8c90, lpFindFileData=0x47ffd28 | out: lpFindFileData=0x47ffd28) returned 1 [0088.403] lstrcmpW (lpString1=".", lpString2="Logs") returned -1 [0088.403] lstrcmpW (lpString1="..", lpString2="Logs") returned -1 [0088.403] lstrcmpiW (lpString1="windows", lpString2="Logs") returned 1 [0089.179] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\USOShared\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\*.*") returned="\\\\?\\C:\\ProgramData\\USOShared\\*.*" [0089.179] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\USOShared\\*.*") returned 32 [0089.179] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\", lpString2="Logs" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs" [0089.179] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" [0089.179] GlobalMemoryStatus (in: lpBuffer=0x47ffd08 | out: lpBuffer=0x47ffd08) [0089.179] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2cc0070, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x310 [0089.180] CloseHandle (hObject=0x310) returned 1 [0089.180] FindNextFileW (in: hFindFile=0x5c8c90, lpFindFileData=0x47ffd28 | out: lpFindFileData=0x47ffd28) returned 0 [0089.180] FindClose (in: hFindFile=0x5c8c90 | out: hFindFile=0x5c8c90) returned 1 Thread: id = 86 os_tid = 0xad0 [0088.396] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Recovery\\WindowsRE\\*.*", lpFindFileData=0x493fd28 | out: lpFindFileData=0x493fd28) returned 0x5c86d0 [0088.396] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.396] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x493fd28 | out: lpFindFileData=0x493fd28) returned 1 [0088.396] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0088.396] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.396] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x493fd28 | out: lpFindFileData=0x493fd28) returned 1 [0089.039] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Recovery\\WindowsRE\\*.*" | out: lpString1="\\\\?\\C:\\Recovery\\WindowsRE\\*.*") returned="\\\\?\\C:\\Recovery\\WindowsRE\\*.*" [0089.040] lstrlenW (lpString="\\\\?\\C:\\Recovery\\WindowsRE\\*.*") returned 29 [0089.040] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery\\WindowsRE\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Recovery\\WindowsRE\\How To Restore Files.hta") returned="\\\\?\\C:\\Recovery\\WindowsRE\\How To Restore Files.hta" [0089.040] GetFileAttributesW (lpFileName="\\\\?\\C:\\Recovery\\WindowsRE\\How To Restore Files.hta" (normalized: "c:\\recovery\\windowsre\\how to restore files.hta")) returned 0xffffffff [0089.040] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\WindowsRE\\How To Restore Files.hta" (normalized: "c:\\recovery\\windowsre\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0089.041] WriteFile (in: hFile=0x2e8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x493fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x493fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0089.042] CloseHandle (hObject=0x2e8) returned 1 [0089.042] SetFileAttributesW (lpFileName="\\\\?\\C:\\Recovery\\WindowsRE\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0089.042] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="boot.sdi") returned 1 [0089.042] lstrlenW (lpString="boot.sdi") returned 8 [0089.042] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Recovery\\WindowsRE\\*.*" | out: lpString1="\\\\?\\C:\\Recovery\\WindowsRE\\*.*") returned="\\\\?\\C:\\Recovery\\WindowsRE\\*.*" [0089.042] lstrlenW (lpString="\\\\?\\C:\\Recovery\\WindowsRE\\*.*") returned 29 [0089.043] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery\\WindowsRE\\", lpString2="boot.sdi" | out: lpString1="\\\\?\\C:\\Recovery\\WindowsRE\\boot.sdi") returned="\\\\?\\C:\\Recovery\\WindowsRE\\boot.sdi" [0089.043] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Recovery\\WindowsRE\\boot.sdi" | out: lpString1="\\\\?\\C:\\Recovery\\WindowsRE\\boot.sdi") returned="\\\\?\\C:\\Recovery\\WindowsRE\\boot.sdi" [0089.043] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery\\WindowsRE\\boot.sdi", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Recovery\\WindowsRE\\boot.sdi id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Recovery\\WindowsRE\\boot.sdi id-Br3n0G72wUb8CejT.LyaS" [0089.043] MoveFileW (lpExistingFileName="\\\\?\\C:\\Recovery\\WindowsRE\\boot.sdi" (normalized: "c:\\recovery\\windowsre\\boot.sdi"), lpNewFileName="\\\\?\\C:\\Recovery\\WindowsRE\\boot.sdi id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\recovery\\windowsre\\boot.sdi id-br3n0g72wub8cejt.lyas")) returned 1 [0089.045] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\WindowsRE\\boot.sdi id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\recovery\\windowsre\\boot.sdi id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0089.045] CreateFileMappingA (hFile=0x2e8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x33c [0089.045] CryptAcquireContextA (in: phProv=0x493fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x493fce4*=0x5d10b8) returned 1 [0089.046] CryptGenKey (in: hProv=0x5d10b8, Algid=0x6610, dwFlags=0x1, phKey=0x493fce0 | out: phKey=0x493fce0*=0x5c89d0) returned 1 [0089.046] CryptExportKey (in: hKey=0x5c89d0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x493fbdc, pdwDataLen=0x493fcdc | out: pbData=0x493fbdc*, pdwDataLen=0x493fcdc*=0x2c) returned 1 [0089.046] MapViewOfFile (hFileMappingObject=0x33c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0xf590000 [0089.764] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x493fbdc*, pdwDataLen=0x493fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x493fbdc*, pdwDataLen=0x493fcf0*=0x100) returned 1 [0089.764] CryptEncrypt (in: hKey=0x5c89d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xf590000, pdwDataLen=0x493fcdc*=0x100000, dwBufLen=0x100000 | out: pbData=0xf590000*, pdwDataLen=0x493fcdc*=0x100000) returned 1 [0093.151] UnmapViewOfFile (lpBaseAddress=0xf590000) returned 1 [0093.162] CloseHandle (hObject=0x33c) returned 1 [0093.162] CryptDestroyKey (hKey=0x5c89d0) returned 1 [0093.459] CryptReleaseContext (hProv=0x5d10b8, dwFlags=0x0) returned 1 [0093.459] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.459] WriteFile (in: hFile=0x2e8, lpBuffer=0x493fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x493fcf0, lpOverlapped=0x0 | out: lpBuffer=0x493fbdc*, lpNumberOfBytesWritten=0x493fcf0*=0x100, lpOverlapped=0x0) returned 1 [0094.470] WriteFile (in: hFile=0x2e8, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x493fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x493fcf0*=0x500, lpOverlapped=0x0) returned 1 [0094.470] CloseHandle (hObject=0x2e8) returned 1 [0096.498] SetFileAttributesW (lpFileName="\\\\?\\C:\\Recovery\\WindowsRE\\boot.sdi id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0096.500] FindNextFileW (in: hFindFile=0x5c86d0, lpFindFileData=0x493fd28 | out: lpFindFileData=0x493fd28) returned 1 [0097.015] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Recovery\\WindowsRE\\*.*" | out: lpString1="\\\\?\\C:\\Recovery\\WindowsRE\\*.*") returned="\\\\?\\C:\\Recovery\\WindowsRE\\*.*" [0097.016] lstrlenW (lpString="\\\\?\\C:\\Recovery\\WindowsRE\\*.*") returned 29 [0097.016] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery\\WindowsRE\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Recovery\\WindowsRE\\How To Restore Files.hta") returned="\\\\?\\C:\\Recovery\\WindowsRE\\How To Restore Files.hta" [0097.016] GetFileAttributesW (lpFileName="\\\\?\\C:\\Recovery\\WindowsRE\\How To Restore Files.hta" (normalized: "c:\\recovery\\windowsre\\how to restore files.hta")) returned 0x1 [0097.016] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ReAgent.xml") returned -1 [0097.016] lstrlenW (lpString="ReAgent.xml") returned 11 [0097.016] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Recovery\\WindowsRE\\*.*" | out: lpString1="\\\\?\\C:\\Recovery\\WindowsRE\\*.*") returned="\\\\?\\C:\\Recovery\\WindowsRE\\*.*" [0097.016] lstrlenW (lpString="\\\\?\\C:\\Recovery\\WindowsRE\\*.*") returned 29 [0097.016] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery\\WindowsRE\\", lpString2="ReAgent.xml" | out: lpString1="\\\\?\\C:\\Recovery\\WindowsRE\\ReAgent.xml") returned="\\\\?\\C:\\Recovery\\WindowsRE\\ReAgent.xml" [0097.016] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Recovery\\WindowsRE\\ReAgent.xml" | out: lpString1="\\\\?\\C:\\Recovery\\WindowsRE\\ReAgent.xml") returned="\\\\?\\C:\\Recovery\\WindowsRE\\ReAgent.xml" [0097.016] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery\\WindowsRE\\ReAgent.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Recovery\\WindowsRE\\ReAgent.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Recovery\\WindowsRE\\ReAgent.xml id-Br3n0G72wUb8CejT.LyaS" [0097.016] MoveFileW (lpExistingFileName="\\\\?\\C:\\Recovery\\WindowsRE\\ReAgent.xml" (normalized: "c:\\recovery\\windowsre\\reagent.xml"), lpNewFileName="\\\\?\\C:\\Recovery\\WindowsRE\\ReAgent.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\recovery\\windowsre\\reagent.xml id-br3n0g72wub8cejt.lyas")) Thread: id = 87 os_tid = 0xa3c [0088.397] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\Resources\\en-US\\*.*", lpFindFileData=0x2bffd28 | out: lpFindFileData=0x2bffd28) returned 0x5c8b10 [0088.397] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.397] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x2bffd28 | out: lpFindFileData=0x2bffd28) returned 1 [0088.397] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0088.397] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.398] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x2bffd28 | out: lpFindFileData=0x2bffd28) returned 1 [0089.077] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Boot\\Resources\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Resources\\en-US\\*.*") returned="\\\\?\\C:\\Boot\\Resources\\en-US\\*.*" [0089.077] lstrlenW (lpString="\\\\?\\C:\\Boot\\Resources\\en-US\\*.*") returned 31 [0089.077] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Resources\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Boot\\Resources\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Boot\\Resources\\en-US\\How To Restore Files.hta" [0089.077] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Resources\\en-US\\How To Restore Files.hta" (normalized: "c:\\boot\\resources\\en-us\\how to restore files.hta")) returned 0xffffffff [0089.077] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Resources\\en-US\\How To Restore Files.hta" (normalized: "c:\\boot\\resources\\en-us\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0089.078] WriteFile (in: hFile=0x32c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x2bffcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2bffcf0*=0x38e, lpOverlapped=0x0) returned 1 [0089.079] CloseHandle (hObject=0x32c) returned 1 [0089.079] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Resources\\en-US\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0089.080] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bootres.dll.mui") returned 1 [0089.080] lstrlenW (lpString="bootres.dll.mui") returned 15 [0089.080] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Resources\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Resources\\en-US\\*.*") returned="\\\\?\\C:\\Boot\\Resources\\en-US\\*.*" [0089.080] lstrlenW (lpString="\\\\?\\C:\\Boot\\Resources\\en-US\\*.*") returned 31 [0089.080] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Resources\\en-US\\", lpString2="bootres.dll.mui" | out: lpString1="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui") returned="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui" [0089.080] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui" | out: lpString1="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui") returned="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui" [0089.080] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui id-Br3n0G72wUb8CejT.LyaS" [0089.080] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui"), lpNewFileName="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0089.080] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x2bffd28 | out: lpFindFileData=0x2bffd28) returned 0 [0089.080] FindClose (in: hFindFile=0x5c8b10 | out: hFindFile=0x5c8b10) returned 1 Thread: id = 88 os_tid = 0xf0 [0088.398] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\*.*", lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 0x5c8b50 [0088.417] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.417] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0088.512] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0088.512] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.512] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0088.512] lstrcmpW (lpString1=".", lpString2="Adobe") returned -1 [0088.512] lstrcmpW (lpString1="..", lpString2="Adobe") returned -1 [0088.512] lstrcmpiW (lpString1="windows", lpString2="Adobe") returned 1 [0088.512] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0088.512] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0088.512] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="Adobe" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe") returned="\\\\?\\C:\\Users\\All Users\\Adobe" [0088.512] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\*.*" [0088.512] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3e600d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.513] CloseHandle (hObject=0x378) returned 1 [0088.513] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0088.513] lstrcmpW (lpString1=".", lpString2="Application Data") returned -1 [0088.513] lstrcmpW (lpString1="..", lpString2="Application Data") returned -1 [0088.513] lstrcmpiW (lpString1="windows", lpString2="Application Data") returned 1 [0088.515] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0088.515] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0088.516] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="Application Data" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Application Data") returned="\\\\?\\C:\\Users\\All Users\\Application Data" [0088.516] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Application Data", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Application Data\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Application Data\\*.*" [0088.516] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5cf8dd0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.516] CloseHandle (hObject=0x378) returned 1 [0088.516] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0088.516] lstrcmpW (lpString1=".", lpString2="Comms") returned -1 [0088.516] lstrcmpW (lpString1="..", lpString2="Comms") returned -1 [0088.516] lstrcmpiW (lpString1="windows", lpString2="Comms") returned 1 [0088.518] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0088.518] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0088.518] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="Comms" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Comms") returned="\\\\?\\C:\\Users\\All Users\\Comms" [0088.518] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Comms", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Comms\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Comms\\*.*" [0088.518] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5d10e38, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.519] CloseHandle (hObject=0x378) returned 1 [0088.519] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0088.519] lstrcmpW (lpString1=".", lpString2="Desktop") returned -1 [0088.519] lstrcmpW (lpString1="..", lpString2="Desktop") returned -1 [0088.519] lstrcmpiW (lpString1="windows", lpString2="Desktop") returned 1 [0088.521] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0088.521] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0088.521] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="Desktop" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Desktop") returned="\\\\?\\C:\\Users\\All Users\\Desktop" [0088.521] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Desktop", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Desktop\\*.*" [0088.521] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5d28ea0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.521] CloseHandle (hObject=0x378) returned 1 [0088.521] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0088.521] lstrcmpW (lpString1=".", lpString2="Documents") returned -1 [0088.521] lstrcmpW (lpString1="..", lpString2="Documents") returned -1 [0088.521] lstrcmpiW (lpString1="windows", lpString2="Documents") returned 1 [0088.523] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0088.523] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0088.523] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="Documents" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Documents") returned="\\\\?\\C:\\Users\\All Users\\Documents" [0088.523] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Documents", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Documents\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Documents\\*.*" [0088.523] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5d40f08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.524] CloseHandle (hObject=0x378) returned 1 [0088.524] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0088.524] lstrcmpW (lpString1=".", lpString2="Microsoft") returned -1 [0088.524] lstrcmpW (lpString1="..", lpString2="Microsoft") returned -1 [0088.524] lstrcmpiW (lpString1="windows", lpString2="Microsoft") returned 1 [0088.526] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0088.526] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0088.526] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="Microsoft" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft") returned="\\\\?\\C:\\Users\\All Users\\Microsoft" [0088.526] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0088.530] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5d58f70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.531] CloseHandle (hObject=0x378) returned 1 [0088.531] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0088.531] lstrcmpW (lpString1=".", lpString2="Microsoft OneDrive") returned -1 [0088.531] lstrcmpW (lpString1="..", lpString2="Microsoft OneDrive") returned -1 [0088.531] lstrcmpiW (lpString1="windows", lpString2="Microsoft OneDrive") returned 1 [0088.534] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0088.534] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0088.534] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="Microsoft OneDrive" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive") returned="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive" [0088.534] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\*.*" [0088.534] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8850048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.535] CloseHandle (hObject=0x378) returned 1 [0088.535] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0088.535] lstrcmpW (lpString1=".", lpString2="Oracle") returned -1 [0088.535] lstrcmpW (lpString1="..", lpString2="Oracle") returned -1 [0088.535] lstrcmpiW (lpString1="windows", lpString2="Oracle") returned 1 [0088.537] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0088.537] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0088.537] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="Oracle" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle") returned="\\\\?\\C:\\Users\\All Users\\Oracle" [0088.537] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\*.*" [0088.537] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x88680b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.543] CloseHandle (hObject=0x378) returned 1 [0088.543] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0088.543] lstrcmpW (lpString1=".", lpString2="Package Cache") returned -1 [0088.543] lstrcmpW (lpString1="..", lpString2="Package Cache") returned -1 [0088.543] lstrcmpiW (lpString1="windows", lpString2="Package Cache") returned 1 [0088.545] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0088.545] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0088.545] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="Package Cache" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache") returned="\\\\?\\C:\\Users\\All Users\\Package Cache" [0088.545] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0088.545] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8880118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.546] CloseHandle (hObject=0x378) returned 1 [0088.546] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0088.546] lstrcmpW (lpString1=".", lpString2="regid.1991-06.com.microsoft") returned -1 [0088.546] lstrcmpW (lpString1="..", lpString2="regid.1991-06.com.microsoft") returned -1 [0088.546] lstrcmpiW (lpString1="windows", lpString2="regid.1991-06.com.microsoft") returned 1 [0088.609] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0088.609] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0088.609] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="regid.1991-06.com.microsoft" | out: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft") returned="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft" [0088.609] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*" [0088.609] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8898180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.610] CloseHandle (hObject=0x378) returned 1 [0088.610] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0088.610] lstrcmpW (lpString1=".", lpString2="SoftwareDistribution") returned -1 [0088.611] lstrcmpW (lpString1="..", lpString2="SoftwareDistribution") returned -1 [0088.611] lstrcmpiW (lpString1="windows", lpString2="SoftwareDistribution") returned 1 [0088.659] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0088.659] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0088.659] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="SoftwareDistribution" | out: lpString1="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution") returned="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution" [0088.659] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\*.*") returned="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\*.*" [0088.659] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8af0ba8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.660] CloseHandle (hObject=0x378) returned 1 [0088.660] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0088.660] lstrcmpW (lpString1=".", lpString2="Start Menu") returned -1 [0088.660] lstrcmpW (lpString1="..", lpString2="Start Menu") returned -1 [0088.660] lstrcmpiW (lpString1="windows", lpString2="Start Menu") returned 1 [0088.662] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0088.662] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0088.662] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="Start Menu" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Start Menu") returned="\\\\?\\C:\\Users\\All Users\\Start Menu" [0088.662] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Start Menu", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Start Menu\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Start Menu\\*.*" [0088.662] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8b08c10, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.663] CloseHandle (hObject=0x378) returned 1 [0088.663] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0088.663] lstrcmpW (lpString1=".", lpString2="Templates") returned -1 [0088.664] lstrcmpW (lpString1="..", lpString2="Templates") returned -1 [0088.664] lstrcmpiW (lpString1="windows", lpString2="Templates") returned 1 [0088.666] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0088.666] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0088.666] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="Templates" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Templates") returned="\\\\?\\C:\\Users\\All Users\\Templates" [0088.666] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Templates", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Templates\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Templates\\*.*" [0088.666] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8b20c78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.667] CloseHandle (hObject=0x378) returned 1 [0088.667] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0088.667] lstrcmpW (lpString1=".", lpString2="USOPrivate") returned -1 [0088.667] lstrcmpW (lpString1="..", lpString2="USOPrivate") returned -1 [0088.667] lstrcmpiW (lpString1="windows", lpString2="USOPrivate") returned 1 [0088.671] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0088.671] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0088.671] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="USOPrivate" | out: lpString1="\\\\?\\C:\\Users\\All Users\\USOPrivate") returned="\\\\?\\C:\\Users\\All Users\\USOPrivate" [0088.671] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\USOPrivate", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\USOPrivate\\*.*") returned="\\\\?\\C:\\Users\\All Users\\USOPrivate\\*.*" [0088.671] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8b38ce0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.672] CloseHandle (hObject=0x378) returned 1 [0088.672] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0088.672] lstrcmpW (lpString1=".", lpString2="USOShared") returned -1 [0088.672] lstrcmpW (lpString1="..", lpString2="USOShared") returned -1 [0088.672] lstrcmpiW (lpString1="windows", lpString2="USOShared") returned 1 [0088.674] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0088.674] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0088.674] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="USOShared" | out: lpString1="\\\\?\\C:\\Users\\All Users\\USOShared") returned="\\\\?\\C:\\Users\\All Users\\USOShared" [0088.674] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\USOShared", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\USOShared\\*.*") returned="\\\\?\\C:\\Users\\All Users\\USOShared\\*.*" [0088.674] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8b50d48, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.675] CloseHandle (hObject=0x378) returned 1 [0088.675] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 0 [0088.675] FindClose (in: hFindFile=0x5c8b50 | out: hFindFile=0x5c8b50) returned 1 Thread: id = 89 os_tid = 0x1f4 [0088.398] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*", lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 0x5c8b90 [0088.398] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.398] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0088.398] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0088.398] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.399] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0088.399] lstrcmpW (lpString1=".", lpString2="AppData") returned -1 [0088.399] lstrcmpW (lpString1="..", lpString2="AppData") returned -1 [0088.399] lstrcmpiW (lpString1="windows", lpString2="AppData") returned 1 [0089.082] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.082] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.082] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="AppData" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData" [0089.082] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\*.*" [0089.082] GlobalMemoryStatus (in: lpBuffer=0x4a7fd08 | out: lpBuffer=0x4a7fd08) [0089.082] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x60ede8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0089.083] CloseHandle (hObject=0x30c) returned 1 [0089.083] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.083] lstrcmpW (lpString1=".", lpString2="Application Data") returned -1 [0089.083] lstrcmpW (lpString1="..", lpString2="Application Data") returned -1 [0089.083] lstrcmpiW (lpString1="windows", lpString2="Application Data") returned 1 [0089.083] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.083] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.083] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Application Data" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Application Data") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Application Data" [0089.083] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Application Data", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Application Data\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Application Data\\*.*" [0089.083] GlobalMemoryStatus (in: lpBuffer=0x4a7fd08 | out: lpBuffer=0x4a7fd08) [0089.083] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x59a80b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0089.084] CloseHandle (hObject=0x30c) returned 1 [0089.084] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.084] lstrcmpW (lpString1=".", lpString2="Contacts") returned -1 [0089.084] lstrcmpW (lpString1="..", lpString2="Contacts") returned -1 [0089.084] lstrcmpiW (lpString1="windows", lpString2="Contacts") returned 1 [0089.085] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.085] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.085] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Contacts" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts" [0089.085] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*" [0089.085] GlobalMemoryStatus (in: lpBuffer=0x4a7fd08 | out: lpBuffer=0x4a7fd08) [0089.085] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8f61e60, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0089.086] CloseHandle (hObject=0x30c) returned 1 [0089.086] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.086] lstrcmpW (lpString1=".", lpString2="Cookies") returned -1 [0089.086] lstrcmpW (lpString1="..", lpString2="Cookies") returned -1 [0089.086] lstrcmpiW (lpString1="windows", lpString2="Cookies") returned 1 [0089.086] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.087] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.087] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Cookies" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Cookies") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Cookies" [0089.087] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Cookies", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Cookies\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Cookies\\*.*" [0089.087] GlobalMemoryStatus (in: lpBuffer=0x4a7fd08 | out: lpBuffer=0x4a7fd08) [0089.087] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3ed0008, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0089.087] CloseHandle (hObject=0x30c) returned 1 [0089.087] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.088] lstrcmpW (lpString1=".", lpString2="Desktop") returned -1 [0089.088] lstrcmpW (lpString1="..", lpString2="Desktop") returned -1 [0089.088] lstrcmpiW (lpString1="windows", lpString2="Desktop") returned 1 [0089.091] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.091] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.091] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Desktop" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop" [0089.091] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*.*" [0089.091] GlobalMemoryStatus (in: lpBuffer=0x4a7fd08 | out: lpBuffer=0x4a7fd08) [0089.091] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8f79ec8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0089.094] CloseHandle (hObject=0x30c) returned 1 [0089.094] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.094] lstrcmpW (lpString1=".", lpString2="Documents") returned -1 [0089.094] lstrcmpW (lpString1="..", lpString2="Documents") returned -1 [0089.094] lstrcmpiW (lpString1="windows", lpString2="Documents") returned 1 [0089.097] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.097] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.097] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Documents" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents" [0089.097] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*" [0089.097] GlobalMemoryStatus (in: lpBuffer=0x4a7fd08 | out: lpBuffer=0x4a7fd08) [0089.097] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8f91f30, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0089.098] CloseHandle (hObject=0x30c) returned 1 [0089.098] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.098] lstrcmpW (lpString1=".", lpString2="Downloads") returned -1 [0089.098] lstrcmpW (lpString1="..", lpString2="Downloads") returned -1 [0089.098] lstrcmpiW (lpString1="windows", lpString2="Downloads") returned 1 [0089.101] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.101] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.101] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Downloads" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads" [0089.101] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\*.*" [0089.101] GlobalMemoryStatus (in: lpBuffer=0x4a7fd08 | out: lpBuffer=0x4a7fd08) [0089.101] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8fa9f98, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0089.102] CloseHandle (hObject=0x30c) returned 1 [0089.102] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.102] lstrcmpW (lpString1=".", lpString2="Favorites") returned -1 [0089.102] lstrcmpW (lpString1="..", lpString2="Favorites") returned -1 [0089.102] lstrcmpiW (lpString1="windows", lpString2="Favorites") returned 1 [0089.104] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.104] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.104] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Favorites" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites" [0089.105] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*.*" [0089.105] GlobalMemoryStatus (in: lpBuffer=0x4a7fd08 | out: lpBuffer=0x4a7fd08) [0089.105] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8fc2000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0089.105] CloseHandle (hObject=0x30c) returned 1 [0089.105] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.105] lstrcmpW (lpString1=".", lpString2="Links") returned -1 [0089.105] lstrcmpW (lpString1="..", lpString2="Links") returned -1 [0089.106] lstrcmpiW (lpString1="windows", lpString2="Links") returned 1 [0089.108] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.108] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.108] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Links" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links" [0089.108] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*" [0089.108] GlobalMemoryStatus (in: lpBuffer=0x4a7fd08 | out: lpBuffer=0x4a7fd08) [0089.108] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8fda068, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0089.109] CloseHandle (hObject=0x30c) returned 1 [0089.109] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.109] lstrcmpW (lpString1=".", lpString2="Local Settings") returned -1 [0089.109] lstrcmpW (lpString1="..", lpString2="Local Settings") returned -1 [0089.109] lstrcmpiW (lpString1="windows", lpString2="Local Settings") returned 1 [0089.111] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.111] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.111] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Local Settings" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Local Settings") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Local Settings" [0089.111] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Local Settings", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Local Settings\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Local Settings\\*.*" [0089.111] GlobalMemoryStatus (in: lpBuffer=0x4a7fd08 | out: lpBuffer=0x4a7fd08) [0089.112] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8ff20d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0089.112] CloseHandle (hObject=0x30c) returned 1 [0089.112] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.112] lstrcmpW (lpString1=".", lpString2="Music") returned -1 [0089.112] lstrcmpW (lpString1="..", lpString2="Music") returned -1 [0089.112] lstrcmpiW (lpString1="windows", lpString2="Music") returned 1 [0089.115] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.115] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.115] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Music" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music" [0089.115] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" [0089.115] GlobalMemoryStatus (in: lpBuffer=0x4a7fd08 | out: lpBuffer=0x4a7fd08) [0089.115] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x900a138, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0089.116] CloseHandle (hObject=0x30c) returned 1 [0089.116] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.116] lstrcmpW (lpString1=".", lpString2="My Documents") returned -1 [0089.116] lstrcmpW (lpString1="..", lpString2="My Documents") returned -1 [0089.116] lstrcmpiW (lpString1="windows", lpString2="My Documents") returned 1 [0089.118] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.118] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.118] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="My Documents" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\My Documents") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\My Documents" [0089.118] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\My Documents", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\My Documents\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\My Documents\\*.*" [0089.118] GlobalMemoryStatus (in: lpBuffer=0x4a7fd08 | out: lpBuffer=0x4a7fd08) [0089.118] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x90221a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0089.119] CloseHandle (hObject=0x30c) returned 1 [0089.119] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.119] lstrcmpW (lpString1=".", lpString2="NetHood") returned -1 [0089.119] lstrcmpW (lpString1="..", lpString2="NetHood") returned -1 [0089.119] lstrcmpiW (lpString1="windows", lpString2="NetHood") returned 1 [0089.123] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.123] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.123] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="NetHood" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NetHood") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NetHood" [0089.123] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NetHood", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NetHood\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NetHood\\*.*" [0089.123] GlobalMemoryStatus (in: lpBuffer=0x4a7fd08 | out: lpBuffer=0x4a7fd08) [0089.123] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10590048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0089.124] CloseHandle (hObject=0x30c) returned 1 [0089.124] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.124] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.124] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.124] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\How To Restore Files.hta" [0089.124] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\how to restore files.hta")) returned 0xffffffff [0089.124] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0089.125] WriteFile (in: hFile=0x30c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x4a7fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x4a7fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0089.126] CloseHandle (hObject=0x30c) returned 1 [0089.127] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0089.128] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="NTUSER.DAT") returned -1 [0089.128] lstrlenW (lpString="NTUSER.DAT") returned 10 [0089.128] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.128] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.128] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="NTUSER.DAT" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT" [0089.128] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT" [0089.128] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT id-Br3n0G72wUb8CejT.LyaS" [0089.128] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.dat"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.dat id-br3n0g72wub8cejt.lyas")) returned 0 [0089.128] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.128] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.128] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.128] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\How To Restore Files.hta" [0089.128] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\how to restore files.hta")) returned 0x1 [0089.128] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ntuser.dat.LOG1") returned -1 [0089.128] lstrlenW (lpString="ntuser.dat.LOG1") returned 15 [0089.129] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.129] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.129] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="ntuser.dat.LOG1" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1" [0089.129] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1" [0089.129] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1 id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1 id-Br3n0G72wUb8CejT.LyaS" [0089.129] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1 id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.dat.log1 id-br3n0g72wub8cejt.lyas")) returned 0 [0089.129] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.129] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.129] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.129] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\How To Restore Files.hta" [0089.129] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\how to restore files.hta")) returned 0x1 [0089.129] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ntuser.dat.LOG2") returned -1 [0089.129] lstrlenW (lpString="ntuser.dat.LOG2") returned 15 [0089.129] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.129] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.129] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="ntuser.dat.LOG2" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2" [0089.129] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2" [0089.129] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2 id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2 id-Br3n0G72wUb8CejT.LyaS" [0089.129] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.dat.log2"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2 id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.dat.log2 id-br3n0g72wub8cejt.lyas")) returned 0 [0089.130] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.130] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.130] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.130] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\How To Restore Files.hta" [0089.130] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\how to restore files.hta")) returned 0x1 [0089.130] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf") returned -1 [0089.130] lstrlenW (lpString="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf") returned 55 [0089.130] lstrcmpiW (lpString1=".LyaS", lpString2="M.blf") returned -1 [0089.130] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.130] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.130] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf" [0089.130] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf" [0089.130] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf id-Br3n0G72wUb8CejT.LyaS" [0089.130] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tm.blf"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tm.blf id-br3n0g72wub8cejt.lyas")) returned 0 [0089.130] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.130] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.130] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.130] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\How To Restore Files.hta" [0089.131] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\how to restore files.hta")) returned 0x1 [0089.131] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0089.131] lstrlenW (lpString="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms") returned 92 [0089.131] lstrcmpiW (lpString1=".LyaS", lpString2="ns-ms") returned -1 [0089.131] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.131] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.131] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms" [0089.131] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms" [0089.131] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms id-Br3n0G72wUb8CejT.LyaS" [0089.131] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tmcontainer00000000000000000001.regtrans-ms"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tmcontainer00000000000000000001.regtrans-ms id-br3n0g72wub8cejt.lyas")) returned 0 [0089.131] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.131] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.131] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.131] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\How To Restore Files.hta" [0089.131] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\how to restore files.hta")) returned 0x1 [0089.131] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0089.131] lstrlenW (lpString="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms") returned 92 [0089.131] lstrcmpiW (lpString1=".LyaS", lpString2="ns-ms") returned -1 [0089.131] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.132] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.132] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms" [0089.132] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms" [0089.132] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms id-Br3n0G72wUb8CejT.LyaS" [0089.132] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tmcontainer00000000000000000002.regtrans-ms"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tmcontainer00000000000000000002.regtrans-ms id-br3n0g72wub8cejt.lyas")) returned 0 [0089.132] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.132] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.132] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.132] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\How To Restore Files.hta" [0089.132] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\how to restore files.hta")) returned 0x1 [0089.132] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.132] lstrcmpW (lpString1=".", lpString2="OneDrive") returned -1 [0089.132] lstrcmpW (lpString1="..", lpString2="OneDrive") returned -1 [0089.132] lstrcmpiW (lpString1="windows", lpString2="OneDrive") returned 1 [0089.135] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.135] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.135] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="OneDrive" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive" [0089.135] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\*.*" [0089.135] GlobalMemoryStatus (in: lpBuffer=0x4a7fd08 | out: lpBuffer=0x4a7fd08) [0089.135] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x105a80b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0089.136] CloseHandle (hObject=0x30c) returned 1 [0089.136] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.136] lstrcmpW (lpString1=".", lpString2="Pictures") returned -1 [0089.136] lstrcmpW (lpString1="..", lpString2="Pictures") returned -1 [0089.136] lstrcmpiW (lpString1="windows", lpString2="Pictures") returned 1 [0089.139] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.139] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.139] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Pictures" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures" [0089.139] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" [0089.139] GlobalMemoryStatus (in: lpBuffer=0x4a7fd08 | out: lpBuffer=0x4a7fd08) [0089.139] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x105c0118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0089.140] CloseHandle (hObject=0x30c) returned 1 [0089.140] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.140] lstrcmpW (lpString1=".", lpString2="PrintHood") returned -1 [0089.140] lstrcmpW (lpString1="..", lpString2="PrintHood") returned -1 [0089.140] lstrcmpiW (lpString1="windows", lpString2="PrintHood") returned 1 [0089.143] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.143] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.143] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="PrintHood" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\PrintHood") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\PrintHood" [0089.143] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\PrintHood", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\*.*" [0089.143] GlobalMemoryStatus (in: lpBuffer=0x4a7fd08 | out: lpBuffer=0x4a7fd08) [0089.143] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x105d8180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0089.144] CloseHandle (hObject=0x30c) returned 1 [0089.144] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.144] lstrcmpW (lpString1=".", lpString2="Recent") returned -1 [0089.144] lstrcmpW (lpString1="..", lpString2="Recent") returned -1 [0089.144] lstrcmpiW (lpString1="windows", lpString2="Recent") returned 1 [0089.146] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.146] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.146] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Recent" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Recent") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Recent" [0089.146] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Recent", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Recent\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Recent\\*.*" [0089.146] GlobalMemoryStatus (in: lpBuffer=0x4a7fd08 | out: lpBuffer=0x4a7fd08) [0089.146] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x105f01e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0089.147] CloseHandle (hObject=0x30c) returned 1 [0089.147] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.147] lstrcmpW (lpString1=".", lpString2="Saved Games") returned -1 [0089.147] lstrcmpW (lpString1="..", lpString2="Saved Games") returned -1 [0089.147] lstrcmpiW (lpString1="windows", lpString2="Saved Games") returned 1 [0089.150] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.150] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.150] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Saved Games" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games" [0089.150] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\*.*" [0089.150] GlobalMemoryStatus (in: lpBuffer=0x4a7fd08 | out: lpBuffer=0x4a7fd08) [0089.150] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10608250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0089.151] CloseHandle (hObject=0x30c) returned 1 [0089.151] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.151] lstrcmpW (lpString1=".", lpString2="Searches") returned -1 [0089.151] lstrcmpW (lpString1="..", lpString2="Searches") returned -1 [0089.151] lstrcmpiW (lpString1="windows", lpString2="Searches") returned 1 [0089.153] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.153] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.153] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Searches" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches" [0089.153] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*" [0089.153] GlobalMemoryStatus (in: lpBuffer=0x4a7fd08 | out: lpBuffer=0x4a7fd08) [0089.153] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x106202b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0089.155] CloseHandle (hObject=0x30c) returned 1 [0089.155] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.155] lstrcmpW (lpString1=".", lpString2="SendTo") returned -1 [0089.155] lstrcmpW (lpString1="..", lpString2="SendTo") returned -1 [0089.155] lstrcmpiW (lpString1="windows", lpString2="SendTo") returned 1 [0089.157] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.157] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.157] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="SendTo" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\SendTo") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\SendTo" [0089.157] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\SendTo", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\SendTo\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\SendTo\\*.*" [0089.157] GlobalMemoryStatus (in: lpBuffer=0x4a7fd08 | out: lpBuffer=0x4a7fd08) [0089.157] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10638320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0089.158] CloseHandle (hObject=0x30c) returned 1 [0089.158] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.158] lstrcmpW (lpString1=".", lpString2="Start Menu") returned -1 [0089.158] lstrcmpW (lpString1="..", lpString2="Start Menu") returned -1 [0089.158] lstrcmpiW (lpString1="windows", lpString2="Start Menu") returned 1 [0089.160] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.160] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.160] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Start Menu" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Start Menu") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Start Menu" [0089.160] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Start Menu", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\*.*" [0089.160] GlobalMemoryStatus (in: lpBuffer=0x4a7fd08 | out: lpBuffer=0x4a7fd08) [0089.161] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10650388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0089.161] CloseHandle (hObject=0x30c) returned 1 [0089.161] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.161] lstrcmpW (lpString1=".", lpString2="Templates") returned -1 [0089.161] lstrcmpW (lpString1="..", lpString2="Templates") returned -1 [0089.161] lstrcmpiW (lpString1="windows", lpString2="Templates") returned 1 [0089.164] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.164] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.164] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Templates" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Templates") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Templates" [0089.164] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Templates", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Templates\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Templates\\*.*" [0089.164] GlobalMemoryStatus (in: lpBuffer=0x4a7fd08 | out: lpBuffer=0x4a7fd08) [0089.164] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x106683f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0089.165] CloseHandle (hObject=0x30c) returned 1 [0089.165] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 1 [0089.165] lstrcmpW (lpString1=".", lpString2="Videos") returned -1 [0089.165] lstrcmpW (lpString1="..", lpString2="Videos") returned -1 [0089.165] lstrcmpiW (lpString1="windows", lpString2="Videos") returned 1 [0089.167] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*" [0089.167] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\*.*") returned 29 [0089.167] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Videos" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos" [0089.168] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*" [0089.168] GlobalMemoryStatus (in: lpBuffer=0x4a7fd08 | out: lpBuffer=0x4a7fd08) [0089.168] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10680458, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0089.169] CloseHandle (hObject=0x30c) returned 1 [0089.169] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x4a7fd28 | out: lpFindFileData=0x4a7fd28) returned 0 [0089.169] FindClose (in: hFindFile=0x5c8b90 | out: hFindFile=0x5c8b90) returned 1 Thread: id = 90 os_tid = 0x334 [0088.399] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\*.*", lpFindFileData=0x4bbfd28 | out: lpFindFileData=0x4bbfd28) returned 0x5c8bd0 [0088.399] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.399] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x4bbfd28 | out: lpFindFileData=0x4bbfd28) returned 1 [0088.408] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0088.408] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.408] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x4bbfd28 | out: lpFindFileData=0x4bbfd28) returned 1 [0088.408] lstrcmpW (lpString1=".", lpString2="AppData") returned -1 [0088.408] lstrcmpW (lpString1="..", lpString2="AppData") returned -1 [0088.408] lstrcmpiW (lpString1="windows", lpString2="AppData") returned 1 [0089.208] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0089.208] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0089.208] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="AppData" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData") returned="\\\\?\\C:\\Users\\Default\\AppData" [0089.208] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\*.*" [0089.208] GlobalMemoryStatus (in: lpBuffer=0x4bbfd08 | out: lpBuffer=0x4bbfd08) [0089.208] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2c48180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0089.209] CloseHandle (hObject=0x304) returned 1 [0089.209] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x4bbfd28 | out: lpFindFileData=0x4bbfd28) returned 1 [0089.209] lstrcmpW (lpString1=".", lpString2="Application Data") returned -1 [0089.209] lstrcmpW (lpString1="..", lpString2="Application Data") returned -1 [0089.209] lstrcmpiW (lpString1="windows", lpString2="Application Data") returned 1 [0089.209] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0089.209] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0089.209] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="Application Data" | out: lpString1="\\\\?\\C:\\Users\\Default\\Application Data") returned="\\\\?\\C:\\Users\\Default\\Application Data" [0089.209] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Application Data", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Application Data\\*.*") returned="\\\\?\\C:\\Users\\Default\\Application Data\\*.*" [0089.209] GlobalMemoryStatus (in: lpBuffer=0x4bbfd08 | out: lpBuffer=0x4bbfd08) [0089.209] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8c89290, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0089.210] CloseHandle (hObject=0x304) returned 1 [0089.210] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x4bbfd28 | out: lpFindFileData=0x4bbfd28) returned 1 [0089.210] lstrcmpW (lpString1=".", lpString2="Cookies") returned -1 [0089.210] lstrcmpW (lpString1="..", lpString2="Cookies") returned -1 [0089.210] lstrcmpiW (lpString1="windows", lpString2="Cookies") returned 1 [0089.210] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0089.211] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0089.211] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="Cookies" | out: lpString1="\\\\?\\C:\\Users\\Default\\Cookies") returned="\\\\?\\C:\\Users\\Default\\Cookies" [0089.211] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Cookies", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Cookies\\*.*") returned="\\\\?\\C:\\Users\\Default\\Cookies\\*.*" [0089.211] GlobalMemoryStatus (in: lpBuffer=0x4bbfd08 | out: lpBuffer=0x4bbfd08) [0089.211] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5a202b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0089.211] CloseHandle (hObject=0x304) returned 1 [0089.211] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x4bbfd28 | out: lpFindFileData=0x4bbfd28) returned 1 [0089.211] lstrcmpW (lpString1=".", lpString2="Desktop") returned -1 [0089.211] lstrcmpW (lpString1="..", lpString2="Desktop") returned -1 [0089.212] lstrcmpiW (lpString1="windows", lpString2="Desktop") returned 1 [0089.212] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0089.212] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0089.212] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="Desktop" | out: lpString1="\\\\?\\C:\\Users\\Default\\Desktop") returned="\\\\?\\C:\\Users\\Default\\Desktop" [0089.212] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Desktop", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\Default\\Desktop\\*.*" [0089.212] GlobalMemoryStatus (in: lpBuffer=0x4bbfd08 | out: lpBuffer=0x4bbfd08) [0089.212] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5a58390, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0089.213] CloseHandle (hObject=0x304) returned 1 [0089.213] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x4bbfd28 | out: lpFindFileData=0x4bbfd28) returned 1 [0089.213] lstrcmpW (lpString1=".", lpString2="Documents") returned -1 [0089.213] lstrcmpW (lpString1="..", lpString2="Documents") returned -1 [0089.213] lstrcmpiW (lpString1="windows", lpString2="Documents") returned 1 [0089.215] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0089.215] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0089.215] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="Documents" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents") returned="\\\\?\\C:\\Users\\Default\\Documents" [0089.216] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\*.*") returned="\\\\?\\C:\\Users\\Default\\Documents\\*.*" [0089.216] GlobalMemoryStatus (in: lpBuffer=0x4bbfd08 | out: lpBuffer=0x4bbfd08) [0089.216] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x106984c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0089.217] CloseHandle (hObject=0x304) returned 1 [0089.217] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x4bbfd28 | out: lpFindFileData=0x4bbfd28) returned 1 [0089.217] lstrcmpW (lpString1=".", lpString2="Downloads") returned -1 [0089.217] lstrcmpW (lpString1="..", lpString2="Downloads") returned -1 [0089.217] lstrcmpiW (lpString1="windows", lpString2="Downloads") returned 1 [0089.220] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0089.220] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0089.220] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="Downloads" | out: lpString1="\\\\?\\C:\\Users\\Default\\Downloads") returned="\\\\?\\C:\\Users\\Default\\Downloads" [0089.220] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Downloads", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Downloads\\*.*") returned="\\\\?\\C:\\Users\\Default\\Downloads\\*.*" [0089.220] GlobalMemoryStatus (in: lpBuffer=0x4bbfd08 | out: lpBuffer=0x4bbfd08) [0089.220] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x106b0528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0089.221] CloseHandle (hObject=0x304) returned 1 [0089.221] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x4bbfd28 | out: lpFindFileData=0x4bbfd28) returned 1 [0089.221] lstrcmpW (lpString1=".", lpString2="Favorites") returned -1 [0089.221] lstrcmpW (lpString1="..", lpString2="Favorites") returned -1 [0089.221] lstrcmpiW (lpString1="windows", lpString2="Favorites") returned 1 [0089.224] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0089.224] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0089.224] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="Favorites" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites") returned="\\\\?\\C:\\Users\\Default\\Favorites" [0089.224] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\*.*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\*.*" [0089.224] GlobalMemoryStatus (in: lpBuffer=0x4bbfd08 | out: lpBuffer=0x4bbfd08) [0089.224] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x106c8590, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0089.225] CloseHandle (hObject=0x304) returned 1 [0089.225] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x4bbfd28 | out: lpFindFileData=0x4bbfd28) returned 1 [0089.225] lstrcmpW (lpString1=".", lpString2="Links") returned -1 [0089.225] lstrcmpW (lpString1="..", lpString2="Links") returned -1 [0089.225] lstrcmpiW (lpString1="windows", lpString2="Links") returned 1 [0089.227] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0089.227] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0089.227] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="Links" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links") returned="\\\\?\\C:\\Users\\Default\\Links" [0089.227] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Links", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\*.*") returned="\\\\?\\C:\\Users\\Default\\Links\\*.*" [0089.227] GlobalMemoryStatus (in: lpBuffer=0x4bbfd08 | out: lpBuffer=0x4bbfd08) [0089.228] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x106e05f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0089.228] CloseHandle (hObject=0x304) returned 1 [0089.228] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x4bbfd28 | out: lpFindFileData=0x4bbfd28) returned 1 [0089.229] lstrcmpW (lpString1=".", lpString2="Local Settings") returned -1 [0089.229] lstrcmpW (lpString1="..", lpString2="Local Settings") returned -1 [0089.229] lstrcmpiW (lpString1="windows", lpString2="Local Settings") returned 1 [0089.231] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0089.231] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0089.231] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="Local Settings" | out: lpString1="\\\\?\\C:\\Users\\Default\\Local Settings") returned="\\\\?\\C:\\Users\\Default\\Local Settings" [0089.231] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Local Settings", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Local Settings\\*.*") returned="\\\\?\\C:\\Users\\Default\\Local Settings\\*.*" [0089.231] GlobalMemoryStatus (in: lpBuffer=0x4bbfd08 | out: lpBuffer=0x4bbfd08) [0089.231] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x106f8660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0089.232] CloseHandle (hObject=0x304) returned 1 [0089.233] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x4bbfd28 | out: lpFindFileData=0x4bbfd28) returned 1 [0089.233] lstrcmpW (lpString1=".", lpString2="Music") returned -1 [0089.233] lstrcmpW (lpString1="..", lpString2="Music") returned -1 [0089.233] lstrcmpiW (lpString1="windows", lpString2="Music") returned 1 [0089.235] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0089.235] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0089.235] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="Music" | out: lpString1="\\\\?\\C:\\Users\\Default\\Music") returned="\\\\?\\C:\\Users\\Default\\Music" [0089.235] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Music", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Music\\*.*") returned="\\\\?\\C:\\Users\\Default\\Music\\*.*" [0089.235] GlobalMemoryStatus (in: lpBuffer=0x4bbfd08 | out: lpBuffer=0x4bbfd08) [0089.235] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x107106c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0089.236] CloseHandle (hObject=0x304) returned 1 [0089.236] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x4bbfd28 | out: lpFindFileData=0x4bbfd28) returned 1 [0089.236] lstrcmpW (lpString1=".", lpString2="My Documents") returned -1 [0089.236] lstrcmpW (lpString1="..", lpString2="My Documents") returned -1 [0089.236] lstrcmpiW (lpString1="windows", lpString2="My Documents") returned 1 [0089.239] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0089.239] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0089.239] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="My Documents" | out: lpString1="\\\\?\\C:\\Users\\Default\\My Documents") returned="\\\\?\\C:\\Users\\Default\\My Documents" [0089.239] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\My Documents", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\My Documents\\*.*") returned="\\\\?\\C:\\Users\\Default\\My Documents\\*.*" [0089.239] GlobalMemoryStatus (in: lpBuffer=0x4bbfd08 | out: lpBuffer=0x4bbfd08) [0089.239] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10728730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0089.240] CloseHandle (hObject=0x304) returned 1 [0089.240] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x4bbfd28 | out: lpFindFileData=0x4bbfd28) returned 1 [0089.240] lstrcmpW (lpString1=".", lpString2="NetHood") returned -1 [0089.240] lstrcmpW (lpString1="..", lpString2="NetHood") returned -1 [0089.240] lstrcmpiW (lpString1="windows", lpString2="NetHood") returned 1 [0089.242] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0089.242] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0089.242] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="NetHood" | out: lpString1="\\\\?\\C:\\Users\\Default\\NetHood") returned="\\\\?\\C:\\Users\\Default\\NetHood" [0089.242] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\NetHood", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\NetHood\\*.*") returned="\\\\?\\C:\\Users\\Default\\NetHood\\*.*" [0089.242] GlobalMemoryStatus (in: lpBuffer=0x4bbfd08 | out: lpBuffer=0x4bbfd08) [0089.242] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10740798, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0089.243] CloseHandle (hObject=0x304) returned 1 [0089.243] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x4bbfd28 | out: lpFindFileData=0x4bbfd28) returned 1 [0089.243] lstrcpyW (in: lpString1=0x5a38320, lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0089.243] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0089.243] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\Default\\How To Restore Files.hta" [0089.243] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\How To Restore Files.hta" (normalized: "c:\\users\\default\\how to restore files.hta")) returned 0xffffffff [0089.244] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\How To Restore Files.hta" (normalized: "c:\\users\\default\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0089.244] WriteFile (in: hFile=0x304, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x4bbfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x4bbfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0089.245] CloseHandle (hObject=0x304) returned 1 [0089.245] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0089.246] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="NTUSER.DAT") returned -1 [0089.246] lstrlenW (lpString="NTUSER.DAT") returned 10 [0089.246] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0089.246] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0089.246] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="NTUSER.DAT" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT" [0089.246] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\NTUSER.DAT" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT" [0089.246] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT id-Br3n0G72wUb8CejT.LyaS" [0089.246] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT" (normalized: "c:\\users\\default\\ntuser.dat"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\default\\ntuser.dat id-br3n0g72wub8cejt.lyas")) returned 1 [0089.311] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\default\\ntuser.dat id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0089.312] CreateFileMappingA (hFile=0x348, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x324 [0089.312] CryptAcquireContextA (in: phProv=0x4bbfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x4bbfce4*=0x5d18b0) returned 1 [0089.312] CryptGenKey (in: hProv=0x5d18b0, Algid=0x6610, dwFlags=0x1, phKey=0x4bbfce0 | out: phKey=0x4bbfce0*=0x5c8c90) returned 1 [0089.312] CryptExportKey (in: hKey=0x5c8c90, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x4bbfbdc, pdwDataLen=0x4bbfcdc | out: pbData=0x4bbfbdc*, pdwDataLen=0x4bbfcdc*=0x2c) returned 1 [0089.312] MapViewOfFile (hFileMappingObject=0x324, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x40000) returned 0x12960000 [0089.357] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4bbfbdc*, pdwDataLen=0x4bbfcf0*=0x40, dwBufLen=0x100 | out: pbData=0x4bbfbdc*, pdwDataLen=0x4bbfcf0*=0x100) returned 1 [0089.358] CryptEncrypt (in: hKey=0x5c8c90, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x12960000, pdwDataLen=0x4bbfcdc*=0x40000, dwBufLen=0x40000 | out: pbData=0x12960000*, pdwDataLen=0x4bbfcdc*=0x40000) returned 1 [0090.963] UnmapViewOfFile (lpBaseAddress=0x12960000) returned 1 [0090.969] CloseHandle (hObject=0x324) returned 1 [0090.969] CryptDestroyKey (hKey=0x5c8c90) returned 1 [0091.137] CryptReleaseContext (hProv=0x5d18b0, dwFlags=0x0) returned 1 [0091.137] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.137] WriteFile (in: hFile=0x348, lpBuffer=0x4bbfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x4bbfcf0, lpOverlapped=0x0 | out: lpBuffer=0x4bbfbdc*, lpNumberOfBytesWritten=0x4bbfcf0*=0x100, lpOverlapped=0x0) returned 1 [0091.151] WriteFile (in: hFile=0x348, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x4bbfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x4bbfcf0*=0x500, lpOverlapped=0x0) returned 1 [0091.151] CloseHandle (hObject=0x348) returned 1 [0091.157] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0091.158] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x4bbfd28 | out: lpFindFileData=0x4bbfd28) returned 1 [0091.158] lstrcpyW (in: lpString1=0x3f000d8, lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0091.158] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0091.158] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\Default\\How To Restore Files.hta" [0091.158] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\How To Restore Files.hta" (normalized: "c:\\users\\default\\how to restore files.hta")) returned 0x1 [0091.158] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="NTUSER.DAT.LOG1") returned -1 [0091.158] lstrlenW (lpString="NTUSER.DAT.LOG1") returned 15 [0091.158] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0091.158] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0091.158] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="NTUSER.DAT.LOG1" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1" [0091.158] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1" [0091.158] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1 id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1 id-Br3n0G72wUb8CejT.LyaS" [0091.158] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1 id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\default\\ntuser.dat.log1 id-br3n0g72wub8cejt.lyas")) returned 1 [0091.159] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1 id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\default\\ntuser.dat.log1 id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0091.159] CreateFileMappingA (hFile=0x348, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x368 [0091.159] CryptAcquireContextA (in: phProv=0x4bbfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x4bbfce4*=0x5d1030) returned 1 [0091.160] CryptGenKey (in: hProv=0x5d1030, Algid=0x6610, dwFlags=0x1, phKey=0x4bbfce0 | out: phKey=0x4bbfce0*=0x5c8a90) returned 1 [0091.160] CryptExportKey (in: hKey=0x5c8a90, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x4bbfbdc, pdwDataLen=0x4bbfcdc | out: pbData=0x4bbfbdc*, pdwDataLen=0x4bbfcdc*=0x2c) returned 1 [0091.160] MapViewOfFile (hFileMappingObject=0x368, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6000) returned 0x31f0000 [0093.227] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4bbfbdc*, pdwDataLen=0x4bbfcf0*=0x40, dwBufLen=0x100 | out: pbData=0x4bbfbdc*, pdwDataLen=0x4bbfcf0*=0x100) returned 1 [0093.228] CryptEncrypt (in: hKey=0x5c8a90, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x31f0000, pdwDataLen=0x4bbfcdc*=0x6000, dwBufLen=0x6000 | out: pbData=0x31f0000*, pdwDataLen=0x4bbfcdc*=0x6000) returned 1 [0094.177] UnmapViewOfFile (lpBaseAddress=0x31f0000) returned 1 [0094.177] CloseHandle (hObject=0x368) returned 1 [0094.177] CryptDestroyKey (hKey=0x5c8a90) returned 1 [0094.177] CryptReleaseContext (hProv=0x5d1030, dwFlags=0x0) returned 1 [0094.177] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.177] WriteFile (in: hFile=0x348, lpBuffer=0x4bbfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x4bbfcf0, lpOverlapped=0x0 | out: lpBuffer=0x4bbfbdc*, lpNumberOfBytesWritten=0x4bbfcf0*=0x100, lpOverlapped=0x0) returned 1 [0094.427] WriteFile (in: hFile=0x348, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x4bbfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x4bbfcf0*=0x500, lpOverlapped=0x0) returned 1 [0094.427] CloseHandle (hObject=0x348) returned 1 [0094.434] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1 id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0094.507] FindNextFileW (in: hFindFile=0x5c8bd0, lpFindFileData=0x4bbfd28 | out: lpFindFileData=0x4bbfd28) returned 1 [0095.349] lstrcpyW (in: lpString1=0x3e1c358, lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0095.349] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0095.349] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\Default\\How To Restore Files.hta" [0095.349] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\How To Restore Files.hta" (normalized: "c:\\users\\default\\how to restore files.hta")) returned 0x1 [0095.349] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="NTUSER.DAT.LOG2") returned -1 [0095.349] lstrlenW (lpString="NTUSER.DAT.LOG2") returned 15 [0095.350] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0095.350] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0095.350] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="NTUSER.DAT.LOG2" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2" [0095.350] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2" [0095.350] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2 id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2 id-Br3n0G72wUb8CejT.LyaS" [0095.350] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2 id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\default\\ntuser.dat.log2 id-br3n0g72wub8cejt.lyas")) returned 1 [0095.397] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2 id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\default\\ntuser.dat.log2 id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0095.397] CreateFileMappingA (hFile=0x2a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x30c [0095.397] CryptAcquireContextA (in: phProv=0x4bbfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x4bbfce4*=0x1083d058) returned 1 [0095.398] CryptGenKey (in: hProv=0x1083d058, Algid=0x6610, dwFlags=0x1, phKey=0x4bbfce0 | out: phKey=0x4bbfce0*=0x5c8a90) returned 1 [0095.398] CryptExportKey (in: hKey=0x5c8a90, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x4bbfbdc, pdwDataLen=0x4bbfcdc | out: pbData=0x4bbfbdc*, pdwDataLen=0x4bbfcdc*=0x2c) returned 1 [0095.398] MapViewOfFile (hFileMappingObject=0x30c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e000) returned 0x28b00000 [0095.483] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4bbfbdc*, pdwDataLen=0x4bbfcf0*=0x40, dwBufLen=0x100 | out: pbData=0x4bbfbdc*, pdwDataLen=0x4bbfcf0*=0x100) returned 1 [0095.483] CryptEncrypt (hKey=0x5c8a90, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x28b00000, pdwDataLen=0x4bbfcdc*=0x7e000, dwBufLen=0x7e000) Thread: id = 91 os_tid = 0x434 [0088.400] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default User\\*.*", lpFindFileData=0x4cffd28 | out: lpFindFileData=0x4cffd28) returned 0xffffffff Thread: id = 92 os_tid = 0x70c [0088.400] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*", lpFindFileData=0x4e3fd28 | out: lpFindFileData=0x4e3fd28) returned 0x5c8c10 [0088.400] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.400] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x4e3fd28 | out: lpFindFileData=0x4e3fd28) returned 1 [0088.400] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0088.400] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.400] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x4e3fd28 | out: lpFindFileData=0x4e3fd28) returned 1 [0088.400] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0088.400] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0088.400] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0089.170] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0089.170] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0089.170] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US" [0089.171] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0089.171] GlobalMemoryStatus (in: lpBuffer=0x4e3fd08 | out: lpBuffer=0x4e3fd08) [0089.171] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3e30008, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0089.171] CloseHandle (hObject=0x308) returned 1 [0089.172] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x4e3fd28 | out: lpFindFileData=0x4e3fd28) returned 1 [0089.172] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0089.172] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0089.172] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\How To Restore Files.hta" [0089.172] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\How To Restore Files.hta" (normalized: "c:\\program files\\internet explorer\\how to restore files.hta")) returned 0xffffffff [0089.172] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\How To Restore Files.hta" (normalized: "c:\\program files\\internet explorer\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0089.172] WriteFile (in: hFile=0x308, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x4e3fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x4e3fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0089.173] CloseHandle (hObject=0x308) returned 1 [0089.173] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0089.174] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="hmmapi.dll") returned 1 [0089.174] lstrlenW (lpString="hmmapi.dll") returned 10 [0089.174] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0089.174] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0089.174] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="hmmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll" [0089.174] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll" [0089.174] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll id-Br3n0G72wUb8CejT.LyaS" [0089.174] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll" (normalized: "c:\\program files\\internet explorer\\hmmapi.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\internet explorer\\hmmapi.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0089.176] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x4e3fd28 | out: lpFindFileData=0x4e3fd28) returned 1 [0089.176] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0089.176] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0089.176] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\How To Restore Files.hta" [0089.176] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\How To Restore Files.hta" (normalized: "c:\\program files\\internet explorer\\how to restore files.hta")) returned 0x1 [0089.176] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="iediagcmd.exe") returned -1 [0089.176] lstrlenW (lpString="iediagcmd.exe") returned 13 [0089.177] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0089.177] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0089.177] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="iediagcmd.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\iediagcmd.exe") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\iediagcmd.exe" [0089.177] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\iediagcmd.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\iediagcmd.exe") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\iediagcmd.exe" [0089.177] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\iediagcmd.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\iediagcmd.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\iediagcmd.exe id-Br3n0G72wUb8CejT.LyaS" [0089.177] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\iediagcmd.exe" (normalized: "c:\\program files\\internet explorer\\iediagcmd.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\iediagcmd.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\internet explorer\\iediagcmd.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0089.177] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x4e3fd28 | out: lpFindFileData=0x4e3fd28) returned 1 [0089.177] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0089.177] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0089.177] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\How To Restore Files.hta" [0089.177] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\How To Restore Files.hta" (normalized: "c:\\program files\\internet explorer\\how to restore files.hta")) returned 0x1 [0089.177] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ieinstal.exe") returned -1 [0089.177] lstrlenW (lpString="ieinstal.exe") returned 12 [0089.177] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0089.177] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0089.177] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="ieinstal.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe" [0089.177] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe" [0089.177] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe id-Br3n0G72wUb8CejT.LyaS" [0089.177] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe" (normalized: "c:\\program files\\internet explorer\\ieinstal.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\internet explorer\\ieinstal.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0089.178] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x4e3fd28 | out: lpFindFileData=0x4e3fd28) returned 1 [0089.178] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0089.178] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0089.178] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\How To Restore Files.hta" [0089.178] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\How To Restore Files.hta" (normalized: "c:\\program files\\internet explorer\\how to restore files.hta")) returned 0x1 [0089.178] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ielowutil.exe") returned -1 [0089.178] lstrlenW (lpString="ielowutil.exe") returned 13 [0089.178] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0089.178] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0089.178] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="ielowutil.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe" [0089.178] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe" [0089.178] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe id-Br3n0G72wUb8CejT.LyaS" [0089.178] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe" (normalized: "c:\\program files\\internet explorer\\ielowutil.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\internet explorer\\ielowutil.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0089.196] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x4e3fd28 | out: lpFindFileData=0x4e3fd28) returned 1 [0089.196] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0089.196] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0089.196] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\How To Restore Files.hta" [0089.196] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\How To Restore Files.hta" (normalized: "c:\\program files\\internet explorer\\how to restore files.hta")) returned 0x1 [0089.196] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="IEShims.dll") returned -1 [0089.196] lstrlenW (lpString="IEShims.dll") returned 11 [0089.196] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0089.197] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0089.197] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="IEShims.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll" [0089.197] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll" [0089.197] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll id-Br3n0G72wUb8CejT.LyaS" [0089.197] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll" (normalized: "c:\\program files\\internet explorer\\ieshims.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\internet explorer\\ieshims.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0089.197] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x4e3fd28 | out: lpFindFileData=0x4e3fd28) returned 1 [0089.197] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0089.197] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0089.197] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\How To Restore Files.hta" [0089.197] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\How To Restore Files.hta" (normalized: "c:\\program files\\internet explorer\\how to restore files.hta")) returned 0x1 [0089.197] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="iexplore.exe") returned -1 [0089.197] lstrlenW (lpString="iexplore.exe") returned 12 [0089.197] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0089.197] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0089.197] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="iexplore.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe" [0089.198] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe" [0089.198] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe id-Br3n0G72wUb8CejT.LyaS" [0089.198] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe" (normalized: "c:\\program files\\internet explorer\\iexplore.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\internet explorer\\iexplore.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0089.198] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x4e3fd28 | out: lpFindFileData=0x4e3fd28) returned 1 [0089.198] lstrcmpW (lpString1=".", lpString2="images") returned -1 [0089.198] lstrcmpW (lpString1="..", lpString2="images") returned -1 [0089.198] lstrcmpiW (lpString1="windows", lpString2="images") returned 1 [0089.198] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0089.198] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0089.198] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="images" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\images") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\images" [0089.198] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\images", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\*.*" [0089.198] GlobalMemoryStatus (in: lpBuffer=0x4e3fd08 | out: lpBuffer=0x4e3fd08) [0089.199] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5a984c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0089.199] CloseHandle (hObject=0x344) returned 1 [0089.199] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x4e3fd28 | out: lpFindFileData=0x4e3fd28) returned 1 [0089.199] lstrcmpW (lpString1=".", lpString2="SIGNUP") returned -1 [0089.199] lstrcmpW (lpString1="..", lpString2="SIGNUP") returned -1 [0089.199] lstrcmpiW (lpString1="windows", lpString2="SIGNUP") returned 1 [0089.199] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0089.199] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0089.200] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="SIGNUP" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP" [0089.200] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*.*" [0089.200] GlobalMemoryStatus (in: lpBuffer=0x4e3fd08 | out: lpBuffer=0x4e3fd08) [0089.200] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2c00048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0089.201] CloseHandle (hObject=0x344) returned 1 [0089.201] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x4e3fd28 | out: lpFindFileData=0x4e3fd28) returned 1 [0089.201] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0089.201] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0089.201] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\How To Restore Files.hta" [0089.201] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\How To Restore Files.hta" (normalized: "c:\\program files\\internet explorer\\how to restore files.hta")) returned 0x1 [0089.201] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="sqmapi.dll") returned -1 [0089.201] lstrlenW (lpString="sqmapi.dll") returned 10 [0089.201] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0089.202] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0089.202] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="sqmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll" [0089.202] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll" [0089.202] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll id-Br3n0G72wUb8CejT.LyaS" [0089.202] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll" (normalized: "c:\\program files\\internet explorer\\sqmapi.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\internet explorer\\sqmapi.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0089.207] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x4e3fd28 | out: lpFindFileData=0x4e3fd28) returned 0 [0089.208] FindClose (in: hFindFile=0x5c8c10 | out: hFindFile=0x5c8c10) returned 1 Thread: id = 93 os_tid = 0x418 [0088.405] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Java\\*.*", lpFindFileData=0x55cfd28 | out: lpFindFileData=0x55cfd28) returned 0x5c8510 [0088.405] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.405] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x55cfd28 | out: lpFindFileData=0x55cfd28) returned 1 [0088.405] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0088.405] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.405] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x55cfd28 | out: lpFindFileData=0x55cfd28) returned 1 [0088.405] lstrcmpW (lpString1=".", lpString2="jre1.8.0_131") returned -1 [0088.405] lstrcmpW (lpString1="..", lpString2="jre1.8.0_131") returned -1 [0088.405] lstrcmpiW (lpString1="windows", lpString2="jre1.8.0_131") returned 1 [0089.183] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Java\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\*.*") returned="\\\\?\\C:\\Program Files\\Java\\*.*" [0089.183] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Java\\*.*") returned 29 [0089.184] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\", lpString2="jre1.8.0_131" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131" [0089.184] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" [0089.184] GlobalMemoryStatus (in: lpBuffer=0x55cfd08 | out: lpBuffer=0x55cfd08) [0089.184] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3dc0258, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x348 [0089.184] CloseHandle (hObject=0x348) returned 1 [0089.184] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x55cfd28 | out: lpFindFileData=0x55cfd28) returned 0 [0089.185] FindClose (in: hFindFile=0x5c8510 | out: hFindFile=0x5c8510) returned 1 Thread: id = 94 os_tid = 0x718 [0088.406] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*", lpFindFileData=0x570fd28 | out: lpFindFileData=0x570fd28) returned 0x5c8550 [0088.407] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.407] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0x570fd28 | out: lpFindFileData=0x570fd28) returned 1 [0088.407] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0088.407] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.407] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0x570fd28 | out: lpFindFileData=0x570fd28) returned 1 [0089.185] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" [0089.185] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned 41 [0089.185] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\How To Restore Files.hta" [0089.185] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\How To Restore Files.hta" (normalized: "c:\\program files\\microsoft office\\how to restore files.hta")) returned 0xffffffff [0089.186] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\How To Restore Files.hta" (normalized: "c:\\program files\\microsoft office\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0089.187] WriteFile (in: hFile=0x2ec, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x570fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x570fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0089.188] CloseHandle (hObject=0x2ec) returned 1 [0089.188] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0089.189] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppXManifest.xml") returned 1 [0089.189] lstrlenW (lpString="AppXManifest.xml") returned 16 [0089.189] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" [0089.189] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned 41 [0089.189] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\", lpString2="AppXManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\AppXManifest.xml" [0089.189] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\AppXManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\AppXManifest.xml" [0089.189] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\AppXManifest.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\AppXManifest.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\AppXManifest.xml id-Br3n0G72wUb8CejT.LyaS" [0089.189] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\AppXManifest.xml" (normalized: "c:\\program files\\microsoft office\\appxmanifest.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\AppXManifest.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\microsoft office\\appxmanifest.xml id-br3n0g72wub8cejt.lyas")) returned 1 [0089.190] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\AppXManifest.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\microsoft office\\appxmanifest.xml id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0089.190] CreateFileMappingA (hFile=0x2ec, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x348 [0089.190] CryptAcquireContextA (in: phProv=0x570fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x570fce4*=0x5d0d88) returned 1 [0089.191] CryptGenKey (in: hProv=0x5d0d88, Algid=0x6610, dwFlags=0x1, phKey=0x570fce0 | out: phKey=0x570fce0*=0x5c8a50) returned 1 [0089.191] CryptExportKey (in: hKey=0x5c8a50, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x570fbdc, pdwDataLen=0x570fcdc | out: pbData=0x570fbdc*, pdwDataLen=0x570fcdc*=0x2c) returned 1 [0089.191] MapViewOfFile (hFileMappingObject=0x348, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x12960000 [0089.202] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x570fbdc*, pdwDataLen=0x570fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x570fbdc*, pdwDataLen=0x570fcf0*=0x100) returned 1 [0089.203] CryptEncrypt (in: hKey=0x5c8a50, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x12960000, pdwDataLen=0x570fcdc*=0x100000, dwBufLen=0x100000 | out: pbData=0x12960000*, pdwDataLen=0x570fcdc*=0x100000) returned 1 [0089.297] UnmapViewOfFile (lpBaseAddress=0x12960000) returned 1 [0089.306] CloseHandle (hObject=0x348) returned 1 [0089.306] CryptDestroyKey (hKey=0x5c8a50) returned 1 [0089.306] CryptReleaseContext (hProv=0x5d0d88, dwFlags=0x0) returned 1 [0089.306] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.307] WriteFile (in: hFile=0x2ec, lpBuffer=0x570fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x570fcf0, lpOverlapped=0x0 | out: lpBuffer=0x570fbdc*, lpNumberOfBytesWritten=0x570fcf0*=0x100, lpOverlapped=0x0) returned 1 [0089.308] WriteFile (in: hFile=0x2ec, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x570fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x570fcf0*=0x500, lpOverlapped=0x0) returned 1 [0089.308] CloseHandle (hObject=0x2ec) returned 1 [0090.298] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\AppXManifest.xml id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0090.299] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0x570fd28 | out: lpFindFileData=0x570fd28) returned 1 [0090.299] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" [0090.299] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned 41 [0090.299] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\How To Restore Files.hta" [0090.299] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\How To Restore Files.hta" (normalized: "c:\\program files\\microsoft office\\how to restore files.hta")) returned 0x1 [0090.299] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="FileSystemMetadata.xml") returned 1 [0090.299] lstrlenW (lpString="FileSystemMetadata.xml") returned 22 [0090.299] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" [0090.299] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned 41 [0090.299] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\", lpString2="FileSystemMetadata.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml" [0090.299] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml" [0090.299] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml id-Br3n0G72wUb8CejT.LyaS" [0090.299] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml" (normalized: "c:\\program files\\microsoft office\\filesystemmetadata.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\microsoft office\\filesystemmetadata.xml id-br3n0g72wub8cejt.lyas")) returned 1 [0090.413] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\microsoft office\\filesystemmetadata.xml id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0090.414] CreateFileMappingA (hFile=0x314, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x34c [0090.414] CryptAcquireContextA (in: phProv=0x570fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x570fce4*=0x5d0e10) returned 1 [0090.414] CryptGenKey (in: hProv=0x5d0e10, Algid=0x6610, dwFlags=0x1, phKey=0x570fce0 | out: phKey=0x570fce0*=0x5c8c10) returned 1 [0090.414] CryptExportKey (in: hKey=0x5c8c10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x570fbdc, pdwDataLen=0x570fcdc | out: pbData=0x570fbdc*, pdwDataLen=0x570fcdc*=0x2c) returned 1 [0090.414] MapViewOfFile (hFileMappingObject=0x34c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100) returned 0x30c0000 [0090.422] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x570fbdc*, pdwDataLen=0x570fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x570fbdc*, pdwDataLen=0x570fcf0*=0x100) returned 1 [0090.422] CryptEncrypt (in: hKey=0x5c8c10, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30c0000*, pdwDataLen=0x570fcdc*=0x100, dwBufLen=0x100 | out: pbData=0x30c0000*, pdwDataLen=0x570fcdc*=0x100) returned 1 [0090.422] UnmapViewOfFile (lpBaseAddress=0x30c0000) returned 1 [0090.422] CloseHandle (hObject=0x34c) returned 1 [0090.422] CryptDestroyKey (hKey=0x5c8c10) returned 1 [0090.422] CryptReleaseContext (hProv=0x5d0e10, dwFlags=0x0) returned 1 [0090.422] SetFilePointerEx (in: hFile=0x314, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.423] WriteFile (in: hFile=0x314, lpBuffer=0x570fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x570fcf0, lpOverlapped=0x0 | out: lpBuffer=0x570fbdc*, lpNumberOfBytesWritten=0x570fcf0*=0x100, lpOverlapped=0x0) returned 1 [0090.977] WriteFile (in: hFile=0x314, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x570fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x570fcf0*=0x500, lpOverlapped=0x0) returned 1 [0090.977] CloseHandle (hObject=0x314) returned 1 [0090.983] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0091.081] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0x570fd28 | out: lpFindFileData=0x570fd28) returned 1 [0091.081] lstrcmpW (lpString1=".", lpString2="Office16") returned -1 [0091.081] lstrcmpW (lpString1="..", lpString2="Office16") returned -1 [0091.081] lstrcmpiW (lpString1="windows", lpString2="Office16") returned 1 [0091.081] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" [0091.081] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned 41 [0091.081] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\", lpString2="Office16" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office16") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office16" [0091.081] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office16", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office16\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office16\\*.*" [0091.081] GlobalMemoryStatus (in: lpBuffer=0x570fd08 | out: lpBuffer=0x570fd08) [0091.081] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3ea8210, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x22c [0091.082] CloseHandle (hObject=0x22c) returned 1 [0091.082] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0x570fd28 | out: lpFindFileData=0x570fd28) returned 1 [0091.082] lstrcmpW (lpString1=".", lpString2="PackageManifests") returned -1 [0091.082] lstrcmpW (lpString1="..", lpString2="PackageManifests") returned -1 [0091.082] lstrcmpiW (lpString1="windows", lpString2="PackageManifests") returned 1 [0091.085] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" [0091.085] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned 41 [0091.085] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\", lpString2="PackageManifests" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\PackageManifests") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\PackageManifests" [0091.085] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\PackageManifests", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\PackageManifests\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\PackageManifests\\*.*" [0091.085] GlobalMemoryStatus (in: lpBuffer=0x570fd08 | out: lpBuffer=0x570fd08) [0091.086] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11106d48, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x22c [0091.086] CloseHandle (hObject=0x22c) returned 1 [0091.086] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0x570fd28 | out: lpFindFileData=0x570fd28) returned 1 [0091.086] lstrcmpW (lpString1=".", lpString2="root") returned -1 [0091.086] lstrcmpW (lpString1="..", lpString2="root") returned -1 [0091.086] lstrcmpiW (lpString1="windows", lpString2="root") returned 1 [0091.089] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" [0091.089] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned 41 [0091.089] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\", lpString2="root" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root" [0091.089] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" [0091.089] GlobalMemoryStatus (in: lpBuffer=0x570fd08 | out: lpBuffer=0x570fd08) [0091.090] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1111edb0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x22c [0091.090] CloseHandle (hObject=0x22c) returned 1 [0091.090] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0x570fd28 | out: lpFindFileData=0x570fd28) returned 1 [0091.090] lstrcmpW (lpString1=".", lpString2="Updates") returned -1 [0091.090] lstrcmpW (lpString1="..", lpString2="Updates") returned -1 [0091.090] lstrcmpiW (lpString1="windows", lpString2="Updates") returned 1 [0091.095] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" [0091.095] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned 41 [0091.095] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\", lpString2="Updates" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates" [0091.095] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\*.*" [0091.095] GlobalMemoryStatus (in: lpBuffer=0x570fd08 | out: lpBuffer=0x570fd08) [0091.096] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11136e18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x22c [0091.096] CloseHandle (hObject=0x22c) returned 1 [0091.096] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0x570fd28 | out: lpFindFileData=0x570fd28) returned 0 [0091.096] FindClose (in: hFindFile=0x5c8550 | out: hFindFile=0x5c8550) returned 1 Thread: id = 95 os_tid = 0x838 [0088.407] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office 15\\*.*", lpFindFileData=0x598fd28 | out: lpFindFileData=0x598fd28) returned 0x5c85d0 [0088.407] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.407] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0x598fd28 | out: lpFindFileData=0x598fd28) returned 1 [0088.407] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0088.407] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.407] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0x598fd28 | out: lpFindFileData=0x598fd28) returned 1 [0089.203] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office 15\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office 15\\*.*" [0089.203] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office 15\\*.*") returned 44 [0089.203] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office 15\\How To Restore Files.hta" [0089.203] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office 15\\How To Restore Files.hta" (normalized: "c:\\program files\\microsoft office 15\\how to restore files.hta")) returned 0xffffffff [0089.203] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office 15\\How To Restore Files.hta" (normalized: "c:\\program files\\microsoft office 15\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0089.251] WriteFile (in: hFile=0x304, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x598fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x598fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0089.252] CloseHandle (hObject=0x304) returned 1 [0089.252] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office 15\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0089.252] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="charity.exe") returned 1 [0089.252] lstrlenW (lpString="charity.exe") returned 11 [0089.252] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office 15\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office 15\\*.*" [0089.252] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office 15\\*.*") returned 44 [0089.253] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15\\", lpString2="charity.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15\\charity.exe") returned="\\\\?\\C:\\Program Files\\Microsoft Office 15\\charity.exe" [0089.253] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office 15\\charity.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15\\charity.exe") returned="\\\\?\\C:\\Program Files\\Microsoft Office 15\\charity.exe" [0089.253] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15\\charity.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15\\charity.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Microsoft Office 15\\charity.exe id-Br3n0G72wUb8CejT.LyaS" [0089.253] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office 15\\charity.exe" (normalized: "c:\\program files\\microsoft office 15\\charity.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office 15\\charity.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\microsoft office 15\\charity.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0089.253] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office 15\\charity.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\microsoft office 15\\charity.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0089.254] CreateFileMappingA (hFile=0x304, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x2f0 [0089.254] CryptAcquireContextA (in: phProv=0x598fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x598fce4*=0x5d13e8) returned 1 [0089.254] CryptGenKey (in: hProv=0x5d13e8, Algid=0x6610, dwFlags=0x1, phKey=0x598fce0 | out: phKey=0x598fce0*=0x5c8750) returned 1 [0089.255] CryptExportKey (in: hKey=0x5c8750, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x598fbdc, pdwDataLen=0x598fcdc | out: pbData=0x598fbdc*, pdwDataLen=0x598fcdc*=0x2c) returned 1 [0089.255] MapViewOfFile (hFileMappingObject=0x2f0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12600) returned 0x31d0000 [0089.278] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x598fbdc*, pdwDataLen=0x598fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x598fbdc*, pdwDataLen=0x598fcf0*=0x100) returned 1 [0089.278] CryptEncrypt (in: hKey=0x5c8750, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x31d0000, pdwDataLen=0x598fcdc*=0x12600, dwBufLen=0x12600 | out: pbData=0x31d0000*, pdwDataLen=0x598fcdc*=0x12600) returned 1 [0089.279] UnmapViewOfFile (lpBaseAddress=0x31d0000) returned 1 [0089.280] CloseHandle (hObject=0x2f0) returned 1 [0089.280] CryptDestroyKey (hKey=0x5c8750) returned 1 [0089.280] CryptReleaseContext (hProv=0x5d13e8, dwFlags=0x0) returned 1 [0089.280] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.280] WriteFile (in: hFile=0x304, lpBuffer=0x598fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x598fcf0, lpOverlapped=0x0 | out: lpBuffer=0x598fbdc*, lpNumberOfBytesWritten=0x598fcf0*=0x100, lpOverlapped=0x0) returned 1 [0089.281] WriteFile (in: hFile=0x304, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x598fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x598fcf0*=0x500, lpOverlapped=0x0) returned 1 [0089.281] CloseHandle (hObject=0x304) returned 1 [0089.284] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office 15\\charity.exe id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0089.284] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0x598fd28 | out: lpFindFileData=0x598fd28) returned 1 [0089.284] lstrcmpW (lpString1=".", lpString2="ClientX64") returned -1 [0089.284] lstrcmpW (lpString1="..", lpString2="ClientX64") returned -1 [0089.284] lstrcmpiW (lpString1="windows", lpString2="ClientX64") returned 1 [0089.287] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office 15\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office 15\\*.*" [0089.287] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office 15\\*.*") returned 44 [0089.287] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15\\", lpString2="ClientX64" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64") returned="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64" [0089.287] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\*.*" [0089.287] GlobalMemoryStatus (in: lpBuffer=0x598fd08 | out: lpBuffer=0x598fd08) [0089.287] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10758800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0089.288] CloseHandle (hObject=0x304) returned 1 [0089.288] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0x598fd28 | out: lpFindFileData=0x598fd28) returned 0 [0089.288] FindClose (in: hFindFile=0x5c85d0 | out: hFindFile=0x5c85d0) returned 1 Thread: id = 96 os_tid = 0xac4 [0088.407] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\*.*", lpFindFileData=0x5ecfd28 | out: lpFindFileData=0x5ecfd28) returned 0x5c8750 [0088.408] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.408] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x5ecfd28 | out: lpFindFileData=0x5ecfd28) returned 1 [0089.205] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0089.205] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.205] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x5ecfd28 | out: lpFindFileData=0x5ecfd28) returned 1 [0089.205] lstrcmpW (lpString1=".", lpString2="Microsoft") returned -1 [0089.205] lstrcmpW (lpString1="..", lpString2="Microsoft") returned -1 [0089.205] lstrcmpiW (lpString1="windows", lpString2="Microsoft") returned 1 [0089.205] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\MSBuild\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\*.*" [0089.205] lstrlenW (lpString="\\\\?\\C:\\Program Files\\MSBuild\\*.*") returned 32 [0089.205] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\", lpString2="Microsoft" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft" [0089.205] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\*.*" [0089.205] GlobalMemoryStatus (in: lpBuffer=0x5ecfd08 | out: lpBuffer=0x5ecfd08) [0089.205] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3df0328, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0089.206] CloseHandle (hObject=0x344) returned 1 [0089.206] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x5ecfd28 | out: lpFindFileData=0x5ecfd28) returned 0 [0089.206] FindClose (in: hFindFile=0x5c8750 | out: hFindFile=0x5c8750) returned 1 Thread: id = 97 os_tid = 0x8cc [0088.408] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*", lpFindFileData=0x600fd28 | out: lpFindFileData=0x600fd28) returned 0x5c87d0 [0088.408] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.408] FindNextFileW (in: hFindFile=0x5c87d0, lpFindFileData=0x600fd28 | out: lpFindFileData=0x600fd28) returned 1 [0089.361] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0089.361] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.361] FindNextFileW (in: hFindFile=0x5c87d0, lpFindFileData=0x600fd28 | out: lpFindFileData=0x600fd28) returned 1 [0089.361] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*" [0089.361] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*") returned 45 [0089.361] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\How To Restore Files.hta" [0089.361] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\How To Restore Files.hta" (normalized: "c:\\program files\\reference assemblies\\how to restore files.hta")) returned 0xffffffff [0089.361] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\How To Restore Files.hta" (normalized: "c:\\program files\\reference assemblies\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0089.366] WriteFile (in: hFile=0x304, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x600fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x600fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0089.367] CloseHandle (hObject=0x304) returned 1 [0089.367] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0089.368] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="commands.exe") returned 1 [0089.368] lstrlenW (lpString="commands.exe") returned 12 [0089.368] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*" [0089.368] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*") returned 45 [0089.368] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\", lpString2="commands.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\commands.exe") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\commands.exe" [0089.368] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\commands.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\commands.exe") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\commands.exe" [0089.368] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\commands.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\commands.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\commands.exe id-Br3n0G72wUb8CejT.LyaS" [0089.368] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\commands.exe" (normalized: "c:\\program files\\reference assemblies\\commands.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\commands.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\reference assemblies\\commands.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0089.368] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\commands.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\reference assemblies\\commands.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0089.369] CreateFileMappingA (hFile=0x304, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x2f0 [0089.369] CryptAcquireContextA (in: phProv=0x600fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x600fce4*=0x5d1580) returned 1 [0089.369] CryptGenKey (in: hProv=0x5d1580, Algid=0x6610, dwFlags=0x1, phKey=0x600fce0 | out: phKey=0x600fce0*=0x5c84d0) returned 1 [0089.369] CryptExportKey (in: hKey=0x5c84d0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x600fbdc, pdwDataLen=0x600fcdc | out: pbData=0x600fbdc*, pdwDataLen=0x600fcdc*=0x2c) returned 1 [0089.369] MapViewOfFile (hFileMappingObject=0x2f0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12600) returned 0x31d0000 [0089.375] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x600fbdc*, pdwDataLen=0x600fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x600fbdc*, pdwDataLen=0x600fcf0*=0x100) returned 1 [0089.375] CryptEncrypt (in: hKey=0x5c84d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x31d0000, pdwDataLen=0x600fcdc*=0x12600, dwBufLen=0x12600 | out: pbData=0x31d0000*, pdwDataLen=0x600fcdc*=0x12600) returned 1 [0089.376] UnmapViewOfFile (lpBaseAddress=0x31d0000) returned 1 [0089.376] CloseHandle (hObject=0x2f0) returned 1 [0089.377] CryptDestroyKey (hKey=0x5c84d0) returned 1 [0089.377] CryptReleaseContext (hProv=0x5d1580, dwFlags=0x0) returned 1 [0089.377] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.377] WriteFile (in: hFile=0x304, lpBuffer=0x600fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x600fcf0, lpOverlapped=0x0 | out: lpBuffer=0x600fbdc*, lpNumberOfBytesWritten=0x600fcf0*=0x100, lpOverlapped=0x0) returned 1 [0089.378] WriteFile (in: hFile=0x304, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x600fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x600fcf0*=0x500, lpOverlapped=0x0) returned 1 [0089.378] CloseHandle (hObject=0x304) returned 1 [0089.382] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\commands.exe id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0089.383] FindNextFileW (in: hFindFile=0x5c87d0, lpFindFileData=0x600fd28 | out: lpFindFileData=0x600fd28) returned 1 [0089.383] lstrcmpW (lpString1=".", lpString2="Microsoft") returned -1 [0089.383] lstrcmpW (lpString1="..", lpString2="Microsoft") returned -1 [0089.383] lstrcmpiW (lpString1="windows", lpString2="Microsoft") returned 1 [0089.383] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*" [0089.383] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*") returned 45 [0089.383] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\", lpString2="Microsoft" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft" [0089.383] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\*.*" [0089.383] GlobalMemoryStatus (in: lpBuffer=0x600fd08 | out: lpBuffer=0x600fd08) [0089.383] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2c30118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0089.384] CloseHandle (hObject=0x304) returned 1 [0089.384] FindNextFileW (in: hFindFile=0x5c87d0, lpFindFileData=0x600fd28 | out: lpFindFileData=0x600fd28) returned 0 [0089.384] FindClose (in: hFindFile=0x5c87d0 | out: hFindFile=0x5c87d0) returned 1 Thread: id = 98 os_tid = 0xa84 [0088.409] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Uninstall Information\\*.*", lpFindFileData=0x614fd28 | out: lpFindFileData=0x614fd28) returned 0x5c8810 [0088.409] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.409] FindNextFileW (in: hFindFile=0x5c8810, lpFindFileData=0x614fd28 | out: lpFindFileData=0x614fd28) returned 1 [0089.387] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0089.387] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.387] FindNextFileW (in: hFindFile=0x5c8810, lpFindFileData=0x614fd28 | out: lpFindFileData=0x614fd28) returned 1 [0089.387] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Uninstall Information\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Uninstall Information\\*.*") returned="\\\\?\\C:\\Program Files\\Uninstall Information\\*.*" [0089.387] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Uninstall Information\\*.*") returned 46 [0089.387] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Uninstall Information\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Uninstall Information\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Uninstall Information\\How To Restore Files.hta" [0089.387] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Uninstall Information\\How To Restore Files.hta" (normalized: "c:\\program files\\uninstall information\\how to restore files.hta")) returned 0xffffffff [0089.387] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Uninstall Information\\How To Restore Files.hta" (normalized: "c:\\program files\\uninstall information\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0089.394] WriteFile (in: hFile=0x238, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x614fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x614fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0089.394] CloseHandle (hObject=0x238) returned 1 [0089.395] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Uninstall Information\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0089.395] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="just_instant_bulgaria.exe") returned -1 [0089.395] lstrlenW (lpString="just_instant_bulgaria.exe") returned 25 [0089.395] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Uninstall Information\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Uninstall Information\\*.*") returned="\\\\?\\C:\\Program Files\\Uninstall Information\\*.*" [0089.395] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Uninstall Information\\*.*") returned 46 [0089.395] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Uninstall Information\\", lpString2="just_instant_bulgaria.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Uninstall Information\\just_instant_bulgaria.exe") returned="\\\\?\\C:\\Program Files\\Uninstall Information\\just_instant_bulgaria.exe" [0089.395] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Uninstall Information\\just_instant_bulgaria.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Uninstall Information\\just_instant_bulgaria.exe") returned="\\\\?\\C:\\Program Files\\Uninstall Information\\just_instant_bulgaria.exe" [0089.396] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Uninstall Information\\just_instant_bulgaria.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Uninstall Information\\just_instant_bulgaria.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Uninstall Information\\just_instant_bulgaria.exe id-Br3n0G72wUb8CejT.LyaS" [0089.396] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Uninstall Information\\just_instant_bulgaria.exe" (normalized: "c:\\program files\\uninstall information\\just_instant_bulgaria.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Uninstall Information\\just_instant_bulgaria.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\uninstall information\\just_instant_bulgaria.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0089.396] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Uninstall Information\\just_instant_bulgaria.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\uninstall information\\just_instant_bulgaria.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0089.397] CreateFileMappingA (hFile=0x238, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x304 [0089.397] CryptAcquireContextA (in: phProv=0x614fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x614fce4*=0x5d1580) returned 1 [0089.397] CryptGenKey (in: hProv=0x5d1580, Algid=0x6610, dwFlags=0x1, phKey=0x614fce0 | out: phKey=0x614fce0*=0x5c84d0) returned 1 [0089.397] CryptExportKey (in: hKey=0x5c84d0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x614fbdc, pdwDataLen=0x614fcdc | out: pbData=0x614fbdc*, pdwDataLen=0x614fcdc*=0x2c) returned 1 [0089.397] MapViewOfFile (hFileMappingObject=0x304, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12600) returned 0x31d0000 [0089.403] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x614fbdc*, pdwDataLen=0x614fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x614fbdc*, pdwDataLen=0x614fcf0*=0x100) returned 1 [0089.403] CryptEncrypt (in: hKey=0x5c84d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x31d0000, pdwDataLen=0x614fcdc*=0x12600, dwBufLen=0x12600 | out: pbData=0x31d0000*, pdwDataLen=0x614fcdc*=0x12600) returned 1 [0089.404] UnmapViewOfFile (lpBaseAddress=0x31d0000) returned 1 [0089.405] CloseHandle (hObject=0x304) returned 1 [0089.405] CryptDestroyKey (hKey=0x5c84d0) returned 1 [0089.405] CryptReleaseContext (hProv=0x5d1580, dwFlags=0x0) returned 1 [0089.405] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.405] WriteFile (in: hFile=0x238, lpBuffer=0x614fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x614fcf0, lpOverlapped=0x0 | out: lpBuffer=0x614fbdc*, lpNumberOfBytesWritten=0x614fcf0*=0x100, lpOverlapped=0x0) returned 1 [0089.406] WriteFile (in: hFile=0x238, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x614fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x614fcf0*=0x500, lpOverlapped=0x0) returned 1 [0089.406] CloseHandle (hObject=0x238) returned 1 [0089.408] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Uninstall Information\\just_instant_bulgaria.exe id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0089.409] FindNextFileW (in: hFindFile=0x5c8810, lpFindFileData=0x614fd28 | out: lpFindFileData=0x614fd28) returned 1 [0089.409] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Uninstall Information\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Uninstall Information\\*.*") returned="\\\\?\\C:\\Program Files\\Uninstall Information\\*.*" [0089.409] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Uninstall Information\\*.*") returned 46 [0089.409] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Uninstall Information\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Uninstall Information\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Uninstall Information\\How To Restore Files.hta" [0089.409] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Uninstall Information\\How To Restore Files.hta" (normalized: "c:\\program files\\uninstall information\\how to restore files.hta")) returned 0x1 [0089.409] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="lined-tex.exe") returned -1 [0089.409] lstrlenW (lpString="lined-tex.exe") returned 13 [0089.409] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Uninstall Information\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Uninstall Information\\*.*") returned="\\\\?\\C:\\Program Files\\Uninstall Information\\*.*" [0089.409] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Uninstall Information\\*.*") returned 46 [0089.409] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Uninstall Information\\", lpString2="lined-tex.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Uninstall Information\\lined-tex.exe") returned="\\\\?\\C:\\Program Files\\Uninstall Information\\lined-tex.exe" [0089.409] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Uninstall Information\\lined-tex.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Uninstall Information\\lined-tex.exe") returned="\\\\?\\C:\\Program Files\\Uninstall Information\\lined-tex.exe" [0089.409] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Uninstall Information\\lined-tex.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Uninstall Information\\lined-tex.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Uninstall Information\\lined-tex.exe id-Br3n0G72wUb8CejT.LyaS" [0089.409] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Uninstall Information\\lined-tex.exe" (normalized: "c:\\program files\\uninstall information\\lined-tex.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Uninstall Information\\lined-tex.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\uninstall information\\lined-tex.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0089.411] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Uninstall Information\\lined-tex.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\uninstall information\\lined-tex.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0089.411] CreateFileMappingA (hFile=0x238, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x304 [0089.412] CryptAcquireContextA (in: phProv=0x614fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x614fce4*=0x5d1938) returned 1 [0089.412] CryptGenKey (in: hProv=0x5d1938, Algid=0x6610, dwFlags=0x1, phKey=0x614fce0 | out: phKey=0x614fce0*=0x5c8510) returned 1 [0089.412] CryptExportKey (in: hKey=0x5c8510, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x614fbdc, pdwDataLen=0x614fcdc | out: pbData=0x614fbdc*, pdwDataLen=0x614fcdc*=0x2c) returned 1 [0089.412] MapViewOfFile (hFileMappingObject=0x304, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12600) returned 0x31d0000 [0089.414] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x614fbdc*, pdwDataLen=0x614fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x614fbdc*, pdwDataLen=0x614fcf0*=0x100) returned 1 [0089.414] CryptEncrypt (in: hKey=0x5c8510, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x31d0000, pdwDataLen=0x614fcdc*=0x12600, dwBufLen=0x12600 | out: pbData=0x31d0000*, pdwDataLen=0x614fcdc*=0x12600) returned 1 [0089.414] UnmapViewOfFile (lpBaseAddress=0x31d0000) returned 1 [0089.415] CloseHandle (hObject=0x304) returned 1 [0089.415] CryptDestroyKey (hKey=0x5c8510) returned 1 [0089.415] CryptReleaseContext (hProv=0x5d1938, dwFlags=0x0) returned 1 [0089.415] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.415] WriteFile (in: hFile=0x238, lpBuffer=0x614fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x614fcf0, lpOverlapped=0x0 | out: lpBuffer=0x614fbdc*, lpNumberOfBytesWritten=0x614fcf0*=0x100, lpOverlapped=0x0) returned 1 [0089.416] WriteFile (in: hFile=0x238, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x614fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x614fcf0*=0x500, lpOverlapped=0x0) returned 1 [0089.416] CloseHandle (hObject=0x238) returned 1 [0089.418] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Uninstall Information\\lined-tex.exe id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0089.419] FindNextFileW (in: hFindFile=0x5c8810, lpFindFileData=0x614fd28 | out: lpFindFileData=0x614fd28) returned 0 [0089.419] FindClose (in: hFindFile=0x5c8810 | out: hFindFile=0x5c8810) returned 1 Thread: id = 99 os_tid = 0x388 [0088.409] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\*.*", lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 0x5c8890 [0088.409] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.409] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0089.424] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0089.424] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.424] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0089.424] lstrcpyW (in: lpString1=0x5a38320, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.424] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.427] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0089.427] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0089.427] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0089.428] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0089.428] CloseHandle (hObject=0xffffffff) returned 1 [0089.428] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0089.428] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AmMonitoringInstall.mof") returned 1 [0089.428] lstrlenW (lpString="AmMonitoringInstall.mof") returned 23 [0089.428] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.428] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.428] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="AmMonitoringInstall.mof" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\AmMonitoringInstall.mof") returned="\\\\?\\C:\\Program Files\\Windows Defender\\AmMonitoringInstall.mof" [0089.428] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\AmMonitoringInstall.mof" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\AmMonitoringInstall.mof") returned="\\\\?\\C:\\Program Files\\Windows Defender\\AmMonitoringInstall.mof" [0089.428] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\AmMonitoringInstall.mof", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\AmMonitoringInstall.mof id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\AmMonitoringInstall.mof id-Br3n0G72wUb8CejT.LyaS" [0089.428] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\AmMonitoringInstall.mof" (normalized: "c:\\program files\\windows defender\\ammonitoringinstall.mof"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\AmMonitoringInstall.mof id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\ammonitoringinstall.mof id-br3n0g72wub8cejt.lyas")) returned 0 [0089.429] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0089.429] lstrcpyW (in: lpString1=0x5a38320, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.429] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.429] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0089.429] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0089.429] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0089.429] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0089.429] CloseHandle (hObject=0xffffffff) returned 1 [0089.429] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0089.429] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AMMonitoringProvider.dll") returned 1 [0089.430] lstrlenW (lpString="AMMonitoringProvider.dll") returned 24 [0089.430] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.430] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.430] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="AMMonitoringProvider.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\AMMonitoringProvider.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\AMMonitoringProvider.dll" [0089.430] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\AMMonitoringProvider.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\AMMonitoringProvider.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\AMMonitoringProvider.dll" [0089.430] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\AMMonitoringProvider.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\AMMonitoringProvider.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\AMMonitoringProvider.dll id-Br3n0G72wUb8CejT.LyaS" [0089.430] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\AMMonitoringProvider.dll" (normalized: "c:\\program files\\windows defender\\ammonitoringprovider.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\AMMonitoringProvider.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\ammonitoringprovider.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0089.430] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0089.430] lstrcpyW (in: lpString1=0x5a38320, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.430] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.430] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0089.430] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0089.430] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0089.431] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0089.431] CloseHandle (hObject=0xffffffff) returned 1 [0089.431] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0089.431] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AmStatusInstall.mof") returned 1 [0089.431] lstrlenW (lpString="AmStatusInstall.mof") returned 19 [0089.431] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.431] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.431] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="AmStatusInstall.mof" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\AmStatusInstall.mof") returned="\\\\?\\C:\\Program Files\\Windows Defender\\AmStatusInstall.mof" [0089.431] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\AmStatusInstall.mof" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\AmStatusInstall.mof") returned="\\\\?\\C:\\Program Files\\Windows Defender\\AmStatusInstall.mof" [0089.431] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\AmStatusInstall.mof", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\AmStatusInstall.mof id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\AmStatusInstall.mof id-Br3n0G72wUb8CejT.LyaS" [0089.431] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\AmStatusInstall.mof" (normalized: "c:\\program files\\windows defender\\amstatusinstall.mof"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\AmStatusInstall.mof id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\amstatusinstall.mof id-br3n0g72wub8cejt.lyas")) returned 0 [0089.562] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0089.562] lstrcpyW (in: lpString1=0x5a703f8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.562] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.562] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0089.562] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0089.562] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0089.563] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0089.563] CloseHandle (hObject=0xffffffff) returned 1 [0089.563] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0089.563] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ClientWMIInstall.mof") returned 1 [0089.563] lstrlenW (lpString="ClientWMIInstall.mof") returned 20 [0089.563] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.563] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.563] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="ClientWMIInstall.mof" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\ClientWMIInstall.mof") returned="\\\\?\\C:\\Program Files\\Windows Defender\\ClientWMIInstall.mof" [0089.563] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\ClientWMIInstall.mof" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\ClientWMIInstall.mof") returned="\\\\?\\C:\\Program Files\\Windows Defender\\ClientWMIInstall.mof" [0089.563] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\ClientWMIInstall.mof", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\ClientWMIInstall.mof id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\ClientWMIInstall.mof id-Br3n0G72wUb8CejT.LyaS" [0089.563] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\ClientWMIInstall.mof" (normalized: "c:\\program files\\windows defender\\clientwmiinstall.mof"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\ClientWMIInstall.mof id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\clientwmiinstall.mof id-br3n0g72wub8cejt.lyas")) returned 0 [0089.564] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0089.564] lstrcpyW (in: lpString1=0x5a703f8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.564] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.564] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0089.564] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0089.564] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0089.564] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0089.564] CloseHandle (hObject=0xffffffff) returned 1 [0089.564] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0089.564] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ConfigSecurityPolicy.exe") returned 1 [0089.564] lstrlenW (lpString="ConfigSecurityPolicy.exe") returned 24 [0089.564] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.564] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.564] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="ConfigSecurityPolicy.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\ConfigSecurityPolicy.exe") returned="\\\\?\\C:\\Program Files\\Windows Defender\\ConfigSecurityPolicy.exe" [0089.564] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\ConfigSecurityPolicy.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\ConfigSecurityPolicy.exe") returned="\\\\?\\C:\\Program Files\\Windows Defender\\ConfigSecurityPolicy.exe" [0089.565] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\ConfigSecurityPolicy.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\ConfigSecurityPolicy.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\ConfigSecurityPolicy.exe id-Br3n0G72wUb8CejT.LyaS" [0089.565] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\ConfigSecurityPolicy.exe" (normalized: "c:\\program files\\windows defender\\configsecuritypolicy.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\ConfigSecurityPolicy.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\configsecuritypolicy.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0089.565] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0089.565] lstrcpyW (in: lpString1=0x5a703f8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.565] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.566] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0089.566] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0089.566] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0089.566] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0089.566] CloseHandle (hObject=0xffffffff) returned 1 [0089.566] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0089.566] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="DataLayer.dll") returned 1 [0089.566] lstrlenW (lpString="DataLayer.dll") returned 13 [0089.566] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.566] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.566] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="DataLayer.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\DataLayer.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\DataLayer.dll" [0089.566] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\DataLayer.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\DataLayer.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\DataLayer.dll" [0089.566] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\DataLayer.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\DataLayer.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\DataLayer.dll id-Br3n0G72wUb8CejT.LyaS" [0089.566] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\DataLayer.dll" (normalized: "c:\\program files\\windows defender\\datalayer.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\DataLayer.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\datalayer.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0089.567] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0089.567] lstrcpyW (in: lpString1=0x5a703f8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.567] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.567] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0089.567] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0089.567] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0089.568] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0089.568] CloseHandle (hObject=0xffffffff) returned 1 [0089.568] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0089.568] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="DbgHelp.dll") returned 1 [0089.568] lstrlenW (lpString="DbgHelp.dll") returned 11 [0089.568] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.568] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.568] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="DbgHelp.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\DbgHelp.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\DbgHelp.dll" [0089.568] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\DbgHelp.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\DbgHelp.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\DbgHelp.dll" [0089.568] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\DbgHelp.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\DbgHelp.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\DbgHelp.dll id-Br3n0G72wUb8CejT.LyaS" [0089.568] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\DbgHelp.dll" (normalized: "c:\\program files\\windows defender\\dbghelp.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\DbgHelp.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\dbghelp.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0089.569] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0089.569] lstrcpyW (in: lpString1=0x5a703f8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.569] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.569] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0089.569] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0089.569] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0089.570] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0089.570] CloseHandle (hObject=0xffffffff) returned 1 [0089.570] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0089.570] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="DefenderCSP.dll") returned 1 [0089.570] lstrlenW (lpString="DefenderCSP.dll") returned 15 [0089.570] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.570] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.570] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="DefenderCSP.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\DefenderCSP.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\DefenderCSP.dll" [0089.570] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\DefenderCSP.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\DefenderCSP.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\DefenderCSP.dll" [0089.570] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\DefenderCSP.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\DefenderCSP.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\DefenderCSP.dll id-Br3n0G72wUb8CejT.LyaS" [0089.570] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\DefenderCSP.dll" (normalized: "c:\\program files\\windows defender\\defendercsp.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\DefenderCSP.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\defendercsp.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0089.571] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0089.571] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0089.571] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0089.571] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0089.573] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.573] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.573] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US" [0089.573] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" [0089.573] GlobalMemoryStatus (in: lpBuffer=0x664fd08 | out: lpBuffer=0x664fd08) [0089.574] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x109e0e60, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0089.574] CloseHandle (hObject=0x344) returned 1 [0089.574] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0089.574] lstrcpyW (in: lpString1=0x5a703f8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.574] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.575] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0089.575] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0089.575] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0089.575] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0089.575] CloseHandle (hObject=0xffffffff) returned 1 [0089.575] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0089.575] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="EppManifest.dll") returned 1 [0089.575] lstrlenW (lpString="EppManifest.dll") returned 15 [0089.575] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.575] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.575] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="EppManifest.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\EppManifest.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\EppManifest.dll" [0089.575] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\EppManifest.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\EppManifest.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\EppManifest.dll" [0089.576] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\EppManifest.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\EppManifest.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\EppManifest.dll id-Br3n0G72wUb8CejT.LyaS" [0089.576] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\EppManifest.dll" (normalized: "c:\\program files\\windows defender\\eppmanifest.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\EppManifest.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\eppmanifest.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0089.576] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0089.576] lstrcpyW (in: lpString1=0x5a703f8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.576] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.576] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0089.577] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0089.577] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0089.577] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0089.577] CloseHandle (hObject=0xffffffff) returned 1 [0089.577] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0089.577] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="FepUnregister.mof") returned 1 [0089.577] lstrlenW (lpString="FepUnregister.mof") returned 17 [0089.577] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.577] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.577] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="FepUnregister.mof" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\FepUnregister.mof") returned="\\\\?\\C:\\Program Files\\Windows Defender\\FepUnregister.mof" [0089.577] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\FepUnregister.mof" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\FepUnregister.mof") returned="\\\\?\\C:\\Program Files\\Windows Defender\\FepUnregister.mof" [0089.577] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\FepUnregister.mof", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\FepUnregister.mof id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\FepUnregister.mof id-Br3n0G72wUb8CejT.LyaS" [0089.577] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\FepUnregister.mof" (normalized: "c:\\program files\\windows defender\\fepunregister.mof"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\FepUnregister.mof id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\fepunregister.mof id-br3n0g72wub8cejt.lyas")) returned 0 [0089.578] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0089.578] lstrcpyW (in: lpString1=0x5a703f8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.578] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.578] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0089.578] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0089.578] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0089.578] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0089.578] CloseHandle (hObject=0xffffffff) returned 1 [0089.578] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0089.579] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MpAsDesc.dll") returned -1 [0089.579] lstrlenW (lpString="MpAsDesc.dll") returned 12 [0089.579] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.579] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.579] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MpAsDesc.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpAsDesc.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpAsDesc.dll" [0089.579] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MpAsDesc.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpAsDesc.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpAsDesc.dll" [0089.579] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpAsDesc.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpAsDesc.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpAsDesc.dll id-Br3n0G72wUb8CejT.LyaS" [0089.579] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpAsDesc.dll" (normalized: "c:\\program files\\windows defender\\mpasdesc.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpAsDesc.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\mpasdesc.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0089.579] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0089.579] lstrcpyW (in: lpString1=0x5a703f8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.579] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.579] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0089.579] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0089.579] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0089.580] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0089.580] CloseHandle (hObject=0xffffffff) returned 1 [0089.580] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0089.580] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MpClient.dll") returned -1 [0089.580] lstrlenW (lpString="MpClient.dll") returned 12 [0089.580] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.580] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.580] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MpClient.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpClient.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpClient.dll" [0089.580] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MpClient.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpClient.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpClient.dll" [0089.580] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpClient.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpClient.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpClient.dll id-Br3n0G72wUb8CejT.LyaS" [0089.580] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpClient.dll" (normalized: "c:\\program files\\windows defender\\mpclient.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpClient.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\mpclient.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0089.581] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0089.581] lstrcpyW (in: lpString1=0x5a703f8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.581] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.581] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0089.581] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0089.581] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0089.582] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0089.582] CloseHandle (hObject=0xffffffff) returned 1 [0089.582] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0089.582] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MpCmdRun.exe") returned -1 [0089.582] lstrlenW (lpString="MpCmdRun.exe") returned 12 [0089.582] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.582] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.582] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MpCmdRun.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpCmdRun.exe") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpCmdRun.exe" [0089.582] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MpCmdRun.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpCmdRun.exe") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpCmdRun.exe" [0089.582] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpCmdRun.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpCmdRun.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpCmdRun.exe id-Br3n0G72wUb8CejT.LyaS" [0089.582] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpCmdRun.exe" (normalized: "c:\\program files\\windows defender\\mpcmdrun.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpCmdRun.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\mpcmdrun.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0089.583] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0089.583] lstrcpyW (in: lpString1=0x5a703f8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.583] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.583] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0089.583] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0089.583] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0089.583] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0089.583] CloseHandle (hObject=0xffffffff) returned 1 [0089.583] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0089.583] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MpCommu.dll") returned -1 [0089.583] lstrlenW (lpString="MpCommu.dll") returned 11 [0089.583] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.584] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.584] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MpCommu.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpCommu.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpCommu.dll" [0089.584] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MpCommu.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpCommu.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpCommu.dll" [0089.584] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpCommu.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpCommu.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpCommu.dll id-Br3n0G72wUb8CejT.LyaS" [0089.584] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpCommu.dll" (normalized: "c:\\program files\\windows defender\\mpcommu.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpCommu.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\mpcommu.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0089.862] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0089.862] lstrcpyW (in: lpString1=0x5a703f8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.862] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.862] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0089.862] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0089.862] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0089.863] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0089.863] CloseHandle (hObject=0xffffffff) returned 1 [0089.863] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0089.863] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MpEvMsg.dll") returned -1 [0089.863] lstrlenW (lpString="MpEvMsg.dll") returned 11 [0089.863] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.863] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.863] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MpEvMsg.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpEvMsg.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpEvMsg.dll" [0089.863] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MpEvMsg.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpEvMsg.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpEvMsg.dll" [0089.863] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpEvMsg.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpEvMsg.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpEvMsg.dll id-Br3n0G72wUb8CejT.LyaS" [0089.863] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpEvMsg.dll" (normalized: "c:\\program files\\windows defender\\mpevmsg.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpEvMsg.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\mpevmsg.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0089.864] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0089.864] lstrcpyW (in: lpString1=0x5a703f8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.864] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.864] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0089.864] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0089.864] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0089.864] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0089.865] CloseHandle (hObject=0xffffffff) returned 1 [0089.865] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0089.865] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MpOAV.dll") returned -1 [0089.865] lstrlenW (lpString="MpOAV.dll") returned 9 [0089.865] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.865] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.865] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MpOAV.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpOAV.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpOAV.dll" [0089.865] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MpOAV.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpOAV.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpOAV.dll" [0089.865] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpOAV.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpOAV.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpOAV.dll id-Br3n0G72wUb8CejT.LyaS" [0089.865] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpOAV.dll" (normalized: "c:\\program files\\windows defender\\mpoav.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpOAV.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\mpoav.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0089.866] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0089.866] lstrcpyW (in: lpString1=0x5a703f8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.866] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.866] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0089.866] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0089.866] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0089.866] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0089.866] CloseHandle (hObject=0xffffffff) returned 1 [0089.866] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0089.867] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MpProvider.dll") returned -1 [0089.867] lstrlenW (lpString="MpProvider.dll") returned 14 [0089.867] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.867] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.867] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MpProvider.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpProvider.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpProvider.dll" [0089.867] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MpProvider.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpProvider.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpProvider.dll" [0089.867] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpProvider.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpProvider.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpProvider.dll id-Br3n0G72wUb8CejT.LyaS" [0089.867] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpProvider.dll" (normalized: "c:\\program files\\windows defender\\mpprovider.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpProvider.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\mpprovider.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0089.868] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0089.868] lstrcpyW (in: lpString1=0x5a703f8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.868] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.868] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0089.868] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0089.868] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0089.868] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0089.868] CloseHandle (hObject=0xffffffff) returned 1 [0089.868] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0089.869] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MpRtp.dll") returned -1 [0089.869] lstrlenW (lpString="MpRtp.dll") returned 9 [0089.869] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.869] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.869] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MpRtp.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpRtp.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpRtp.dll" [0089.869] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MpRtp.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpRtp.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpRtp.dll" [0089.869] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpRtp.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpRtp.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpRtp.dll id-Br3n0G72wUb8CejT.LyaS" [0089.869] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpRtp.dll" (normalized: "c:\\program files\\windows defender\\mprtp.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpRtp.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\mprtp.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0089.869] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0089.869] lstrcpyW (in: lpString1=0x5a703f8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.870] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.870] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0089.870] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0089.870] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0089.870] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0089.870] CloseHandle (hObject=0xffffffff) returned 1 [0089.870] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0089.873] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MpSvc.dll") returned -1 [0089.873] lstrlenW (lpString="MpSvc.dll") returned 9 [0089.873] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.873] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.873] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MpSvc.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpSvc.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpSvc.dll" [0089.873] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MpSvc.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpSvc.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpSvc.dll" [0089.873] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpSvc.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpSvc.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpSvc.dll id-Br3n0G72wUb8CejT.LyaS" [0089.874] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpSvc.dll" (normalized: "c:\\program files\\windows defender\\mpsvc.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpSvc.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\mpsvc.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0089.874] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0089.874] lstrcpyW (in: lpString1=0x5a703f8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.874] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.874] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0089.874] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0089.875] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0089.875] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0089.875] CloseHandle (hObject=0xffffffff) returned 1 [0089.875] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0089.875] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MpTpmAtt.dll") returned -1 [0089.875] lstrlenW (lpString="MpTpmAtt.dll") returned 12 [0089.875] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0089.875] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0089.875] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MpTpmAtt.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpTpmAtt.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpTpmAtt.dll" [0089.876] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MpTpmAtt.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpTpmAtt.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpTpmAtt.dll" [0089.876] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpTpmAtt.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpTpmAtt.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpTpmAtt.dll id-Br3n0G72wUb8CejT.LyaS" [0089.876] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpTpmAtt.dll" (normalized: "c:\\program files\\windows defender\\mptpmatt.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpTpmAtt.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\mptpmatt.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.185] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0090.185] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.185] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.185] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0090.185] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0090.185] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0090.186] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0090.186] CloseHandle (hObject=0xffffffff) returned 1 [0090.186] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0090.186] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="mpuxhostproxy.dll") returned -1 [0090.186] lstrlenW (lpString="mpuxhostproxy.dll") returned 17 [0090.186] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.187] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.187] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="mpuxhostproxy.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\mpuxhostproxy.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\mpuxhostproxy.dll" [0090.187] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\mpuxhostproxy.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\mpuxhostproxy.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\mpuxhostproxy.dll" [0090.187] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\mpuxhostproxy.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\mpuxhostproxy.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\mpuxhostproxy.dll id-Br3n0G72wUb8CejT.LyaS" [0090.187] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\mpuxhostproxy.dll" (normalized: "c:\\program files\\windows defender\\mpuxhostproxy.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\mpuxhostproxy.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\mpuxhostproxy.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.187] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0090.187] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.187] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.187] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0090.188] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0090.188] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0090.188] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0090.188] CloseHandle (hObject=0xffffffff) returned 1 [0090.188] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0090.188] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MpUXSrv.exe") returned -1 [0090.188] lstrlenW (lpString="MpUXSrv.exe") returned 11 [0090.188] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.189] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.189] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MpUXSrv.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpUXSrv.exe") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpUXSrv.exe" [0090.189] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MpUXSrv.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpUXSrv.exe") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpUXSrv.exe" [0090.189] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpUXSrv.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpUXSrv.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpUXSrv.exe id-Br3n0G72wUb8CejT.LyaS" [0090.189] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpUXSrv.exe" (normalized: "c:\\program files\\windows defender\\mpuxsrv.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpUXSrv.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\mpuxsrv.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0090.189] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0090.189] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.189] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.189] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0090.190] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0090.190] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0090.190] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0090.190] CloseHandle (hObject=0xffffffff) returned 1 [0090.190] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0090.190] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MSASCui.exe") returned -1 [0090.190] lstrlenW (lpString="MSASCui.exe") returned 11 [0090.191] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.191] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.191] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MSASCui.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MSASCui.exe") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MSASCui.exe" [0090.191] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MSASCui.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MSASCui.exe") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MSASCui.exe" [0090.191] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MSASCui.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MSASCui.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MSASCui.exe id-Br3n0G72wUb8CejT.LyaS" [0090.191] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MSASCui.exe" (normalized: "c:\\program files\\windows defender\\msascui.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MSASCui.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\msascui.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0090.191] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0090.191] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.191] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.191] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0090.192] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0090.192] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0090.192] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0090.192] CloseHandle (hObject=0xffffffff) returned 1 [0090.192] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0090.192] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MsMpCom.dll") returned -1 [0090.192] lstrlenW (lpString="MsMpCom.dll") returned 11 [0090.192] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.193] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.193] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MsMpCom.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpCom.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpCom.dll" [0090.193] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpCom.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpCom.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpCom.dll" [0090.193] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpCom.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpCom.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpCom.dll id-Br3n0G72wUb8CejT.LyaS" [0090.193] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpCom.dll" (normalized: "c:\\program files\\windows defender\\msmpcom.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpCom.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\msmpcom.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.193] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0090.193] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.193] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.194] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0090.194] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0090.194] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0090.194] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0090.194] CloseHandle (hObject=0xffffffff) returned 1 [0090.194] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0090.195] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MsMpEng.exe") returned -1 [0090.195] lstrlenW (lpString="MsMpEng.exe") returned 11 [0090.195] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.195] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.195] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MsMpEng.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpEng.exe") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpEng.exe" [0090.195] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpEng.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpEng.exe") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpEng.exe" [0090.195] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpEng.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpEng.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpEng.exe id-Br3n0G72wUb8CejT.LyaS" [0090.195] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpEng.exe" (normalized: "c:\\program files\\windows defender\\msmpeng.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpEng.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\msmpeng.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0090.195] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0090.196] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.196] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.196] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0090.196] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0090.196] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0090.196] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0090.196] CloseHandle (hObject=0xffffffff) returned 1 [0090.196] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0090.197] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MsMpLics.dll") returned -1 [0090.197] lstrlenW (lpString="MsMpLics.dll") returned 12 [0090.197] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.197] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.197] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MsMpLics.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpLics.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpLics.dll" [0090.197] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpLics.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpLics.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpLics.dll" [0090.197] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpLics.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpLics.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpLics.dll id-Br3n0G72wUb8CejT.LyaS" [0090.197] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpLics.dll" (normalized: "c:\\program files\\windows defender\\msmplics.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpLics.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\msmplics.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.198] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0090.198] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.198] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.198] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0090.198] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0090.198] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0090.198] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0090.198] CloseHandle (hObject=0xffffffff) returned 1 [0090.198] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0090.199] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MsMpRes.dll") returned -1 [0090.199] lstrlenW (lpString="MsMpRes.dll") returned 11 [0090.199] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.199] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.199] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MsMpRes.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpRes.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpRes.dll" [0090.199] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpRes.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpRes.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpRes.dll" [0090.199] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpRes.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpRes.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpRes.dll id-Br3n0G72wUb8CejT.LyaS" [0090.199] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpRes.dll" (normalized: "c:\\program files\\windows defender\\msmpres.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpRes.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\msmpres.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.199] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0090.199] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.199] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.200] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0090.200] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0090.200] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0090.200] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0090.200] CloseHandle (hObject=0xffffffff) returned 1 [0090.200] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0090.200] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="NisIpsPlugin.dll") returned -1 [0090.200] lstrlenW (lpString="NisIpsPlugin.dll") returned 16 [0090.200] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.200] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.200] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="NisIpsPlugin.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\NisIpsPlugin.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\NisIpsPlugin.dll" [0090.200] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\NisIpsPlugin.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\NisIpsPlugin.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\NisIpsPlugin.dll" [0090.200] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\NisIpsPlugin.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\NisIpsPlugin.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\NisIpsPlugin.dll id-Br3n0G72wUb8CejT.LyaS" [0090.201] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\NisIpsPlugin.dll" (normalized: "c:\\program files\\windows defender\\nisipsplugin.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\NisIpsPlugin.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\nisipsplugin.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.301] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0090.301] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.301] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.301] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0090.301] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0090.301] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0090.301] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0090.301] CloseHandle (hObject=0xffffffff) returned 1 [0090.301] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0090.301] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="NisLog.dll") returned -1 [0090.301] lstrlenW (lpString="NisLog.dll") returned 10 [0090.301] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.301] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.301] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="NisLog.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\NisLog.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\NisLog.dll" [0090.301] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\NisLog.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\NisLog.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\NisLog.dll" [0090.302] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\NisLog.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\NisLog.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\NisLog.dll id-Br3n0G72wUb8CejT.LyaS" [0090.302] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\NisLog.dll" (normalized: "c:\\program files\\windows defender\\nislog.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\NisLog.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\nislog.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.302] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0090.302] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.302] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.302] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0090.302] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0090.302] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0090.302] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0090.302] CloseHandle (hObject=0xffffffff) returned 1 [0090.302] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0090.303] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="NisSrv.exe") returned -1 [0090.303] lstrlenW (lpString="NisSrv.exe") returned 10 [0090.303] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.303] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.303] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="NisSrv.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\NisSrv.exe") returned="\\\\?\\C:\\Program Files\\Windows Defender\\NisSrv.exe" [0090.303] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\NisSrv.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\NisSrv.exe") returned="\\\\?\\C:\\Program Files\\Windows Defender\\NisSrv.exe" [0090.303] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\NisSrv.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\NisSrv.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\NisSrv.exe id-Br3n0G72wUb8CejT.LyaS" [0090.303] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\NisSrv.exe" (normalized: "c:\\program files\\windows defender\\nissrv.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\NisSrv.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\nissrv.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0090.303] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0090.303] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.303] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.303] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0090.303] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0090.303] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0090.304] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0090.304] CloseHandle (hObject=0xffffffff) returned 1 [0090.304] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0090.304] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="NisWfp.dll") returned -1 [0090.304] lstrlenW (lpString="NisWfp.dll") returned 10 [0090.304] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.304] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.304] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="NisWfp.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\NisWfp.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\NisWfp.dll" [0090.304] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\NisWfp.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\NisWfp.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\NisWfp.dll" [0090.304] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\NisWfp.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\NisWfp.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\NisWfp.dll id-Br3n0G72wUb8CejT.LyaS" [0090.304] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\NisWfp.dll" (normalized: "c:\\program files\\windows defender\\niswfp.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\NisWfp.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\niswfp.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.304] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0090.304] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.304] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.304] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0090.304] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0090.304] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0090.305] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0090.305] CloseHandle (hObject=0xffffffff) returned 1 [0090.305] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0090.305] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ProtectionManagement.dll") returned -1 [0090.305] lstrlenW (lpString="ProtectionManagement.dll") returned 24 [0090.305] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.305] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.305] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="ProtectionManagement.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement.dll" [0090.305] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement.dll" [0090.305] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement.dll id-Br3n0G72wUb8CejT.LyaS" [0090.305] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement.dll" (normalized: "c:\\program files\\windows defender\\protectionmanagement.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\protectionmanagement.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.305] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0090.305] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.305] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.305] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0090.306] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0090.306] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0090.306] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0090.306] CloseHandle (hObject=0xffffffff) returned 1 [0090.306] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0090.306] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ProtectionManagement.mof") returned -1 [0090.306] lstrlenW (lpString="ProtectionManagement.mof") returned 24 [0090.306] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.306] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.306] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="ProtectionManagement.mof" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement.mof") returned="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement.mof" [0090.306] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement.mof" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement.mof") returned="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement.mof" [0090.306] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement.mof", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement.mof id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement.mof id-Br3n0G72wUb8CejT.LyaS" [0090.306] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement.mof" (normalized: "c:\\program files\\windows defender\\protectionmanagement.mof"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement.mof id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\protectionmanagement.mof id-br3n0g72wub8cejt.lyas")) returned 0 [0090.307] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0090.307] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.307] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.307] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0090.307] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0090.307] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0090.307] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0090.307] CloseHandle (hObject=0xffffffff) returned 1 [0090.307] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0090.307] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ProtectionManagement_Uninstall.mof") returned -1 [0090.307] lstrlenW (lpString="ProtectionManagement_Uninstall.mof") returned 34 [0090.307] lstrcmpiW (lpString1=".LyaS", lpString2="l.mof") returned -1 [0090.307] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.307] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.307] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="ProtectionManagement_Uninstall.mof" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement_Uninstall.mof") returned="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement_Uninstall.mof" [0090.307] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement_Uninstall.mof" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement_Uninstall.mof") returned="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement_Uninstall.mof" [0090.307] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement_Uninstall.mof", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement_Uninstall.mof id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement_Uninstall.mof id-Br3n0G72wUb8CejT.LyaS" [0090.307] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement_Uninstall.mof" (normalized: "c:\\program files\\windows defender\\protectionmanagement_uninstall.mof"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\ProtectionManagement_Uninstall.mof id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\protectionmanagement_uninstall.mof id-br3n0g72wub8cejt.lyas")) returned 0 [0090.308] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0090.308] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.308] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.308] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0090.308] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0090.308] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0090.308] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0090.308] CloseHandle (hObject=0xffffffff) returned 1 [0090.308] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0090.308] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="shellext.dll") returned -1 [0090.309] lstrlenW (lpString="shellext.dll") returned 12 [0090.309] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.309] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.309] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="shellext.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\shellext.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\shellext.dll" [0090.309] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\shellext.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\shellext.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\shellext.dll" [0090.309] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\shellext.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\shellext.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\shellext.dll id-Br3n0G72wUb8CejT.LyaS" [0090.309] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\shellext.dll" (normalized: "c:\\program files\\windows defender\\shellext.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\shellext.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\shellext.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.309] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0090.309] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.309] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.309] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0090.309] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0090.309] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0090.310] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0090.310] CloseHandle (hObject=0xffffffff) returned 1 [0090.310] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0090.310] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="SymSrv.dll") returned -1 [0090.310] lstrlenW (lpString="SymSrv.dll") returned 10 [0090.310] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.310] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.310] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="SymSrv.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\SymSrv.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\SymSrv.dll" [0090.310] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\SymSrv.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\SymSrv.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\SymSrv.dll" [0090.310] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\SymSrv.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\SymSrv.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\SymSrv.dll id-Br3n0G72wUb8CejT.LyaS" [0090.310] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\SymSrv.dll" (normalized: "c:\\program files\\windows defender\\symsrv.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\SymSrv.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\symsrv.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.311] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 1 [0090.311] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0090.311] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0090.311] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" [0090.311] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta")) returned 0xffffffff [0090.311] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0090.312] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x664fcf0, lpOverlapped=0x0) returned 0 [0090.312] CloseHandle (hObject=0xffffffff) returned 1 [0090.312] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0090.312] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x664fd28 | out: lpFindFileData=0x664fd28) returned 0 [0090.312] FindClose (in: hFindFile=0x5c8890 | out: hFindFile=0x5c8890) returned 1 Thread: id = 100 os_tid = 0x8d0 [0088.410] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\*.*", lpFindFileData=0x4f8fd28 | out: lpFindFileData=0x4f8fd28) returned 0x5c8910 [0088.411] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.411] FindNextFileW (in: hFindFile=0x5c8910, lpFindFileData=0x4f8fd28 | out: lpFindFileData=0x4f8fd28) returned 1 [0089.436] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0089.436] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.436] FindNextFileW (in: hFindFile=0x5c8910, lpFindFileData=0x4f8fd28 | out: lpFindFileData=0x4f8fd28) returned 1 [0089.436] lstrcmpW (lpString1=".", lpString2="AccountPictures") returned -1 [0089.436] lstrcmpW (lpString1="..", lpString2="AccountPictures") returned -1 [0089.436] lstrcmpiW (lpString1="windows", lpString2="AccountPictures") returned 1 [0089.436] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*.*") returned="\\\\?\\C:\\Users\\Public\\*.*" [0089.436] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\*.*") returned 23 [0089.436] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\", lpString2="AccountPictures" | out: lpString1="\\\\?\\C:\\Users\\Public\\AccountPictures") returned="\\\\?\\C:\\Users\\Public\\AccountPictures" [0089.436] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\AccountPictures", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\AccountPictures\\*.*") returned="\\\\?\\C:\\Users\\Public\\AccountPictures\\*.*" [0089.436] GlobalMemoryStatus (in: lpBuffer=0x4f8fd08 | out: lpBuffer=0x4f8fd08) [0089.436] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10790870, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0089.437] CloseHandle (hObject=0x304) returned 1 [0089.437] FindNextFileW (in: hFindFile=0x5c8910, lpFindFileData=0x4f8fd28 | out: lpFindFileData=0x4f8fd28) returned 1 [0089.437] lstrcmpW (lpString1=".", lpString2="Desktop") returned -1 [0089.437] lstrcmpW (lpString1="..", lpString2="Desktop") returned -1 [0089.437] lstrcmpiW (lpString1="windows", lpString2="Desktop") returned 1 [0089.440] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*.*") returned="\\\\?\\C:\\Users\\Public\\*.*" [0089.440] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\*.*") returned 23 [0089.440] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\", lpString2="Desktop" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop") returned="\\\\?\\C:\\Users\\Public\\Desktop" [0089.440] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Desktop", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\Public\\Desktop\\*.*" [0089.440] GlobalMemoryStatus (in: lpBuffer=0x4f8fd08 | out: lpBuffer=0x4f8fd08) [0089.440] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x107d0880, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0089.441] CloseHandle (hObject=0x304) returned 1 [0089.441] FindNextFileW (in: hFindFile=0x5c8910, lpFindFileData=0x4f8fd28 | out: lpFindFileData=0x4f8fd28) returned 1 [0089.441] lstrcpyW (in: lpString1=0x5a38320, lpString2="\\\\?\\C:\\Users\\Public\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*.*") returned="\\\\?\\C:\\Users\\Public\\*.*" [0089.441] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\*.*") returned 23 [0089.441] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\Public\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\Public\\How To Restore Files.hta" [0089.441] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\How To Restore Files.hta" (normalized: "c:\\users\\public\\how to restore files.hta")) returned 0xffffffff [0089.441] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\How To Restore Files.hta" (normalized: "c:\\users\\public\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0089.442] WriteFile (in: hFile=0x304, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x4f8fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x4f8fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0089.443] CloseHandle (hObject=0x304) returned 1 [0089.443] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0089.443] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="desktop.ini") returned 1 [0089.443] lstrlenW (lpString="desktop.ini") returned 11 [0089.443] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*.*") returned="\\\\?\\C:\\Users\\Public\\*.*" [0089.443] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\*.*") returned 23 [0089.444] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\desktop.ini" [0089.444] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\desktop.ini" [0089.444] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\desktop.ini", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\Public\\desktop.ini id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\Public\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" [0089.444] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\desktop.ini" (normalized: "c:\\users\\public\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\public\\desktop.ini id-br3n0g72wub8cejt.lyas")) returned 1 [0089.444] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\public\\desktop.ini id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0089.445] CreateFileMappingA (hFile=0x304, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x2f0 [0089.445] CryptAcquireContextA (in: phProv=0x4f8fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x4f8fce4*=0x5d1250) returned 1 [0089.445] CryptGenKey (in: hProv=0x5d1250, Algid=0x6610, dwFlags=0x1, phKey=0x4f8fce0 | out: phKey=0x4f8fce0*=0x5c87d0) returned 1 [0089.445] CryptExportKey (in: hKey=0x5c87d0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x4f8fbdc, pdwDataLen=0x4f8fcdc | out: pbData=0x4f8fbdc*, pdwDataLen=0x4f8fcdc*=0x2c) returned 1 [0089.445] MapViewOfFile (hFileMappingObject=0x2f0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa0) returned 0x31d0000 [0089.448] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4f8fbdc*, pdwDataLen=0x4f8fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x4f8fbdc*, pdwDataLen=0x4f8fcf0*=0x100) returned 1 [0089.448] CryptEncrypt (in: hKey=0x5c87d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x31d0000*, pdwDataLen=0x4f8fcdc*=0xa0, dwBufLen=0xa0 | out: pbData=0x31d0000*, pdwDataLen=0x4f8fcdc*=0xa0) returned 1 [0089.448] UnmapViewOfFile (lpBaseAddress=0x31d0000) returned 1 [0089.448] CloseHandle (hObject=0x2f0) returned 1 [0089.448] CryptDestroyKey (hKey=0x5c87d0) returned 1 [0089.448] CryptReleaseContext (hProv=0x5d1250, dwFlags=0x0) returned 1 [0089.448] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.448] WriteFile (in: hFile=0x304, lpBuffer=0x4f8fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x4f8fcf0, lpOverlapped=0x0 | out: lpBuffer=0x4f8fbdc*, lpNumberOfBytesWritten=0x4f8fcf0*=0x100, lpOverlapped=0x0) returned 1 [0089.449] WriteFile (in: hFile=0x304, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x4f8fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x4f8fcf0*=0x500, lpOverlapped=0x0) returned 1 [0090.008] CloseHandle (hObject=0x304) returned 1 [0090.009] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\desktop.ini id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0090.010] FindNextFileW (in: hFindFile=0x5c8910, lpFindFileData=0x4f8fd28 | out: lpFindFileData=0x4f8fd28) returned 1 [0090.010] lstrcmpW (lpString1=".", lpString2="Documents") returned -1 [0090.010] lstrcmpW (lpString1="..", lpString2="Documents") returned -1 [0090.010] lstrcmpiW (lpString1="windows", lpString2="Documents") returned 1 [0090.012] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*.*") returned="\\\\?\\C:\\Users\\Public\\*.*" [0090.012] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\*.*") returned 23 [0090.013] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\", lpString2="Documents" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents") returned="\\\\?\\C:\\Users\\Public\\Documents" [0090.013] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\*.*") returned="\\\\?\\C:\\Users\\Public\\Documents\\*.*" [0090.013] GlobalMemoryStatus (in: lpBuffer=0x4f8fd08 | out: lpBuffer=0x4f8fd08) [0090.013] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10bc1680, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0090.014] CloseHandle (hObject=0x304) returned 1 [0090.014] FindNextFileW (in: hFindFile=0x5c8910, lpFindFileData=0x4f8fd28 | out: lpFindFileData=0x4f8fd28) returned 1 [0090.014] lstrcmpW (lpString1=".", lpString2="Downloads") returned -1 [0090.014] lstrcmpW (lpString1="..", lpString2="Downloads") returned -1 [0090.014] lstrcmpiW (lpString1="windows", lpString2="Downloads") returned 1 [0090.017] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*.*") returned="\\\\?\\C:\\Users\\Public\\*.*" [0090.017] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\*.*") returned 23 [0090.017] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\", lpString2="Downloads" | out: lpString1="\\\\?\\C:\\Users\\Public\\Downloads") returned="\\\\?\\C:\\Users\\Public\\Downloads" [0090.017] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Downloads", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Downloads\\*.*") returned="\\\\?\\C:\\Users\\Public\\Downloads\\*.*" [0090.017] GlobalMemoryStatus (in: lpBuffer=0x4f8fd08 | out: lpBuffer=0x4f8fd08) [0090.017] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10bd96e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0090.018] CloseHandle (hObject=0x304) returned 1 [0090.018] FindNextFileW (in: hFindFile=0x5c8910, lpFindFileData=0x4f8fd28 | out: lpFindFileData=0x4f8fd28) returned 1 [0090.018] lstrcmpW (lpString1=".", lpString2="Libraries") returned -1 [0090.018] lstrcmpW (lpString1="..", lpString2="Libraries") returned -1 [0090.019] lstrcmpiW (lpString1="windows", lpString2="Libraries") returned 1 [0090.022] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*.*") returned="\\\\?\\C:\\Users\\Public\\*.*" [0090.022] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\*.*") returned 23 [0090.022] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\", lpString2="Libraries" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries") returned="\\\\?\\C:\\Users\\Public\\Libraries" [0090.022] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Libraries", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\*.*") returned="\\\\?\\C:\\Users\\Public\\Libraries\\*.*" [0090.022] GlobalMemoryStatus (in: lpBuffer=0x4f8fd08 | out: lpBuffer=0x4f8fd08) [0090.022] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10bf1750, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0090.023] CloseHandle (hObject=0x304) returned 1 [0090.023] FindNextFileW (in: hFindFile=0x5c8910, lpFindFileData=0x4f8fd28 | out: lpFindFileData=0x4f8fd28) returned 1 [0090.023] lstrcmpW (lpString1=".", lpString2="Music") returned -1 [0090.023] lstrcmpW (lpString1="..", lpString2="Music") returned -1 [0090.023] lstrcmpiW (lpString1="windows", lpString2="Music") returned 1 [0090.026] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*.*") returned="\\\\?\\C:\\Users\\Public\\*.*" [0090.026] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\*.*") returned 23 [0090.026] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\", lpString2="Music" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music") returned="\\\\?\\C:\\Users\\Public\\Music" [0090.026] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Music", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\*.*") returned="\\\\?\\C:\\Users\\Public\\Music\\*.*" [0090.026] GlobalMemoryStatus (in: lpBuffer=0x4f8fd08 | out: lpBuffer=0x4f8fd08) [0090.026] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10c097b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0090.027] CloseHandle (hObject=0x304) returned 1 [0090.027] FindNextFileW (in: hFindFile=0x5c8910, lpFindFileData=0x4f8fd28 | out: lpFindFileData=0x4f8fd28) returned 1 [0090.027] lstrcmpW (lpString1=".", lpString2="Pictures") returned -1 [0090.027] lstrcmpW (lpString1="..", lpString2="Pictures") returned -1 [0090.027] lstrcmpiW (lpString1="windows", lpString2="Pictures") returned 1 [0090.030] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*.*") returned="\\\\?\\C:\\Users\\Public\\*.*" [0090.030] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\*.*") returned 23 [0090.030] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\", lpString2="Pictures" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures") returned="\\\\?\\C:\\Users\\Public\\Pictures" [0090.030] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Pictures", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\Public\\Pictures\\*.*" [0090.030] GlobalMemoryStatus (in: lpBuffer=0x4f8fd08 | out: lpBuffer=0x4f8fd08) [0090.030] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10c21820, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0090.031] CloseHandle (hObject=0x304) returned 1 [0090.031] FindNextFileW (in: hFindFile=0x5c8910, lpFindFileData=0x4f8fd28 | out: lpFindFileData=0x4f8fd28) returned 1 [0090.031] lstrcmpW (lpString1=".", lpString2="Videos") returned -1 [0090.031] lstrcmpW (lpString1="..", lpString2="Videos") returned -1 [0090.031] lstrcmpiW (lpString1="windows", lpString2="Videos") returned 1 [0090.034] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*.*") returned="\\\\?\\C:\\Users\\Public\\*.*" [0090.034] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\*.*") returned 23 [0090.034] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\", lpString2="Videos" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos") returned="\\\\?\\C:\\Users\\Public\\Videos" [0090.034] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Videos", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\*.*") returned="\\\\?\\C:\\Users\\Public\\Videos\\*.*" [0090.034] GlobalMemoryStatus (in: lpBuffer=0x4f8fd08 | out: lpBuffer=0x4f8fd08) [0090.034] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10c39888, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0090.035] CloseHandle (hObject=0x304) returned 1 [0090.035] FindNextFileW (in: hFindFile=0x5c8910, lpFindFileData=0x4f8fd28 | out: lpFindFileData=0x4f8fd28) returned 0 [0090.035] FindClose (in: hFindFile=0x5c8910 | out: hFindFile=0x5c8910) returned 1 Thread: id = 102 os_tid = 0x87c [0088.411] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\*.*", lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 0x5c8d10 [0088.411] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.411] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0089.459] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0089.459] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.459] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0089.459] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0089.459] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0089.459] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0089.460] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0089.460] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0089.460] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US" [0089.460] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0089.460] GlobalMemoryStatus (in: lpBuffer=0x41bfd08 | out: lpBuffer=0x41bfd08) [0089.460] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x108088f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f0 [0089.461] CloseHandle (hObject=0x2f0) returned 1 [0089.461] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0089.461] lstrcpyW (in: lpString1=0x5a38320, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0089.461] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0089.461] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" [0089.461] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\how to restore files.hta")) returned 0xffffffff [0089.461] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0090.005] WriteFile (in: hFile=0x238, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x41bfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x41bfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0090.006] CloseHandle (hObject=0x238) returned 1 [0090.006] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0090.007] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="InkSeg.dll") returned -1 [0090.007] lstrlenW (lpString="InkSeg.dll") returned 10 [0090.007] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0090.007] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0090.007] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="InkSeg.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\InkSeg.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\InkSeg.dll" [0090.007] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\InkSeg.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\InkSeg.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\InkSeg.dll" [0090.007] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\InkSeg.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\InkSeg.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\InkSeg.dll id-Br3n0G72wUb8CejT.LyaS" [0090.007] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\InkSeg.dll" (normalized: "c:\\program files\\windows journal\\inkseg.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\InkSeg.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\inkseg.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.035] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0090.035] lstrcpyW (in: lpString1=0x5a38320, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0090.035] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0090.035] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" [0090.035] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\how to restore files.hta")) returned 0x1 [0090.036] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="JNTFiltr.dll") returned -1 [0090.036] lstrlenW (lpString="JNTFiltr.dll") returned 12 [0090.036] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0090.036] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0090.036] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="JNTFiltr.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\JNTFiltr.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\JNTFiltr.dll" [0090.036] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\JNTFiltr.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\JNTFiltr.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\JNTFiltr.dll" [0090.036] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\JNTFiltr.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\JNTFiltr.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\JNTFiltr.dll id-Br3n0G72wUb8CejT.LyaS" [0090.036] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\JNTFiltr.dll" (normalized: "c:\\program files\\windows journal\\jntfiltr.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\JNTFiltr.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\jntfiltr.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.038] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0090.038] lstrcpyW (in: lpString1=0x5a38320, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0090.038] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0090.038] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" [0090.038] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\how to restore files.hta")) returned 0x1 [0090.038] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="JNWDRV.dll") returned -1 [0090.038] lstrlenW (lpString="JNWDRV.dll") returned 10 [0090.038] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0090.038] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0090.038] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="JNWDRV.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\JNWDRV.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\JNWDRV.dll" [0090.038] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\JNWDRV.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\JNWDRV.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\JNWDRV.dll" [0090.038] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\JNWDRV.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\JNWDRV.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\JNWDRV.dll id-Br3n0G72wUb8CejT.LyaS" [0090.038] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\JNWDRV.dll" (normalized: "c:\\program files\\windows journal\\jnwdrv.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\JNWDRV.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\jnwdrv.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.097] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0090.097] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0090.097] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0090.097] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" [0090.097] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\how to restore files.hta")) returned 0x1 [0090.097] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="jnwdui.dll") returned -1 [0090.097] lstrlenW (lpString="jnwdui.dll") returned 10 [0090.097] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0090.097] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0090.097] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="jnwdui.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\jnwdui.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\jnwdui.dll" [0090.097] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\jnwdui.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\jnwdui.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\jnwdui.dll" [0090.097] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\jnwdui.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\jnwdui.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\jnwdui.dll id-Br3n0G72wUb8CejT.LyaS" [0090.097] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\jnwdui.dll" (normalized: "c:\\program files\\windows journal\\jnwdui.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\jnwdui.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\jnwdui.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.098] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0090.098] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0090.098] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0090.098] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" [0090.098] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\how to restore files.hta")) returned 0x1 [0090.099] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="jnwmon.dll") returned -1 [0090.099] lstrlenW (lpString="jnwmon.dll") returned 10 [0090.099] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0090.099] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0090.099] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="jnwmon.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\jnwmon.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\jnwmon.dll" [0090.099] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\jnwmon.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\jnwmon.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\jnwmon.dll" [0090.099] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\jnwmon.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\jnwmon.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\jnwmon.dll id-Br3n0G72wUb8CejT.LyaS" [0090.099] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\jnwmon.dll" (normalized: "c:\\program files\\windows journal\\jnwmon.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\jnwmon.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\jnwmon.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.100] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0090.100] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0090.100] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0090.100] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" [0090.100] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\how to restore files.hta")) returned 0x1 [0090.100] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="jnwppr.dll") returned -1 [0090.100] lstrlenW (lpString="jnwppr.dll") returned 10 [0090.100] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0090.100] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0090.100] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="jnwppr.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\jnwppr.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\jnwppr.dll" [0090.100] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\jnwppr.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\jnwppr.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\jnwppr.dll" [0090.100] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\jnwppr.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\jnwppr.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\jnwppr.dll id-Br3n0G72wUb8CejT.LyaS" [0090.100] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\jnwppr.dll" (normalized: "c:\\program files\\windows journal\\jnwppr.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\jnwppr.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\jnwppr.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.100] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0090.100] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0090.100] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0090.100] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" [0090.100] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\how to restore files.hta")) returned 0x1 [0090.101] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Journal.exe") returned -1 [0090.101] lstrlenW (lpString="Journal.exe") returned 11 [0090.101] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0090.101] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0090.101] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="Journal.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Journal.exe") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Journal.exe" [0090.101] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Journal.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Journal.exe") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Journal.exe" [0090.101] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Journal.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Journal.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Journal.exe id-Br3n0G72wUb8CejT.LyaS" [0090.101] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Journal.exe" (normalized: "c:\\program files\\windows journal\\journal.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Journal.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\journal.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0090.101] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0090.101] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0090.101] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0090.101] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" [0090.101] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\how to restore files.hta")) returned 0x1 [0090.101] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MSPVWCTL.DLL") returned -1 [0090.101] lstrlenW (lpString="MSPVWCTL.DLL") returned 12 [0090.101] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0090.101] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0090.101] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="MSPVWCTL.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\MSPVWCTL.DLL") returned="\\\\?\\C:\\Program Files\\Windows Journal\\MSPVWCTL.DLL" [0090.101] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\MSPVWCTL.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\MSPVWCTL.DLL") returned="\\\\?\\C:\\Program Files\\Windows Journal\\MSPVWCTL.DLL" [0090.101] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\MSPVWCTL.DLL", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\MSPVWCTL.DLL id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\MSPVWCTL.DLL id-Br3n0G72wUb8CejT.LyaS" [0090.102] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\MSPVWCTL.DLL" (normalized: "c:\\program files\\windows journal\\mspvwctl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\MSPVWCTL.DLL id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\mspvwctl.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.104] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0090.104] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0090.104] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0090.104] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" [0090.104] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\how to restore files.hta")) returned 0x1 [0090.104] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="NBDoc.DLL") returned -1 [0090.104] lstrlenW (lpString="NBDoc.DLL") returned 9 [0090.104] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0090.104] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0090.104] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="NBDoc.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\NBDoc.DLL") returned="\\\\?\\C:\\Program Files\\Windows Journal\\NBDoc.DLL" [0090.104] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\NBDoc.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\NBDoc.DLL") returned="\\\\?\\C:\\Program Files\\Windows Journal\\NBDoc.DLL" [0090.105] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\NBDoc.DLL", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\NBDoc.DLL id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\NBDoc.DLL id-Br3n0G72wUb8CejT.LyaS" [0090.105] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\NBDoc.DLL" (normalized: "c:\\program files\\windows journal\\nbdoc.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\NBDoc.DLL id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\nbdoc.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.106] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0090.106] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0090.106] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0090.106] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" [0090.106] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\how to restore files.hta")) returned 0x1 [0090.106] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="NBMapTIP.dll") returned -1 [0090.106] lstrlenW (lpString="NBMapTIP.dll") returned 12 [0090.106] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0090.106] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0090.106] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="NBMapTIP.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\NBMapTIP.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\NBMapTIP.dll" [0090.106] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\NBMapTIP.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\NBMapTIP.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\NBMapTIP.dll" [0090.106] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\NBMapTIP.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\NBMapTIP.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\NBMapTIP.dll id-Br3n0G72wUb8CejT.LyaS" [0090.106] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\NBMapTIP.dll" (normalized: "c:\\program files\\windows journal\\nbmaptip.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\NBMapTIP.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\nbmaptip.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.108] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0090.108] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0090.108] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0090.108] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" [0090.108] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\how to restore files.hta")) returned 0x1 [0090.108] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="orders oxide shift.exe") returned -1 [0090.108] lstrlenW (lpString="orders oxide shift.exe") returned 22 [0090.108] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0090.108] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0090.108] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="orders oxide shift.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\orders oxide shift.exe") returned="\\\\?\\C:\\Program Files\\Windows Journal\\orders oxide shift.exe" [0090.108] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\orders oxide shift.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\orders oxide shift.exe") returned="\\\\?\\C:\\Program Files\\Windows Journal\\orders oxide shift.exe" [0090.108] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\orders oxide shift.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\orders oxide shift.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\orders oxide shift.exe id-Br3n0G72wUb8CejT.LyaS" [0090.108] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\orders oxide shift.exe" (normalized: "c:\\program files\\windows journal\\orders oxide shift.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\orders oxide shift.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\orders oxide shift.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0090.109] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\orders oxide shift.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\orders oxide shift.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x28c [0090.110] CreateFileMappingA (hFile=0x28c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x304 [0090.110] CryptAcquireContextA (in: phProv=0x41bfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x41bfce4*=0x5d0d00) returned 1 [0090.110] CryptGenKey (in: hProv=0x5d0d00, Algid=0x6610, dwFlags=0x1, phKey=0x41bfce0 | out: phKey=0x41bfce0*=0x5c9090) returned 1 [0090.110] CryptExportKey (in: hKey=0x5c9090, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x41bfbdc, pdwDataLen=0x41bfcdc | out: pbData=0x41bfbdc*, pdwDataLen=0x41bfcdc*=0x2c) returned 1 [0090.110] MapViewOfFile (hFileMappingObject=0x304, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12600) returned 0x31d0000 [0090.118] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x41bfbdc*, pdwDataLen=0x41bfcf0*=0x40, dwBufLen=0x100 | out: pbData=0x41bfbdc*, pdwDataLen=0x41bfcf0*=0x100) returned 1 [0090.118] CryptEncrypt (in: hKey=0x5c9090, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x31d0000, pdwDataLen=0x41bfcdc*=0x12600, dwBufLen=0x12600 | out: pbData=0x31d0000*, pdwDataLen=0x41bfcdc*=0x12600) returned 1 [0090.119] UnmapViewOfFile (lpBaseAddress=0x31d0000) returned 1 [0090.120] CloseHandle (hObject=0x304) returned 1 [0090.120] CryptDestroyKey (hKey=0x5c9090) returned 1 [0090.120] CryptReleaseContext (hProv=0x5d0d00, dwFlags=0x0) returned 1 [0090.120] SetFilePointerEx (in: hFile=0x28c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.120] WriteFile (in: hFile=0x28c, lpBuffer=0x41bfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x41bfcf0, lpOverlapped=0x0 | out: lpBuffer=0x41bfbdc*, lpNumberOfBytesWritten=0x41bfcf0*=0x100, lpOverlapped=0x0) returned 1 [0090.121] WriteFile (in: hFile=0x28c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x41bfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x41bfcf0*=0x500, lpOverlapped=0x0) returned 1 [0090.121] CloseHandle (hObject=0x28c) returned 1 [0090.124] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\orders oxide shift.exe id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0090.124] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0090.124] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0090.124] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0090.124] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" [0090.124] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\how to restore files.hta")) returned 0x1 [0090.125] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="PDIALOG.exe") returned -1 [0090.125] lstrlenW (lpString="PDIALOG.exe") returned 11 [0090.125] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0090.125] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0090.125] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="PDIALOG.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\PDIALOG.exe") returned="\\\\?\\C:\\Program Files\\Windows Journal\\PDIALOG.exe" [0090.125] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\PDIALOG.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\PDIALOG.exe") returned="\\\\?\\C:\\Program Files\\Windows Journal\\PDIALOG.exe" [0090.125] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\PDIALOG.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\PDIALOG.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\PDIALOG.exe id-Br3n0G72wUb8CejT.LyaS" [0090.125] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\PDIALOG.exe" (normalized: "c:\\program files\\windows journal\\pdialog.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\PDIALOG.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\pdialog.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0090.125] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 1 [0090.125] lstrcmpW (lpString1=".", lpString2="Templates") returned -1 [0090.125] lstrcmpW (lpString1="..", lpString2="Templates") returned -1 [0090.125] lstrcmpiW (lpString1="windows", lpString2="Templates") returned 1 [0090.125] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0090.125] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0090.125] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="Templates" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates" [0090.125] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0090.125] GlobalMemoryStatus (in: lpBuffer=0x41bfd08 | out: lpBuffer=0x41bfd08) [0090.126] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10770868, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x28c [0090.127] CloseHandle (hObject=0x28c) returned 1 [0090.127] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x41bfd28 | out: lpFindFileData=0x41bfd28) returned 0 [0090.127] FindClose (in: hFindFile=0x5c8d10 | out: hFindFile=0x5c8d10) returned 1 Thread: id = 103 os_tid = 0xb80 [0088.411] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\*.*", lpFindFileData=0x50cfd28 | out: lpFindFileData=0x50cfd28) returned 0x5c9450 [0088.411] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.411] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x50cfd28 | out: lpFindFileData=0x50cfd28) returned 1 [0089.464] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0089.464] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.464] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x50cfd28 | out: lpFindFileData=0x50cfd28) returned 1 [0089.464] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0089.464] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0089.464] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0089.467] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0089.467] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0089.467] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US" [0089.467] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*" [0089.468] GlobalMemoryStatus (in: lpBuffer=0x50cfd08 | out: lpBuffer=0x50cfd08) [0089.468] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10840960, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f0 [0089.468] CloseHandle (hObject=0x2f0) returned 1 [0089.468] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x50cfd28 | out: lpFindFileData=0x50cfd28) returned 1 [0089.468] lstrcpyW (in: lpString1=0x3da01e8, lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0089.468] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0089.469] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta" [0089.469] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta" (normalized: "c:\\program files\\windows mail\\how to restore files.hta")) returned 0xffffffff [0089.469] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta" (normalized: "c:\\program files\\windows mail\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x28c [0090.071] WriteFile (in: hFile=0x28c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x50cfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x50cfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0090.072] CloseHandle (hObject=0x28c) returned 1 [0090.072] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0090.073] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msoe.dll") returned -1 [0090.073] lstrlenW (lpString="msoe.dll") returned 8 [0090.073] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0090.073] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0090.073] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="msoe.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\msoe.dll") returned="\\\\?\\C:\\Program Files\\Windows Mail\\msoe.dll" [0090.073] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\msoe.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\msoe.dll") returned="\\\\?\\C:\\Program Files\\Windows Mail\\msoe.dll" [0090.073] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\msoe.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\msoe.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Mail\\msoe.dll id-Br3n0G72wUb8CejT.LyaS" [0090.073] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Mail\\msoe.dll" (normalized: "c:\\program files\\windows mail\\msoe.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Mail\\msoe.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows mail\\msoe.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.287] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x50cfd28 | out: lpFindFileData=0x50cfd28) returned 1 [0090.287] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0090.287] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0090.287] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta" [0090.287] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta" (normalized: "c:\\program files\\windows mail\\how to restore files.hta")) returned 0x1 [0090.287] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MSOERES.dll") returned -1 [0090.287] lstrlenW (lpString="MSOERES.dll") returned 11 [0090.287] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0090.287] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0090.287] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="MSOERES.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\MSOERES.dll") returned="\\\\?\\C:\\Program Files\\Windows Mail\\MSOERES.dll" [0090.287] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\MSOERES.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\MSOERES.dll") returned="\\\\?\\C:\\Program Files\\Windows Mail\\MSOERES.dll" [0090.287] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\MSOERES.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\MSOERES.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Mail\\MSOERES.dll id-Br3n0G72wUb8CejT.LyaS" [0090.287] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Mail\\MSOERES.dll" (normalized: "c:\\program files\\windows mail\\msoeres.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Mail\\MSOERES.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows mail\\msoeres.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.391] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x50cfd28 | out: lpFindFileData=0x50cfd28) returned 1 [0090.391] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0090.391] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0090.391] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta" [0090.391] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta" (normalized: "c:\\program files\\windows mail\\how to restore files.hta")) returned 0x1 [0090.391] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="oeimport.dll") returned -1 [0090.391] lstrlenW (lpString="oeimport.dll") returned 12 [0090.391] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0090.391] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0090.391] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="oeimport.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\oeimport.dll") returned="\\\\?\\C:\\Program Files\\Windows Mail\\oeimport.dll" [0090.391] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\oeimport.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\oeimport.dll") returned="\\\\?\\C:\\Program Files\\Windows Mail\\oeimport.dll" [0090.391] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\oeimport.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\oeimport.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Mail\\oeimport.dll id-Br3n0G72wUb8CejT.LyaS" [0090.391] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Mail\\oeimport.dll" (normalized: "c:\\program files\\windows mail\\oeimport.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Mail\\oeimport.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows mail\\oeimport.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.392] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x50cfd28 | out: lpFindFileData=0x50cfd28) returned 1 [0090.392] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0090.392] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0090.392] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta" [0090.392] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta" (normalized: "c:\\program files\\windows mail\\how to restore files.hta")) returned 0x1 [0090.392] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="tr_wireless.exe") returned -1 [0090.392] lstrlenW (lpString="tr_wireless.exe") returned 15 [0090.392] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0090.392] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0090.392] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="tr_wireless.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\tr_wireless.exe") returned="\\\\?\\C:\\Program Files\\Windows Mail\\tr_wireless.exe" [0090.392] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\tr_wireless.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\tr_wireless.exe") returned="\\\\?\\C:\\Program Files\\Windows Mail\\tr_wireless.exe" [0090.392] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\tr_wireless.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\tr_wireless.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Mail\\tr_wireless.exe id-Br3n0G72wUb8CejT.LyaS" [0090.392] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Mail\\tr_wireless.exe" (normalized: "c:\\program files\\windows mail\\tr_wireless.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Mail\\tr_wireless.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows mail\\tr_wireless.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0090.393] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\tr_wireless.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows mail\\tr_wireless.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0090.393] CreateFileMappingA (hFile=0x374, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x36c [0090.393] CryptAcquireContextA (in: phProv=0x50cfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x50cfce4*=0x5d0e10) returned 1 [0090.394] CryptGenKey (in: hProv=0x5d0e10, Algid=0x6610, dwFlags=0x1, phKey=0x50cfce0 | out: phKey=0x50cfce0*=0x5c8dd0) returned 1 [0090.394] CryptExportKey (in: hKey=0x5c8dd0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x50cfbdc, pdwDataLen=0x50cfcdc | out: pbData=0x50cfbdc*, pdwDataLen=0x50cfcdc*=0x2c) returned 1 [0090.394] MapViewOfFile (hFileMappingObject=0x36c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12600) returned 0x31d0000 [0090.396] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x50cfbdc*, pdwDataLen=0x50cfcf0*=0x40, dwBufLen=0x100 | out: pbData=0x50cfbdc*, pdwDataLen=0x50cfcf0*=0x100) returned 1 [0090.397] CryptEncrypt (in: hKey=0x5c8dd0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x31d0000, pdwDataLen=0x50cfcdc*=0x12600, dwBufLen=0x12600 | out: pbData=0x31d0000*, pdwDataLen=0x50cfcdc*=0x12600) returned 1 [0090.397] UnmapViewOfFile (lpBaseAddress=0x31d0000) returned 1 [0090.398] CloseHandle (hObject=0x36c) returned 1 [0090.398] CryptDestroyKey (hKey=0x5c8dd0) returned 1 [0090.398] CryptReleaseContext (hProv=0x5d0e10, dwFlags=0x0) returned 1 [0090.398] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.398] WriteFile (in: hFile=0x374, lpBuffer=0x50cfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x50cfcf0, lpOverlapped=0x0 | out: lpBuffer=0x50cfbdc*, lpNumberOfBytesWritten=0x50cfcf0*=0x100, lpOverlapped=0x0) returned 1 [0090.399] WriteFile (in: hFile=0x374, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x50cfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x50cfcf0*=0x500, lpOverlapped=0x0) returned 1 [0090.400] CloseHandle (hObject=0x374) returned 1 [0090.405] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\tr_wireless.exe id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0090.406] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x50cfd28 | out: lpFindFileData=0x50cfd28) returned 1 [0090.406] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0090.406] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0090.406] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta" [0090.406] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta" (normalized: "c:\\program files\\windows mail\\how to restore files.hta")) returned 0x1 [0090.406] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wab.exe") returned -1 [0090.406] lstrlenW (lpString="wab.exe") returned 7 [0090.406] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0090.406] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0090.406] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="wab.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wab.exe") returned="\\\\?\\C:\\Program Files\\Windows Mail\\wab.exe" [0090.406] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\wab.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wab.exe") returned="\\\\?\\C:\\Program Files\\Windows Mail\\wab.exe" [0090.406] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wab.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wab.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Mail\\wab.exe id-Br3n0G72wUb8CejT.LyaS" [0090.406] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Mail\\wab.exe" (normalized: "c:\\program files\\windows mail\\wab.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Mail\\wab.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows mail\\wab.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0090.407] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x50cfd28 | out: lpFindFileData=0x50cfd28) returned 1 [0090.407] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0090.407] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0090.407] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta" [0090.407] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta" (normalized: "c:\\program files\\windows mail\\how to restore files.hta")) returned 0x1 [0090.407] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wabimp.dll") returned -1 [0090.407] lstrlenW (lpString="wabimp.dll") returned 10 [0090.407] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0090.407] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0090.407] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="wabimp.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wabimp.dll") returned="\\\\?\\C:\\Program Files\\Windows Mail\\wabimp.dll" [0090.407] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\wabimp.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wabimp.dll") returned="\\\\?\\C:\\Program Files\\Windows Mail\\wabimp.dll" [0090.407] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wabimp.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wabimp.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Mail\\wabimp.dll id-Br3n0G72wUb8CejT.LyaS" [0090.407] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Mail\\wabimp.dll" (normalized: "c:\\program files\\windows mail\\wabimp.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Mail\\wabimp.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows mail\\wabimp.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.407] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x50cfd28 | out: lpFindFileData=0x50cfd28) returned 1 [0090.407] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0090.407] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0090.408] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta" [0090.408] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta" (normalized: "c:\\program files\\windows mail\\how to restore files.hta")) returned 0x1 [0090.408] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wabmig.exe") returned -1 [0090.408] lstrlenW (lpString="wabmig.exe") returned 10 [0090.408] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0090.408] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0090.408] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="wabmig.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wabmig.exe") returned="\\\\?\\C:\\Program Files\\Windows Mail\\wabmig.exe" [0090.408] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\wabmig.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wabmig.exe") returned="\\\\?\\C:\\Program Files\\Windows Mail\\wabmig.exe" [0090.408] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wabmig.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wabmig.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Mail\\wabmig.exe id-Br3n0G72wUb8CejT.LyaS" [0090.408] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Mail\\wabmig.exe" (normalized: "c:\\program files\\windows mail\\wabmig.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Mail\\wabmig.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows mail\\wabmig.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0090.408] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x50cfd28 | out: lpFindFileData=0x50cfd28) returned 1 [0090.408] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0090.408] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0090.408] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta" [0090.408] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\How To Restore Files.hta" (normalized: "c:\\program files\\windows mail\\how to restore files.hta")) returned 0x1 [0090.408] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="WinMail.exe") returned -1 [0090.409] lstrlenW (lpString="WinMail.exe") returned 11 [0090.409] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0090.409] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0090.409] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="WinMail.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\WinMail.exe") returned="\\\\?\\C:\\Program Files\\Windows Mail\\WinMail.exe" [0090.409] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\WinMail.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\WinMail.exe") returned="\\\\?\\C:\\Program Files\\Windows Mail\\WinMail.exe" [0090.409] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\WinMail.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\WinMail.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Mail\\WinMail.exe id-Br3n0G72wUb8CejT.LyaS" [0090.409] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Mail\\WinMail.exe" (normalized: "c:\\program files\\windows mail\\winmail.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Mail\\WinMail.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows mail\\winmail.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0090.409] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x50cfd28 | out: lpFindFileData=0x50cfd28) returned 0 [0090.409] FindClose (in: hFindFile=0x5c9450 | out: hFindFile=0x5c9450) returned 1 Thread: id = 104 os_tid = 0x8a0 [0088.411] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*", lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 0x5c8cd0 [0088.412] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.412] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 1 [0089.472] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0089.472] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.472] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 1 [0089.474] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0089.474] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0089.474] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" [0089.474] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\how to restore files.hta")) returned 0xffffffff [0089.474] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0090.268] WriteFile (in: hFile=0x2a8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x520fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x520fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0090.269] CloseHandle (hObject=0x2a8) returned 1 [0090.269] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0090.269] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="affected.exe") returned 1 [0090.269] lstrlenW (lpString="affected.exe") returned 12 [0090.269] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0090.269] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0090.269] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="affected.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\affected.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\affected.exe" [0090.270] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\affected.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\affected.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\affected.exe" [0090.270] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\affected.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\affected.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\affected.exe id-Br3n0G72wUb8CejT.LyaS" [0090.270] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\affected.exe" (normalized: "c:\\program files\\windows media player\\affected.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\affected.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\affected.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0090.270] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\affected.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\affected.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0090.271] CreateFileMappingA (hFile=0x2a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x28c [0090.271] CryptAcquireContextA (in: phProv=0x520fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x520fce4*=0x5d1140) returned 1 [0090.271] CryptGenKey (in: hProv=0x5d1140, Algid=0x6610, dwFlags=0x1, phKey=0x520fce0 | out: phKey=0x520fce0*=0x5c8fd0) returned 1 [0090.271] CryptExportKey (in: hKey=0x5c8fd0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x520fbdc, pdwDataLen=0x520fcdc | out: pbData=0x520fbdc*, pdwDataLen=0x520fcdc*=0x2c) returned 1 [0090.271] MapViewOfFile (hFileMappingObject=0x28c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12600) returned 0x31d0000 [0090.273] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x520fbdc*, pdwDataLen=0x520fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x520fbdc*, pdwDataLen=0x520fcf0*=0x100) returned 1 [0090.274] CryptEncrypt (in: hKey=0x5c8fd0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x31d0000, pdwDataLen=0x520fcdc*=0x12600, dwBufLen=0x12600 | out: pbData=0x31d0000*, pdwDataLen=0x520fcdc*=0x12600) returned 1 [0090.274] UnmapViewOfFile (lpBaseAddress=0x31d0000) returned 1 [0090.275] CloseHandle (hObject=0x28c) returned 1 [0090.275] CryptDestroyKey (hKey=0x5c8fd0) returned 1 [0090.275] CryptReleaseContext (hProv=0x5d1140, dwFlags=0x0) returned 1 [0090.275] SetFilePointerEx (in: hFile=0x2a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.275] WriteFile (in: hFile=0x2a8, lpBuffer=0x520fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x520fcf0, lpOverlapped=0x0 | out: lpBuffer=0x520fbdc*, lpNumberOfBytesWritten=0x520fcf0*=0x100, lpOverlapped=0x0) returned 1 [0090.276] WriteFile (in: hFile=0x2a8, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x520fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x520fcf0*=0x500, lpOverlapped=0x0) returned 1 [0090.276] CloseHandle (hObject=0x2a8) returned 1 [0090.280] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\affected.exe id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0090.280] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 1 [0090.280] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0090.280] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0090.280] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0090.283] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0090.283] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0090.283] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US" [0090.283] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0090.283] GlobalMemoryStatus (in: lpBuffer=0x520fd08 | out: lpBuffer=0x520fd08) [0090.283] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10ce1b60, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a8 [0090.284] CloseHandle (hObject=0x2a8) returned 1 [0090.284] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 1 [0090.284] lstrcmpW (lpString1=".", lpString2="Icons") returned -1 [0090.284] lstrcmpW (lpString1="..", lpString2="Icons") returned -1 [0090.284] lstrcmpiW (lpString1="windows", lpString2="Icons") returned 1 [0090.284] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0090.284] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0090.284] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Icons" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Icons") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Icons" [0090.284] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Icons", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Icons\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Icons\\*.*" [0090.284] GlobalMemoryStatus (in: lpBuffer=0x520fd08 | out: lpBuffer=0x520fd08) [0090.284] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x107e88e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a8 [0090.285] CloseHandle (hObject=0x2a8) returned 1 [0090.285] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 1 [0090.285] lstrcmpW (lpString1=".", lpString2="Media Renderer") returned -1 [0090.285] lstrcmpW (lpString1="..", lpString2="Media Renderer") returned -1 [0090.285] lstrcmpiW (lpString1="windows", lpString2="Media Renderer") returned 1 [0090.285] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0090.285] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0090.285] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Media Renderer" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer" [0090.285] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0090.285] GlobalMemoryStatus (in: lpBuffer=0x520fd08 | out: lpBuffer=0x520fd08) [0090.285] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5ca0d58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a8 [0090.286] CloseHandle (hObject=0x2a8) returned 1 [0090.286] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 1 [0090.286] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0090.286] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0090.286] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" [0090.286] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\how to restore files.hta")) returned 0x1 [0090.286] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="mpvis.DLL") returned -1 [0090.286] lstrlenW (lpString="mpvis.DLL") returned 9 [0090.286] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0090.286] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0090.286] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="mpvis.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\mpvis.DLL") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\mpvis.DLL" [0090.286] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\mpvis.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\mpvis.DLL") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\mpvis.DLL" [0090.286] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\mpvis.DLL", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\mpvis.DLL id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\mpvis.DLL id-Br3n0G72wUb8CejT.LyaS" [0090.286] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\mpvis.DLL" (normalized: "c:\\program files\\windows media player\\mpvis.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\mpvis.DLL id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\mpvis.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.970] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 1 [0090.970] lstrcmpW (lpString1=".", lpString2="Network Sharing") returned -1 [0090.970] lstrcmpW (lpString1="..", lpString2="Network Sharing") returned -1 [0090.970] lstrcmpiW (lpString1="windows", lpString2="Network Sharing") returned 1 [0091.098] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.098] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.098] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Network Sharing" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing" [0091.098] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0091.098] GlobalMemoryStatus (in: lpBuffer=0x520fd08 | out: lpBuffer=0x520fd08) [0091.098] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3d580b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x300 [0091.099] CloseHandle (hObject=0x300) returned 1 [0091.099] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 1 [0091.099] lstrcpyW (in: lpString1=0x3f000d8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.099] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.099] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" [0091.099] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\how to restore files.hta")) returned 0x1 [0091.099] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="setup_wm.exe") returned -1 [0091.099] lstrlenW (lpString="setup_wm.exe") returned 12 [0091.099] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.099] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.099] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="setup_wm.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\setup_wm.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\setup_wm.exe" [0091.100] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\setup_wm.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\setup_wm.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\setup_wm.exe" [0091.100] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\setup_wm.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\setup_wm.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\setup_wm.exe id-Br3n0G72wUb8CejT.LyaS" [0091.100] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\setup_wm.exe" (normalized: "c:\\program files\\windows media player\\setup_wm.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\setup_wm.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\setup_wm.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0091.100] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 1 [0091.100] lstrcmpW (lpString1=".", lpString2="Skins") returned -1 [0091.100] lstrcmpW (lpString1="..", lpString2="Skins") returned -1 [0091.100] lstrcmpiW (lpString1="windows", lpString2="Skins") returned 1 [0091.100] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.100] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.100] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Skins" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins" [0091.100] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\*.*" [0091.100] GlobalMemoryStatus (in: lpBuffer=0x520fd08 | out: lpBuffer=0x520fd08) [0091.100] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5ab0528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x300 [0091.103] CloseHandle (hObject=0x300) returned 1 [0091.103] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 1 [0091.103] lstrcmpW (lpString1=".", lpString2="Visualizations") returned -1 [0091.103] lstrcmpW (lpString1="..", lpString2="Visualizations") returned -1 [0091.103] lstrcmpiW (lpString1="windows", lpString2="Visualizations") returned 1 [0091.107] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.107] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.107] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Visualizations" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Visualizations") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Visualizations" [0091.107] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Visualizations", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Visualizations\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Visualizations\\*.*" [0091.107] GlobalMemoryStatus (in: lpBuffer=0x520fd08 | out: lpBuffer=0x520fd08) [0091.107] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1114ee80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x300 [0091.108] CloseHandle (hObject=0x300) returned 1 [0091.108] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 1 [0091.108] lstrcpyW (in: lpString1=0x3f000d8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.108] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.108] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" [0091.108] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\how to restore files.hta")) returned 0x1 [0091.109] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wmlaunch.exe") returned -1 [0091.109] lstrlenW (lpString="wmlaunch.exe") returned 12 [0091.109] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.109] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.109] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="wmlaunch.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmlaunch.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmlaunch.exe" [0091.109] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\wmlaunch.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmlaunch.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmlaunch.exe" [0091.109] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmlaunch.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmlaunch.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmlaunch.exe id-Br3n0G72wUb8CejT.LyaS" [0091.109] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmlaunch.exe" (normalized: "c:\\program files\\windows media player\\wmlaunch.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmlaunch.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\wmlaunch.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0091.109] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 1 [0091.109] lstrcpyW (in: lpString1=0x3f000d8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.109] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.109] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" [0091.109] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\how to restore files.hta")) returned 0x1 [0091.109] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wmpconfig.exe") returned -1 [0091.109] lstrlenW (lpString="wmpconfig.exe") returned 13 [0091.109] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.109] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.110] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="wmpconfig.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpconfig.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpconfig.exe" [0091.110] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpconfig.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpconfig.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpconfig.exe" [0091.110] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpconfig.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpconfig.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpconfig.exe id-Br3n0G72wUb8CejT.LyaS" [0091.110] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpconfig.exe" (normalized: "c:\\program files\\windows media player\\wmpconfig.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpconfig.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\wmpconfig.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0091.110] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 1 [0091.110] lstrcpyW (in: lpString1=0x3f000d8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.110] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.110] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" [0091.110] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\how to restore files.hta")) returned 0x1 [0091.110] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wmplayer.exe") returned -1 [0091.110] lstrlenW (lpString="wmplayer.exe") returned 12 [0091.110] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.110] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.110] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="wmplayer.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmplayer.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmplayer.exe" [0091.110] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\wmplayer.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmplayer.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmplayer.exe" [0091.110] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmplayer.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmplayer.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmplayer.exe id-Br3n0G72wUb8CejT.LyaS" [0091.110] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmplayer.exe" (normalized: "c:\\program files\\windows media player\\wmplayer.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmplayer.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\wmplayer.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0091.111] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 1 [0091.111] lstrcpyW (in: lpString1=0x3f000d8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.111] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.111] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" [0091.111] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\how to restore files.hta")) returned 0x1 [0091.111] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="WMPMediaSharing.dll") returned -1 [0091.111] lstrlenW (lpString="WMPMediaSharing.dll") returned 19 [0091.111] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.111] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.111] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="WMPMediaSharing.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPMediaSharing.dll") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPMediaSharing.dll" [0091.111] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPMediaSharing.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPMediaSharing.dll") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPMediaSharing.dll" [0091.111] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPMediaSharing.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPMediaSharing.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPMediaSharing.dll id-Br3n0G72wUb8CejT.LyaS" [0091.111] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPMediaSharing.dll" (normalized: "c:\\program files\\windows media player\\wmpmediasharing.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPMediaSharing.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\wmpmediasharing.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.111] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 1 [0091.111] lstrcpyW (in: lpString1=0x3f000d8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.111] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.111] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" [0091.112] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\how to restore files.hta")) returned 0x1 [0091.112] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wmpnetwk.exe") returned -1 [0091.112] lstrlenW (lpString="wmpnetwk.exe") returned 12 [0091.112] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.112] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.112] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="wmpnetwk.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnetwk.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnetwk.exe" [0091.112] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnetwk.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnetwk.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnetwk.exe" [0091.112] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnetwk.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnetwk.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnetwk.exe id-Br3n0G72wUb8CejT.LyaS" [0091.112] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnetwk.exe" (normalized: "c:\\program files\\windows media player\\wmpnetwk.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnetwk.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\wmpnetwk.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0091.112] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 1 [0091.112] lstrcpyW (in: lpString1=0x3f000d8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.112] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.112] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" [0091.112] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\how to restore files.hta")) returned 0x1 [0091.112] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wmpnscfg.exe") returned -1 [0091.112] lstrlenW (lpString="wmpnscfg.exe") returned 12 [0091.112] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.112] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.112] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="wmpnscfg.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnscfg.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnscfg.exe" [0091.112] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnscfg.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnscfg.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnscfg.exe" [0091.113] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnscfg.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnscfg.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnscfg.exe id-Br3n0G72wUb8CejT.LyaS" [0091.113] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnscfg.exe" (normalized: "c:\\program files\\windows media player\\wmpnscfg.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnscfg.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\wmpnscfg.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0091.113] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 1 [0091.113] lstrcpyW (in: lpString1=0x3f000d8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.113] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.113] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" [0091.113] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\how to restore files.hta")) returned 0x1 [0091.113] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wmpnssci.dll") returned -1 [0091.113] lstrlenW (lpString="wmpnssci.dll") returned 12 [0091.113] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.113] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.113] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="wmpnssci.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnssci.dll") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnssci.dll" [0091.113] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnssci.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnssci.dll") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnssci.dll" [0091.113] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnssci.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnssci.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnssci.dll id-Br3n0G72wUb8CejT.LyaS" [0091.113] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnssci.dll" (normalized: "c:\\program files\\windows media player\\wmpnssci.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnssci.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\wmpnssci.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.178] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 1 [0091.178] lstrcpyW (in: lpString1=0x2cf0140, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.178] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.178] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" [0091.178] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\how to restore files.hta")) returned 0x1 [0091.179] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="WMPNSSUI.dll") returned -1 [0091.179] lstrlenW (lpString="WMPNSSUI.dll") returned 12 [0091.179] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.179] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.179] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="WMPNSSUI.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPNSSUI.dll") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPNSSUI.dll" [0091.179] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPNSSUI.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPNSSUI.dll") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPNSSUI.dll" [0091.179] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPNSSUI.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPNSSUI.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPNSSUI.dll id-Br3n0G72wUb8CejT.LyaS" [0091.179] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPNSSUI.dll" (normalized: "c:\\program files\\windows media player\\wmpnssui.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPNSSUI.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\wmpnssui.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.179] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 1 [0091.179] lstrcpyW (in: lpString1=0x2cf0140, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.179] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.179] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" [0091.179] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\how to restore files.hta")) returned 0x1 [0091.179] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wmprph.exe") returned -1 [0091.179] lstrlenW (lpString="wmprph.exe") returned 10 [0091.179] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.179] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.179] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="wmprph.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmprph.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmprph.exe" [0091.179] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\wmprph.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmprph.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmprph.exe" [0091.179] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmprph.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmprph.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmprph.exe id-Br3n0G72wUb8CejT.LyaS" [0091.179] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmprph.exe" (normalized: "c:\\program files\\windows media player\\wmprph.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmprph.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\wmprph.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0091.185] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 1 [0091.185] lstrcpyW (in: lpString1=0x2cf0140, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.185] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.185] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" [0091.186] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\how to restore files.hta")) returned 0x1 [0091.186] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wmpshare.exe") returned -1 [0091.186] lstrlenW (lpString="wmpshare.exe") returned 12 [0091.186] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.186] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.186] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="wmpshare.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpshare.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpshare.exe" [0091.186] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpshare.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpshare.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpshare.exe" [0091.186] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpshare.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpshare.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpshare.exe id-Br3n0G72wUb8CejT.LyaS" [0091.186] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpshare.exe" (normalized: "c:\\program files\\windows media player\\wmpshare.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpshare.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\wmpshare.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0091.243] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 1 [0091.243] lstrcpyW (in: lpString1=0x2cf0140, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.243] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.243] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" [0091.243] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\how to restore files.hta")) returned 0x1 [0091.243] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="WMPSideShowGadget.exe") returned -1 [0091.243] lstrlenW (lpString="WMPSideShowGadget.exe") returned 21 [0091.243] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0091.243] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0091.243] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="WMPSideShowGadget.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPSideShowGadget.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPSideShowGadget.exe" [0091.243] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPSideShowGadget.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPSideShowGadget.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPSideShowGadget.exe" [0091.243] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPSideShowGadget.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPSideShowGadget.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPSideShowGadget.exe id-Br3n0G72wUb8CejT.LyaS" [0091.243] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPSideShowGadget.exe" (normalized: "c:\\program files\\windows media player\\wmpsideshowgadget.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPSideShowGadget.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\wmpsideshowgadget.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0091.274] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x520fd28 | out: lpFindFileData=0x520fd28) returned 0 [0091.274] FindClose (in: hFindFile=0x5c8cd0 | out: hFindFile=0x5c8cd0) returned 1 Thread: id = 105 os_tid = 0x264 [0088.415] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\*.*", lpFindFileData=0x534fd28 | out: lpFindFileData=0x534fd28) returned 0x5c87d0 [0089.475] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.475] FindNextFileW (in: hFindFile=0x5c87d0, lpFindFileData=0x534fd28 | out: lpFindFileData=0x534fd28) returned 1 [0089.475] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0089.475] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.475] FindNextFileW (in: hFindFile=0x5c87d0, lpFindFileData=0x534fd28 | out: lpFindFileData=0x534fd28) returned 1 [0089.475] lstrcpyW (in: lpString1=0x3ee8070, lpString2="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\*.*" [0089.475] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\*.*") returned 52 [0089.475] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\How To Restore Files.hta" [0089.475] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\How To Restore Files.hta" (normalized: "c:\\program files\\windows multimedia platform\\how to restore files.hta")) returned 0xffffffff [0089.475] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\How To Restore Files.hta" (normalized: "c:\\program files\\windows multimedia platform\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0090.265] WriteFile (in: hFile=0x374, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x534fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x534fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0090.266] CloseHandle (hObject=0x374) returned 1 [0090.266] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0090.266] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="freeware.exe") returned 1 [0090.266] lstrlenW (lpString="freeware.exe") returned 12 [0090.266] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\*.*" [0090.266] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\*.*") returned 52 [0090.266] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\", lpString2="freeware.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\freeware.exe") returned="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\freeware.exe" [0090.267] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\freeware.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\freeware.exe") returned="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\freeware.exe" [0090.267] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\freeware.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\freeware.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\freeware.exe id-Br3n0G72wUb8CejT.LyaS" [0090.267] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\freeware.exe" (normalized: "c:\\program files\\windows multimedia platform\\freeware.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\freeware.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows multimedia platform\\freeware.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0090.371] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\freeware.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows multimedia platform\\freeware.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0090.372] CreateFileMappingA (hFile=0x374, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x36c [0090.372] CryptAcquireContextA (in: phProv=0x534fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x534fce4*=0x5d1938) returned 1 [0090.372] CryptGenKey (in: hProv=0x5d1938, Algid=0x6610, dwFlags=0x1, phKey=0x534fce0 | out: phKey=0x534fce0*=0x5c8f50) returned 1 [0090.372] CryptExportKey (in: hKey=0x5c8f50, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x534fbdc, pdwDataLen=0x534fcdc | out: pbData=0x534fbdc*, pdwDataLen=0x534fcdc*=0x2c) returned 1 [0090.372] MapViewOfFile (hFileMappingObject=0x36c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12600) returned 0x31d0000 [0090.381] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x534fbdc*, pdwDataLen=0x534fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x534fbdc*, pdwDataLen=0x534fcf0*=0x100) returned 1 [0090.381] CryptEncrypt (in: hKey=0x5c8f50, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x31d0000, pdwDataLen=0x534fcdc*=0x12600, dwBufLen=0x12600 | out: pbData=0x31d0000*, pdwDataLen=0x534fcdc*=0x12600) returned 1 [0090.382] UnmapViewOfFile (lpBaseAddress=0x31d0000) returned 1 [0090.382] CloseHandle (hObject=0x36c) returned 1 [0090.383] CryptDestroyKey (hKey=0x5c8f50) returned 1 [0090.383] CryptReleaseContext (hProv=0x5d1938, dwFlags=0x0) returned 1 [0090.383] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.383] WriteFile (in: hFile=0x374, lpBuffer=0x534fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x534fcf0, lpOverlapped=0x0 | out: lpBuffer=0x534fbdc*, lpNumberOfBytesWritten=0x534fcf0*=0x100, lpOverlapped=0x0) returned 1 [0090.384] WriteFile (in: hFile=0x374, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x534fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x534fcf0*=0x500, lpOverlapped=0x0) returned 1 [0090.384] CloseHandle (hObject=0x374) returned 1 [0090.387] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\freeware.exe id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0090.387] FindNextFileW (in: hFindFile=0x5c87d0, lpFindFileData=0x534fd28 | out: lpFindFileData=0x534fd28) returned 1 [0090.387] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\*.*" [0090.387] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\*.*") returned 52 [0090.387] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\How To Restore Files.hta" [0090.387] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\How To Restore Files.hta" (normalized: "c:\\program files\\windows multimedia platform\\how to restore files.hta")) returned 0x1 [0090.388] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="sqmapi.dll") returned -1 [0090.388] lstrlenW (lpString="sqmapi.dll") returned 10 [0090.388] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\*.*" [0090.388] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\*.*") returned 52 [0090.388] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\", lpString2="sqmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\sqmapi.dll") returned="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\sqmapi.dll" [0090.388] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\sqmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\sqmapi.dll") returned="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\sqmapi.dll" [0090.388] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\sqmapi.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\sqmapi.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\sqmapi.dll id-Br3n0G72wUb8CejT.LyaS" [0090.388] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\sqmapi.dll" (normalized: "c:\\program files\\windows multimedia platform\\sqmapi.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Multimedia Platform\\sqmapi.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows multimedia platform\\sqmapi.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.970] FindNextFileW (in: hFindFile=0x5c87d0, lpFindFileData=0x534fd28 | out: lpFindFileData=0x534fd28) returned 0 [0090.970] FindClose (in: hFindFile=0x5c87d0 | out: hFindFile=0x5c87d0) returned 1 Thread: id = 106 os_tid = 0x3a0 [0088.415] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\*.*", lpFindFileData=0x548fd28 | out: lpFindFileData=0x548fd28) returned 0x5c8d50 [0088.415] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.415] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x548fd28 | out: lpFindFileData=0x548fd28) returned 1 [0089.479] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0089.479] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.479] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x548fd28 | out: lpFindFileData=0x548fd28) returned 1 [0089.479] lstrcmpW (lpString1=".", lpString2="Accessories") returned -1 [0089.479] lstrcmpW (lpString1="..", lpString2="Accessories") returned -1 [0089.479] lstrcmpiW (lpString1="windows", lpString2="Accessories") returned 1 [0089.481] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\*.*" [0089.481] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\*.*") returned 35 [0089.481] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\", lpString2="Accessories" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories" [0089.481] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*" [0089.481] GlobalMemoryStatus (in: lpBuffer=0x548fd08 | out: lpBuffer=0x548fd08) [0089.482] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x108989d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0089.483] CloseHandle (hObject=0x344) returned 1 [0089.483] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x548fd28 | out: lpFindFileData=0x548fd28) returned 1 [0089.483] lstrcpyW (in: lpString1=0x2cf0140, lpString2="\\\\?\\C:\\Program Files\\Windows NT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\*.*" [0089.483] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\*.*") returned 35 [0089.483] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows NT\\How To Restore Files.hta" [0089.483] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\How To Restore Files.hta" (normalized: "c:\\program files\\windows nt\\how to restore files.hta")) returned 0xffffffff [0089.483] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\How To Restore Files.hta" (normalized: "c:\\program files\\windows nt\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0090.042] WriteFile (in: hFile=0x22c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x548fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x548fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0090.043] CloseHandle (hObject=0x22c) returned 1 [0090.043] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0090.044] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="lowest forwarding sitemap.exe") returned -1 [0090.044] lstrlenW (lpString="lowest forwarding sitemap.exe") returned 29 [0090.044] lstrcmpiW (lpString1=".LyaS", lpString2="p.exe") returned -1 [0090.044] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\*.*" [0090.044] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\*.*") returned 35 [0090.044] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\", lpString2="lowest forwarding sitemap.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\lowest forwarding sitemap.exe") returned="\\\\?\\C:\\Program Files\\Windows NT\\lowest forwarding sitemap.exe" [0090.044] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\lowest forwarding sitemap.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\lowest forwarding sitemap.exe") returned="\\\\?\\C:\\Program Files\\Windows NT\\lowest forwarding sitemap.exe" [0090.044] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\lowest forwarding sitemap.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\lowest forwarding sitemap.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows NT\\lowest forwarding sitemap.exe id-Br3n0G72wUb8CejT.LyaS" [0090.044] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows NT\\lowest forwarding sitemap.exe" (normalized: "c:\\program files\\windows nt\\lowest forwarding sitemap.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows NT\\lowest forwarding sitemap.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows nt\\lowest forwarding sitemap.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0090.045] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\lowest forwarding sitemap.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows nt\\lowest forwarding sitemap.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0090.045] CreateFileMappingA (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x28c [0090.045] CryptAcquireContextA (in: phProv=0x548fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x548fce4*=0x5d0d00) returned 1 [0090.046] CryptGenKey (in: hProv=0x5d0d00, Algid=0x6610, dwFlags=0x1, phKey=0x548fce0 | out: phKey=0x548fce0*=0x5c8750) returned 1 [0090.046] CryptExportKey (in: hKey=0x5c8750, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x548fbdc, pdwDataLen=0x548fcdc | out: pbData=0x548fbdc*, pdwDataLen=0x548fcdc*=0x2c) returned 1 [0090.046] MapViewOfFile (hFileMappingObject=0x28c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12600) returned 0x31d0000 [0090.049] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x548fbdc*, pdwDataLen=0x548fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x548fbdc*, pdwDataLen=0x548fcf0*=0x100) returned 1 [0090.049] CryptEncrypt (in: hKey=0x5c8750, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x31d0000, pdwDataLen=0x548fcdc*=0x12600, dwBufLen=0x12600 | out: pbData=0x31d0000*, pdwDataLen=0x548fcdc*=0x12600) returned 1 [0090.050] UnmapViewOfFile (lpBaseAddress=0x31d0000) returned 1 [0090.050] CloseHandle (hObject=0x28c) returned 1 [0090.051] CryptDestroyKey (hKey=0x5c8750) returned 1 [0090.051] CryptReleaseContext (hProv=0x5d0d00, dwFlags=0x0) returned 1 [0090.051] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.051] WriteFile (in: hFile=0x22c, lpBuffer=0x548fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x548fcf0, lpOverlapped=0x0 | out: lpBuffer=0x548fbdc*, lpNumberOfBytesWritten=0x548fcf0*=0x100, lpOverlapped=0x0) returned 1 [0090.051] WriteFile (in: hFile=0x22c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x548fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x548fcf0*=0x500, lpOverlapped=0x0) returned 1 [0090.052] CloseHandle (hObject=0x22c) returned 1 [0090.054] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\lowest forwarding sitemap.exe id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0090.054] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x548fd28 | out: lpFindFileData=0x548fd28) returned 1 [0090.054] lstrcmpW (lpString1=".", lpString2="TableTextService") returned -1 [0090.054] lstrcmpW (lpString1="..", lpString2="TableTextService") returned -1 [0090.054] lstrcmpiW (lpString1="windows", lpString2="TableTextService") returned 1 [0090.054] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\*.*" [0090.055] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\*.*") returned 35 [0090.055] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\", lpString2="TableTextService" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService" [0090.055] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0090.055] GlobalMemoryStatus (in: lpBuffer=0x548fd08 | out: lpBuffer=0x548fd08) [0090.055] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5a703f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x22c [0090.056] CloseHandle (hObject=0x22c) returned 1 [0090.056] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x548fd28 | out: lpFindFileData=0x548fd28) returned 0 [0090.056] FindClose (in: hFindFile=0x5c8d50 | out: hFindFile=0x5c8d50) returned 1 Thread: id = 107 os_tid = 0x60c [0088.415] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*", lpFindFileData=0x584fd28 | out: lpFindFileData=0x584fd28) returned 0x5c8d90 [0088.415] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.415] FindNextFileW (in: hFindFile=0x5c8d90, lpFindFileData=0x584fd28 | out: lpFindFileData=0x584fd28) returned 1 [0089.487] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0089.487] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.487] FindNextFileW (in: hFindFile=0x5c8d90, lpFindFileData=0x584fd28 | out: lpFindFileData=0x584fd28) returned 1 [0089.487] lstrcpyW (in: lpString1=0x5b106c8, lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0089.487] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0089.487] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\How To Restore Files.hta" [0089.487] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\How To Restore Files.hta" (normalized: "c:\\program files\\windows photo viewer\\how to restore files.hta")) returned 0xffffffff [0089.487] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\How To Restore Files.hta" (normalized: "c:\\program files\\windows photo viewer\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0090.238] WriteFile (in: hFile=0x374, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x584fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x584fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0090.239] CloseHandle (hObject=0x374) returned 1 [0090.239] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0090.240] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="collecting_vb_les.exe") returned 1 [0090.240] lstrlenW (lpString="collecting_vb_les.exe") returned 21 [0090.240] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0090.240] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0090.240] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="collecting_vb_les.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\collecting_vb_les.exe") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\collecting_vb_les.exe" [0090.240] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\collecting_vb_les.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\collecting_vb_les.exe") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\collecting_vb_les.exe" [0090.240] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\collecting_vb_les.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\collecting_vb_les.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\collecting_vb_les.exe id-Br3n0G72wUb8CejT.LyaS" [0090.240] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\collecting_vb_les.exe" (normalized: "c:\\program files\\windows photo viewer\\collecting_vb_les.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\collecting_vb_les.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows photo viewer\\collecting_vb_les.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0090.241] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\collecting_vb_les.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows photo viewer\\collecting_vb_les.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0090.241] CreateFileMappingA (hFile=0x374, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x2a8 [0090.241] CryptAcquireContextA (in: phProv=0x584fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x584fce4*=0x5d1938) returned 1 [0090.242] CryptGenKey (in: hProv=0x5d1938, Algid=0x6610, dwFlags=0x1, phKey=0x584fce0 | out: phKey=0x584fce0*=0x5c8f50) returned 1 [0090.242] CryptExportKey (in: hKey=0x5c8f50, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x584fbdc, pdwDataLen=0x584fcdc | out: pbData=0x584fbdc*, pdwDataLen=0x584fcdc*=0x2c) returned 1 [0090.242] MapViewOfFile (hFileMappingObject=0x2a8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12600) returned 0x31d0000 [0090.245] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x584fbdc*, pdwDataLen=0x584fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x584fbdc*, pdwDataLen=0x584fcf0*=0x100) returned 1 [0090.247] CryptEncrypt (in: hKey=0x5c8f50, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x31d0000, pdwDataLen=0x584fcdc*=0x12600, dwBufLen=0x12600 | out: pbData=0x31d0000*, pdwDataLen=0x584fcdc*=0x12600) returned 1 [0090.247] UnmapViewOfFile (lpBaseAddress=0x31d0000) returned 1 [0090.248] CloseHandle (hObject=0x2a8) returned 1 [0090.248] CryptDestroyKey (hKey=0x5c8f50) returned 1 [0090.248] CryptReleaseContext (hProv=0x5d1938, dwFlags=0x0) returned 1 [0090.248] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.248] WriteFile (in: hFile=0x374, lpBuffer=0x584fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x584fcf0, lpOverlapped=0x0 | out: lpBuffer=0x584fbdc*, lpNumberOfBytesWritten=0x584fcf0*=0x100, lpOverlapped=0x0) returned 1 [0090.249] WriteFile (in: hFile=0x374, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x584fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x584fcf0*=0x500, lpOverlapped=0x0) returned 1 [0090.249] CloseHandle (hObject=0x374) returned 1 [0090.253] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\collecting_vb_les.exe id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0090.254] FindNextFileW (in: hFindFile=0x5c8d90, lpFindFileData=0x584fd28 | out: lpFindFileData=0x584fd28) returned 1 [0090.254] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0090.254] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0090.254] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0090.254] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0090.254] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0090.254] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US" [0090.254] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" [0090.254] GlobalMemoryStatus (in: lpBuffer=0x584fd08 | out: lpBuffer=0x584fd08) [0090.254] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3e48070, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x374 [0090.255] CloseHandle (hObject=0x374) returned 1 [0090.255] FindNextFileW (in: hFindFile=0x5c8d90, lpFindFileData=0x584fd28 | out: lpFindFileData=0x584fd28) returned 1 [0090.256] lstrcpyW (in: lpString1=0x5b106c8, lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0090.256] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0090.256] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\How To Restore Files.hta" [0090.256] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\How To Restore Files.hta" (normalized: "c:\\program files\\windows photo viewer\\how to restore files.hta")) returned 0x1 [0090.256] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ImagingDevices.exe") returned -1 [0090.256] lstrlenW (lpString="ImagingDevices.exe") returned 18 [0090.256] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0090.256] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0090.256] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="ImagingDevices.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe" [0090.256] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe" [0090.256] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe id-Br3n0G72wUb8CejT.LyaS" [0090.256] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe" (normalized: "c:\\program files\\windows photo viewer\\imagingdevices.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows photo viewer\\imagingdevices.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0090.369] FindNextFileW (in: hFindFile=0x5c8d90, lpFindFileData=0x584fd28 | out: lpFindFileData=0x584fd28) returned 1 [0090.369] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0090.369] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0090.369] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\How To Restore Files.hta" [0090.369] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\How To Restore Files.hta" (normalized: "c:\\program files\\windows photo viewer\\how to restore files.hta")) returned 0x1 [0090.369] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ImagingEngine.dll") returned -1 [0090.369] lstrlenW (lpString="ImagingEngine.dll") returned 17 [0090.369] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0090.369] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0090.369] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="ImagingEngine.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingEngine.dll") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingEngine.dll" [0090.369] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingEngine.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingEngine.dll") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingEngine.dll" [0090.369] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingEngine.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingEngine.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingEngine.dll id-Br3n0G72wUb8CejT.LyaS" [0090.369] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingEngine.dll" (normalized: "c:\\program files\\windows photo viewer\\imagingengine.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingEngine.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows photo viewer\\imagingengine.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.970] FindNextFileW (in: hFindFile=0x5c8d90, lpFindFileData=0x584fd28 | out: lpFindFileData=0x584fd28) returned 1 [0091.121] lstrcpyW (in: lpString1=0x3f000d8, lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0091.122] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0091.122] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\How To Restore Files.hta" [0091.122] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\How To Restore Files.hta" (normalized: "c:\\program files\\windows photo viewer\\how to restore files.hta")) returned 0x1 [0091.122] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="PhotoAcq.dll") returned -1 [0091.122] lstrlenW (lpString="PhotoAcq.dll") returned 12 [0091.122] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0091.122] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0091.122] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="PhotoAcq.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoAcq.dll") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoAcq.dll" [0091.122] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoAcq.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoAcq.dll") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoAcq.dll" [0091.122] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoAcq.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoAcq.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoAcq.dll id-Br3n0G72wUb8CejT.LyaS" [0091.122] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoAcq.dll" (normalized: "c:\\program files\\windows photo viewer\\photoacq.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoAcq.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows photo viewer\\photoacq.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.123] FindNextFileW (in: hFindFile=0x5c8d90, lpFindFileData=0x584fd28 | out: lpFindFileData=0x584fd28) returned 1 [0091.123] lstrcpyW (in: lpString1=0x3f000d8, lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0091.123] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0091.123] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\How To Restore Files.hta" [0091.123] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\How To Restore Files.hta" (normalized: "c:\\program files\\windows photo viewer\\how to restore files.hta")) returned 0x1 [0091.123] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="PhotoBase.dll") returned -1 [0091.123] lstrlenW (lpString="PhotoBase.dll") returned 13 [0091.123] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0091.123] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0091.123] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="PhotoBase.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoBase.dll") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoBase.dll" [0091.123] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoBase.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoBase.dll") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoBase.dll" [0091.123] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoBase.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoBase.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoBase.dll id-Br3n0G72wUb8CejT.LyaS" [0091.124] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoBase.dll" (normalized: "c:\\program files\\windows photo viewer\\photobase.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoBase.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows photo viewer\\photobase.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.124] FindNextFileW (in: hFindFile=0x5c8d90, lpFindFileData=0x584fd28 | out: lpFindFileData=0x584fd28) returned 1 [0091.124] lstrcpyW (in: lpString1=0x3f000d8, lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0091.124] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0091.124] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\How To Restore Files.hta" [0091.124] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\How To Restore Files.hta" (normalized: "c:\\program files\\windows photo viewer\\how to restore files.hta")) returned 0x1 [0091.124] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="PhotoViewer.dll") returned -1 [0091.124] lstrlenW (lpString="PhotoViewer.dll") returned 15 [0091.124] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0091.124] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0091.124] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="PhotoViewer.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll" [0091.124] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll" [0091.124] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll id-Br3n0G72wUb8CejT.LyaS" [0091.124] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll" (normalized: "c:\\program files\\windows photo viewer\\photoviewer.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows photo viewer\\photoviewer.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.125] FindNextFileW (in: hFindFile=0x5c8d90, lpFindFileData=0x584fd28 | out: lpFindFileData=0x584fd28) returned 1 [0091.125] lstrcpyW (in: lpString1=0x3f000d8, lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0091.125] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0091.125] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\How To Restore Files.hta" [0091.125] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\How To Restore Files.hta" (normalized: "c:\\program files\\windows photo viewer\\how to restore files.hta")) returned 0x1 [0091.125] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="runtime recommendation.exe") returned -1 [0091.125] lstrlenW (lpString="runtime recommendation.exe") returned 26 [0091.125] lstrcmpiW (lpString1=".LyaS", lpString2="n.exe") returned -1 [0091.125] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0091.125] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0091.125] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="runtime recommendation.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\runtime recommendation.exe") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\runtime recommendation.exe" [0091.125] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\runtime recommendation.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\runtime recommendation.exe") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\runtime recommendation.exe" [0091.125] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\runtime recommendation.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\runtime recommendation.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\runtime recommendation.exe id-Br3n0G72wUb8CejT.LyaS" [0091.125] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\runtime recommendation.exe" (normalized: "c:\\program files\\windows photo viewer\\runtime recommendation.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\runtime recommendation.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows photo viewer\\runtime recommendation.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0091.126] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\runtime recommendation.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows photo viewer\\runtime recommendation.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0091.126] CreateFileMappingA (hFile=0x300, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x22c [0091.126] CryptAcquireContextA (in: phProv=0x584fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x584fce4*=0x5d1250) returned 1 [0091.127] CryptGenKey (in: hProv=0x5d1250, Algid=0x6610, dwFlags=0x1, phKey=0x584fce0 | out: phKey=0x584fce0*=0x5c8e50) returned 1 [0091.127] CryptExportKey (in: hKey=0x5c8e50, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x584fbdc, pdwDataLen=0x584fcdc | out: pbData=0x584fbdc*, pdwDataLen=0x584fcdc*=0x2c) returned 1 [0091.127] MapViewOfFile (hFileMappingObject=0x22c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12600) returned 0x1ce20000 [0091.131] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x584fbdc*, pdwDataLen=0x584fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x584fbdc*, pdwDataLen=0x584fcf0*=0x100) returned 1 [0091.132] CryptEncrypt (in: hKey=0x5c8e50, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x1ce20000, pdwDataLen=0x584fcdc*=0x12600, dwBufLen=0x12600 | out: pbData=0x1ce20000*, pdwDataLen=0x584fcdc*=0x12600) returned 1 [0091.132] UnmapViewOfFile (lpBaseAddress=0x1ce20000) returned 1 [0091.133] CloseHandle (hObject=0x22c) returned 1 [0091.133] CryptDestroyKey (hKey=0x5c8e50) returned 1 [0091.133] CryptReleaseContext (hProv=0x5d1250, dwFlags=0x0) returned 1 [0091.133] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.133] WriteFile (in: hFile=0x300, lpBuffer=0x584fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x584fcf0, lpOverlapped=0x0 | out: lpBuffer=0x584fbdc*, lpNumberOfBytesWritten=0x584fcf0*=0x100, lpOverlapped=0x0) returned 1 [0091.134] WriteFile (in: hFile=0x300, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x584fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x584fcf0*=0x500, lpOverlapped=0x0) returned 1 [0091.134] CloseHandle (hObject=0x300) returned 1 [0091.136] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\runtime recommendation.exe id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0091.137] FindNextFileW (in: hFindFile=0x5c8d90, lpFindFileData=0x584fd28 | out: lpFindFileData=0x584fd28) returned 0 [0091.137] FindClose (in: hFindFile=0x5c8d90 | out: hFindFile=0x5c8d90) returned 1 Thread: id = 108 os_tid = 0xcb8 [0088.416] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Portable Devices\\*.*", lpFindFileData=0x650fd28 | out: lpFindFileData=0x650fd28) returned 0x5c8dd0 [0088.416] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.416] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x650fd28 | out: lpFindFileData=0x650fd28) returned 1 [0089.491] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0089.491] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.491] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x650fd28 | out: lpFindFileData=0x650fd28) returned 1 [0089.491] lstrcpyW (in: lpString1=0x5b186d0, lpString2="\\\\?\\C:\\Program Files\\Windows Portable Devices\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Portable Devices\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Portable Devices\\*.*" [0089.491] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Portable Devices\\*.*") returned 49 [0089.491] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Portable Devices\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Portable Devices\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Portable Devices\\How To Restore Files.hta" [0089.491] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Portable Devices\\How To Restore Files.hta" (normalized: "c:\\program files\\windows portable devices\\how to restore files.hta")) returned 0xffffffff [0089.491] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Portable Devices\\How To Restore Files.hta" (normalized: "c:\\program files\\windows portable devices\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0090.257] WriteFile (in: hFile=0x374, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x650fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x650fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0090.259] CloseHandle (hObject=0x374) returned 1 [0090.259] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Portable Devices\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0090.262] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="sqmapi.dll") returned -1 [0090.262] lstrlenW (lpString="sqmapi.dll") returned 10 [0090.262] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Portable Devices\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Portable Devices\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Portable Devices\\*.*" [0090.262] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Portable Devices\\*.*") returned 49 [0090.262] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Portable Devices\\", lpString2="sqmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Portable Devices\\sqmapi.dll") returned="\\\\?\\C:\\Program Files\\Windows Portable Devices\\sqmapi.dll" [0090.262] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Portable Devices\\sqmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Portable Devices\\sqmapi.dll") returned="\\\\?\\C:\\Program Files\\Windows Portable Devices\\sqmapi.dll" [0090.262] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Portable Devices\\sqmapi.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Portable Devices\\sqmapi.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Portable Devices\\sqmapi.dll id-Br3n0G72wUb8CejT.LyaS" [0090.262] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Portable Devices\\sqmapi.dll" (normalized: "c:\\program files\\windows portable devices\\sqmapi.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Portable Devices\\sqmapi.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows portable devices\\sqmapi.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.370] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x650fd28 | out: lpFindFileData=0x650fd28) returned 0 [0090.370] FindClose (in: hFindFile=0x5c8dd0 | out: hFindFile=0x5c8dd0) returned 1 Thread: id = 109 os_tid = 0x5c0 [0088.416] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*", lpFindFileData=0x678fd28 | out: lpFindFileData=0x678fd28) returned 0x5c8e10 [0088.416] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.416] FindNextFileW (in: hFindFile=0x5c8e10, lpFindFileData=0x678fd28 | out: lpFindFileData=0x678fd28) returned 1 [0088.895] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0088.895] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.895] FindNextFileW (in: hFindFile=0x5c8e10, lpFindFileData=0x678fd28 | out: lpFindFileData=0x678fd28) returned 1 [0088.895] lstrcmpW (lpString1=".", lpString2="Gadgets") returned -1 [0088.896] lstrcmpW (lpString1="..", lpString2="Gadgets") returned -1 [0088.896] lstrcmpiW (lpString1="windows", lpString2="Gadgets") returned 1 [0088.898] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*" [0088.898] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*") returned 40 [0088.898] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\", lpString2="Gadgets" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets" [0088.898] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*" [0088.898] GlobalMemoryStatus (in: lpBuffer=0x678fd08 | out: lpBuffer=0x678fd08) [0088.898] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8ca9298, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x31c [0088.899] CloseHandle (hObject=0x31c) returned 1 [0088.899] FindNextFileW (in: hFindFile=0x5c8e10, lpFindFileData=0x678fd28 | out: lpFindFileData=0x678fd28) returned 1 [0088.899] lstrcmpW (lpString1=".", lpString2="Shared Gadgets") returned -1 [0088.899] lstrcmpW (lpString1="..", lpString2="Shared Gadgets") returned -1 [0088.899] lstrcmpiW (lpString1="windows", lpString2="Shared Gadgets") returned 1 [0088.901] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*" [0088.901] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*") returned 40 [0088.901] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\", lpString2="Shared Gadgets" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Shared Gadgets") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Shared Gadgets" [0088.901] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Shared Gadgets", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\*.*" [0088.901] GlobalMemoryStatus (in: lpBuffer=0x678fd08 | out: lpBuffer=0x678fd08) [0088.901] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8cc1300, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x31c [0088.902] CloseHandle (hObject=0x31c) returned 1 [0088.902] FindNextFileW (in: hFindFile=0x5c8e10, lpFindFileData=0x678fd28 | out: lpFindFileData=0x678fd28) returned 0 [0088.902] FindClose (in: hFindFile=0x5c8e10 | out: hFindFile=0x5c8e10) returned 1 Thread: id = 110 os_tid = 0x878 [0088.416] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\*.*", lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 0x5c8ed0 [0088.418] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.418] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0088.608] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0088.608] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.608] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0088.608] lstrcmpW (lpString1=".", lpString2="Deleted") returned -1 [0088.608] lstrcmpW (lpString1="..", lpString2="Deleted") returned -1 [0088.608] lstrcmpiW (lpString1="windows", lpString2="Deleted") returned 1 [0088.613] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0088.613] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0088.613] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Deleted" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Deleted") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Deleted" [0088.613] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Deleted", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Deleted\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Deleted\\*.*" [0088.613] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x89b8660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.614] CloseHandle (hObject=0x378) returned 1 [0088.614] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0088.614] lstrcmpW (lpString1=".", lpString2="Microsoft.3DBuilder_10.0.0.0_x64__8wekyb3d8bbwe") returned -1 [0088.614] lstrcmpW (lpString1="..", lpString2="Microsoft.3DBuilder_10.0.0.0_x64__8wekyb3d8bbwe") returned -1 [0088.614] lstrcmpiW (lpString1="windows", lpString2="Microsoft.3DBuilder_10.0.0.0_x64__8wekyb3d8bbwe") returned 1 [0088.616] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0088.616] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0088.616] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.3DBuilder_10.0.0.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_10.0.0.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_10.0.0.0_x64__8wekyb3d8bbwe" [0088.616] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_10.0.0.0_x64__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_10.0.0.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_10.0.0.0_x64__8wekyb3d8bbwe\\*.*" [0088.617] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x89d06c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.618] CloseHandle (hObject=0x378) returned 1 [0088.618] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0088.618] lstrcmpW (lpString1=".", lpString2="Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe") returned -1 [0088.618] lstrcmpW (lpString1="..", lpString2="Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe") returned -1 [0088.618] lstrcmpiW (lpString1="windows", lpString2="Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe") returned 1 [0088.620] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0088.620] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0088.620] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe" [0088.620] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*" [0088.620] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x89e8730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.621] CloseHandle (hObject=0x378) returned 1 [0088.621] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0088.621] lstrcmpW (lpString1=".", lpString2="Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe") returned -1 [0088.621] lstrcmpW (lpString1="..", lpString2="Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe") returned -1 [0088.621] lstrcmpiW (lpString1="windows", lpString2="Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe") returned 1 [0088.626] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0088.626] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0088.626] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe" [0088.626] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" [0088.626] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8a00798, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.627] CloseHandle (hObject=0x378) returned 1 [0088.627] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0088.627] lstrcmpW (lpString1=".", lpString2="Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe") returned -1 [0088.627] lstrcmpW (lpString1="..", lpString2="Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe") returned -1 [0088.627] lstrcmpiW (lpString1="windows", lpString2="Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe") returned 1 [0088.629] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0088.629] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0088.629] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe" [0088.629] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe\\*.*" [0088.629] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8a18800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.630] CloseHandle (hObject=0x378) returned 1 [0088.630] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0088.630] lstrcmpW (lpString1=".", lpString2="Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe") returned -1 [0088.631] lstrcmpW (lpString1="..", lpString2="Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe") returned -1 [0088.631] lstrcmpiW (lpString1="windows", lpString2="Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe") returned 1 [0088.633] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0088.633] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0088.633] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe" [0088.633] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" [0088.633] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8a30868, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.634] CloseHandle (hObject=0x378) returned 1 [0088.634] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0088.634] lstrcmpW (lpString1=".", lpString2="Microsoft.BingFinance_4.3.193.0_x86__8wekyb3d8bbwe") returned -1 [0088.634] lstrcmpW (lpString1="..", lpString2="Microsoft.BingFinance_4.3.193.0_x86__8wekyb3d8bbwe") returned -1 [0088.634] lstrcmpiW (lpString1="windows", lpString2="Microsoft.BingFinance_4.3.193.0_x86__8wekyb3d8bbwe") returned 1 [0088.636] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0088.636] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0088.636] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.BingFinance_4.3.193.0_x86__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_4.3.193.0_x86__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_4.3.193.0_x86__8wekyb3d8bbwe" [0088.636] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_4.3.193.0_x86__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_4.3.193.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_4.3.193.0_x86__8wekyb3d8bbwe\\*.*" [0088.636] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8a488d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.637] CloseHandle (hObject=0x378) returned 1 [0088.637] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0088.637] lstrcmpW (lpString1=".", lpString2="Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe") returned -1 [0088.637] lstrcmpW (lpString1="..", lpString2="Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe") returned -1 [0088.637] lstrcmpiW (lpString1="windows", lpString2="Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe") returned 1 [0088.640] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0088.640] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0088.640] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe" [0088.640] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" [0088.640] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8a60938, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.641] CloseHandle (hObject=0x378) returned 1 [0088.641] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0088.641] lstrcmpW (lpString1=".", lpString2="Microsoft.BingNews_4.3.193.0_x86__8wekyb3d8bbwe") returned -1 [0088.641] lstrcmpW (lpString1="..", lpString2="Microsoft.BingNews_4.3.193.0_x86__8wekyb3d8bbwe") returned -1 [0088.641] lstrcmpiW (lpString1="windows", lpString2="Microsoft.BingNews_4.3.193.0_x86__8wekyb3d8bbwe") returned 1 [0088.643] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0088.643] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0088.643] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.BingNews_4.3.193.0_x86__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_4.3.193.0_x86__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_4.3.193.0_x86__8wekyb3d8bbwe" [0088.643] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_4.3.193.0_x86__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_4.3.193.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_4.3.193.0_x86__8wekyb3d8bbwe\\*.*" [0088.643] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8a789a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.644] CloseHandle (hObject=0x378) returned 1 [0088.644] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0088.644] lstrcmpW (lpString1=".", lpString2="Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe") returned -1 [0088.644] lstrcmpW (lpString1="..", lpString2="Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe") returned -1 [0088.644] lstrcmpiW (lpString1="windows", lpString2="Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe") returned 1 [0088.645] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0088.645] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0088.645] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe" [0088.645] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" [0088.645] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8a90a08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.646] CloseHandle (hObject=0x378) returned 1 [0088.646] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0088.646] lstrcmpW (lpString1=".", lpString2="Microsoft.BingSports_4.3.193.0_x86__8wekyb3d8bbwe") returned -1 [0088.647] lstrcmpW (lpString1="..", lpString2="Microsoft.BingSports_4.3.193.0_x86__8wekyb3d8bbwe") returned -1 [0088.647] lstrcmpiW (lpString1="windows", lpString2="Microsoft.BingSports_4.3.193.0_x86__8wekyb3d8bbwe") returned 1 [0088.649] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0088.649] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0088.649] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.BingSports_4.3.193.0_x86__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_4.3.193.0_x86__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_4.3.193.0_x86__8wekyb3d8bbwe" [0088.649] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_4.3.193.0_x86__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_4.3.193.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_4.3.193.0_x86__8wekyb3d8bbwe\\*.*" [0088.649] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8aa8a70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.650] CloseHandle (hObject=0x378) returned 1 [0088.650] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0088.650] lstrcmpW (lpString1=".", lpString2="Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe") returned -1 [0088.650] lstrcmpW (lpString1="..", lpString2="Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe") returned -1 [0088.650] lstrcmpiW (lpString1="windows", lpString2="Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe") returned 1 [0088.652] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0088.652] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0088.652] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe" [0088.652] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" [0088.652] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8ac0ad8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0088.653] CloseHandle (hObject=0x378) returned 1 [0088.653] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0088.653] lstrcmpW (lpString1=".", lpString2="Microsoft.BingWeather_4.3.193.0_x86__8wekyb3d8bbwe") returned -1 [0088.653] lstrcmpW (lpString1="..", lpString2="Microsoft.BingWeather_4.3.193.0_x86__8wekyb3d8bbwe") returned -1 [0088.653] lstrcmpiW (lpString1="windows", lpString2="Microsoft.BingWeather_4.3.193.0_x86__8wekyb3d8bbwe") returned 1 [0088.703] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0088.703] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0088.703] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.BingWeather_4.3.193.0_x86__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.3.193.0_x86__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.3.193.0_x86__8wekyb3d8bbwe" [0088.703] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.3.193.0_x86__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.3.193.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.3.193.0_x86__8wekyb3d8bbwe\\*.*" [0088.703] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0088.703] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8ad8b40, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x350 [0088.704] CloseHandle (hObject=0x350) returned 1 [0088.704] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0088.704] lstrcmpW (lpString1=".", lpString2="Microsoft.Getstarted_2.1.9.0_x64__8wekyb3d8bbwe") returned -1 [0088.704] lstrcmpW (lpString1="..", lpString2="Microsoft.Getstarted_2.1.9.0_x64__8wekyb3d8bbwe") returned -1 [0088.704] lstrcmpiW (lpString1="windows", lpString2="Microsoft.Getstarted_2.1.9.0_x64__8wekyb3d8bbwe") returned 1 [0088.704] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0088.704] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0088.704] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.Getstarted_2.1.9.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2.1.9.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2.1.9.0_x64__8wekyb3d8bbwe" [0088.704] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2.1.9.0_x64__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2.1.9.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2.1.9.0_x64__8wekyb3d8bbwe\\*.*" [0088.704] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0088.705] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5cc0d60, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x350 [0088.705] CloseHandle (hObject=0x350) returned 1 [0088.705] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0088.705] lstrcmpW (lpString1=".", lpString2="Microsoft.Getstarted_2015.622.1108.0_neutral_~_8wekyb3d8bbwe") returned -1 [0088.705] lstrcmpW (lpString1="..", lpString2="Microsoft.Getstarted_2015.622.1108.0_neutral_~_8wekyb3d8bbwe") returned -1 [0088.706] lstrcmpiW (lpString1="windows", lpString2="Microsoft.Getstarted_2015.622.1108.0_neutral_~_8wekyb3d8bbwe") returned 1 [0088.706] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0088.706] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0088.706] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.Getstarted_2015.622.1108.0_neutral_~_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2015.622.1108.0_neutral_~_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2015.622.1108.0_neutral_~_8wekyb3d8bbwe" [0088.706] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2015.622.1108.0_neutral_~_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2015.622.1108.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2015.622.1108.0_neutral_~_8wekyb3d8bbwe\\*.*" [0088.706] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0088.706] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3d88180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x350 [0088.707] CloseHandle (hObject=0x350) returned 1 [0088.707] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0088.707] lstrcmpW (lpString1=".", lpString2="Microsoft.MicrosoftOfficeHub_17.4218.23751.0_x64__8wekyb3d8bbwe") returned -1 [0088.707] lstrcmpW (lpString1="..", lpString2="Microsoft.MicrosoftOfficeHub_17.4218.23751.0_x64__8wekyb3d8bbwe") returned -1 [0088.707] lstrcmpiW (lpString1="windows", lpString2="Microsoft.MicrosoftOfficeHub_17.4218.23751.0_x64__8wekyb3d8bbwe") returned 1 [0088.707] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0088.707] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0088.707] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.MicrosoftOfficeHub_17.4218.23751.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_17.4218.23751.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_17.4218.23751.0_x64__8wekyb3d8bbwe" [0088.707] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_17.4218.23751.0_x64__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_17.4218.23751.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_17.4218.23751.0_x64__8wekyb3d8bbwe\\*.*" [0088.707] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0088.708] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2cd80d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x350 [0088.708] CloseHandle (hObject=0x350) returned 1 [0088.708] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0088.708] lstrcmpW (lpString1=".", lpString2="Microsoft.MicrosoftOfficeHub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe") returned -1 [0088.709] lstrcmpW (lpString1="..", lpString2="Microsoft.MicrosoftOfficeHub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe") returned -1 [0088.709] lstrcmpiW (lpString1="windows", lpString2="Microsoft.MicrosoftOfficeHub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe") returned 1 [0088.711] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0088.711] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0088.711] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.MicrosoftOfficeHub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe" [0088.711] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe\\*.*" [0088.711] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0088.712] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8bf9020, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x350 [0088.712] CloseHandle (hObject=0x350) returned 1 [0088.712] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0088.713] lstrcmpW (lpString1=".", lpString2="Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe") returned -1 [0088.713] lstrcmpW (lpString1="..", lpString2="Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe") returned -1 [0088.713] lstrcmpiW (lpString1="windows", lpString2="Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe") returned 1 [0088.729] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0088.729] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0088.729] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe" [0088.729] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe\\*.*" [0088.729] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0088.730] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8c11088, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x350 [0088.730] CloseHandle (hObject=0x350) returned 1 [0088.731] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0088.731] lstrcmpW (lpString1=".", lpString2="Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_x64__8wekyb3d8bbwe") returned -1 [0088.731] lstrcmpW (lpString1="..", lpString2="Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_x64__8wekyb3d8bbwe") returned -1 [0088.731] lstrcmpiW (lpString1="windows", lpString2="Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_x64__8wekyb3d8bbwe") returned 1 [0088.733] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0088.733] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0088.733] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_x64__8wekyb3d8bbwe" [0088.733] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_x64__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_x64__8wekyb3d8bbwe\\*.*" [0088.733] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0088.734] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8c290f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x350 [0088.734] CloseHandle (hObject=0x350) returned 1 [0088.734] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0088.735] lstrcmpW (lpString1=".", lpString2="Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe") returned -1 [0088.735] lstrcmpW (lpString1="..", lpString2="Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe") returned -1 [0088.735] lstrcmpiW (lpString1="windows", lpString2="Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe") returned 1 [0088.737] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0088.737] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0088.737] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe" [0088.737] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\*.*" [0088.737] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0088.738] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8c41158, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x350 [0088.739] CloseHandle (hObject=0x350) returned 1 [0088.739] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0088.739] lstrcmpW (lpString1=".", lpString2="Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe") returned -1 [0088.739] lstrcmpW (lpString1="..", lpString2="Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe") returned -1 [0088.739] lstrcmpiW (lpString1="windows", lpString2="Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe") returned 1 [0088.745] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0088.745] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0088.746] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe" [0088.746] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\*.*" [0088.746] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0088.746] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8c591c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x350 [0088.747] CloseHandle (hObject=0x350) returned 1 [0088.747] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0088.747] lstrcmpW (lpString1=".", lpString2="Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe") returned -1 [0088.747] lstrcmpW (lpString1="..", lpString2="Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe") returned -1 [0088.747] lstrcmpiW (lpString1="windows", lpString2="Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe") returned 1 [0089.492] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.492] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.492] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe" [0089.492] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\*.*" [0089.492] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.493] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8c71228, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0089.493] CloseHandle (hObject=0x344) returned 1 [0089.493] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.493] lstrcmpW (lpString1=".", lpString2="Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe") returned -1 [0089.493] lstrcmpW (lpString1="..", lpString2="Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe") returned -1 [0089.493] lstrcmpiW (lpString1="windows", lpString2="Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe") returned 1 [0089.496] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.496] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.496] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe" [0089.496] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\*.*" [0089.496] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.496] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x108f0a50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0089.497] CloseHandle (hObject=0x344) returned 1 [0089.497] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.497] lstrcmpW (lpString1=".", lpString2="Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe") returned -1 [0089.497] lstrcmpW (lpString1="..", lpString2="Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe") returned -1 [0089.497] lstrcmpiW (lpString1="windows", lpString2="Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe") returned 1 [0089.499] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.499] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.499] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe" [0089.499] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0089.499] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.500] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10908ab8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0089.500] CloseHandle (hObject=0x344) returned 1 [0089.500] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.500] lstrcmpW (lpString1=".", lpString2="Microsoft.Office.OneNote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe") returned -1 [0089.500] lstrcmpW (lpString1="..", lpString2="Microsoft.Office.OneNote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe") returned -1 [0089.500] lstrcmpiW (lpString1="windows", lpString2="Microsoft.Office.OneNote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe") returned 1 [0089.503] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.503] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.503] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.Office.OneNote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe" [0089.503] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe\\*.*" [0089.503] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.503] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10920b20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0089.504] CloseHandle (hObject=0x344) returned 1 [0089.504] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.504] lstrcmpW (lpString1=".", lpString2="Microsoft.People_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe") returned -1 [0089.504] lstrcmpW (lpString1="..", lpString2="Microsoft.People_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe") returned -1 [0089.504] lstrcmpiW (lpString1="windows", lpString2="Microsoft.People_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe") returned 1 [0089.506] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.506] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.506] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.People_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe" [0089.506] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe\\*.*" [0089.506] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.507] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10938b88, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0089.507] CloseHandle (hObject=0x344) returned 1 [0089.507] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.507] lstrcmpW (lpString1=".", lpString2="Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe") returned -1 [0089.507] lstrcmpW (lpString1="..", lpString2="Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe") returned -1 [0089.507] lstrcmpiW (lpString1="windows", lpString2="Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe") returned 1 [0089.510] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.510] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.510] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe" [0089.510] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\*.*" [0089.510] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.510] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10950bf0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0089.511] CloseHandle (hObject=0x344) returned 1 [0089.511] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.511] lstrcmpW (lpString1=".", lpString2="Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe") returned -1 [0089.511] lstrcmpW (lpString1="..", lpString2="Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe") returned -1 [0089.511] lstrcmpiW (lpString1="windows", lpString2="Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe") returned 1 [0089.514] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.514] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.514] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe" [0089.514] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*" [0089.514] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.514] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10968c58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0089.515] CloseHandle (hObject=0x344) returned 1 [0089.515] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.515] lstrcmpW (lpString1=".", lpString2="Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c") returned -1 [0089.515] lstrcmpW (lpString1="..", lpString2="Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c") returned -1 [0089.515] lstrcmpiW (lpString1="windows", lpString2="Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c") returned 1 [0089.517] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.517] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.517] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c" [0089.517] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*" [0089.517] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.517] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10980cc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0089.518] CloseHandle (hObject=0x344) returned 1 [0089.518] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.518] lstrcmpW (lpString1=".", lpString2="Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c") returned -1 [0089.518] lstrcmpW (lpString1="..", lpString2="Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c") returned -1 [0089.518] lstrcmpiW (lpString1="windows", lpString2="Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c") returned 1 [0089.521] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.521] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.521] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c" [0089.521] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" [0089.521] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.521] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10998d28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0089.522] CloseHandle (hObject=0x344) returned 1 [0089.522] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.522] lstrcmpW (lpString1=".", lpString2="Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe") returned -1 [0089.522] lstrcmpW (lpString1="..", lpString2="Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe") returned -1 [0089.522] lstrcmpiW (lpString1="windows", lpString2="Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe") returned 1 [0089.524] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.525] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.525] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe" [0089.525] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" [0089.525] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.525] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x109b0d90, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0089.526] CloseHandle (hObject=0x344) returned 1 [0089.526] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.526] lstrcmpW (lpString1=".", lpString2="Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe") returned -1 [0089.526] lstrcmpW (lpString1="..", lpString2="Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe") returned -1 [0089.526] lstrcmpiW (lpString1="windows", lpString2="Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe") returned 1 [0089.529] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.529] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.813] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe" [0089.813] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" [0089.813] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.813] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x109c8df8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0089.814] CloseHandle (hObject=0x384) returned 1 [0089.814] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.814] lstrcmpW (lpString1=".", lpString2="Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe") returned -1 [0089.814] lstrcmpW (lpString1="..", lpString2="Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe") returned -1 [0089.814] lstrcmpiW (lpString1="windows", lpString2="Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe") returned 1 [0089.817] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.817] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.817] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe" [0089.817] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" [0089.817] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.817] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x109f8ec8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0089.817] CloseHandle (hObject=0x384) returned 1 [0089.818] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.818] lstrcmpW (lpString1=".", lpString2="Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe") returned -1 [0089.818] lstrcmpW (lpString1="..", lpString2="Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe") returned -1 [0089.818] lstrcmpiW (lpString1="windows", lpString2="Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe") returned 1 [0089.820] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.820] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.820] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe" [0089.820] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" [0089.820] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.820] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10a10f30, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0089.821] CloseHandle (hObject=0x384) returned 1 [0089.821] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.821] lstrcmpW (lpString1=".", lpString2="Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe") returned -1 [0089.821] lstrcmpW (lpString1="..", lpString2="Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe") returned -1 [0089.821] lstrcmpiW (lpString1="windows", lpString2="Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe") returned 1 [0089.823] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.824] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.824] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe" [0089.824] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0089.824] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.824] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10a28f98, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0089.824] CloseHandle (hObject=0x384) returned 1 [0089.824] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.825] lstrcmpW (lpString1=".", lpString2="Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe") returned -1 [0089.825] lstrcmpW (lpString1="..", lpString2="Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe") returned -1 [0089.825] lstrcmpiW (lpString1="windows", lpString2="Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe") returned 1 [0089.828] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.828] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.828] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe" [0089.828] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*" [0089.828] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.828] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10a41000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0089.829] CloseHandle (hObject=0x384) returned 1 [0089.829] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.829] lstrcmpW (lpString1=".", lpString2="Microsoft.WindowsAlarms_10.1506.19010.0_x64__8wekyb3d8bbwe") returned -1 [0089.829] lstrcmpW (lpString1="..", lpString2="Microsoft.WindowsAlarms_10.1506.19010.0_x64__8wekyb3d8bbwe") returned -1 [0089.829] lstrcmpiW (lpString1="windows", lpString2="Microsoft.WindowsAlarms_10.1506.19010.0_x64__8wekyb3d8bbwe") returned 1 [0089.832] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.832] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.832] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.WindowsAlarms_10.1506.19010.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_10.1506.19010.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_10.1506.19010.0_x64__8wekyb3d8bbwe" [0089.832] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_10.1506.19010.0_x64__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" [0089.832] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.832] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10a59068, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0089.833] CloseHandle (hObject=0x384) returned 1 [0089.833] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.833] lstrcmpW (lpString1=".", lpString2="Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe") returned -1 [0089.833] lstrcmpW (lpString1="..", lpString2="Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe") returned -1 [0089.833] lstrcmpiW (lpString1="windows", lpString2="Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe") returned 1 [0089.836] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.836] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.836] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe" [0089.836] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*" [0089.836] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.836] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10a710d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0089.837] CloseHandle (hObject=0x384) returned 1 [0089.837] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.837] lstrcmpW (lpString1=".", lpString2="Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe") returned -1 [0089.837] lstrcmpW (lpString1="..", lpString2="Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe") returned -1 [0089.837] lstrcmpiW (lpString1="windows", lpString2="Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe") returned 1 [0089.838] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.838] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.839] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe" [0089.839] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" [0089.839] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.839] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10a89138, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0089.839] CloseHandle (hObject=0x384) returned 1 [0089.840] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.840] lstrcmpW (lpString1=".", lpString2="Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe") returned -1 [0089.840] lstrcmpW (lpString1="..", lpString2="Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe") returned -1 [0089.840] lstrcmpiW (lpString1="windows", lpString2="Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe") returned 1 [0089.843] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.843] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.843] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe" [0089.843] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*" [0089.843] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.843] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10aa11a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0089.844] CloseHandle (hObject=0x384) returned 1 [0089.844] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.844] lstrcmpW (lpString1=".", lpString2="Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe") returned -1 [0089.844] lstrcmpW (lpString1="..", lpString2="Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe") returned -1 [0089.844] lstrcmpiW (lpString1="windows", lpString2="Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe") returned 1 [0089.847] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.847] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.847] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe" [0089.847] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*" [0089.847] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.847] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10ab9208, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0089.848] CloseHandle (hObject=0x384) returned 1 [0089.848] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.848] lstrcmpW (lpString1=".", lpString2="Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe") returned -1 [0089.848] lstrcmpW (lpString1="..", lpString2="Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe") returned -1 [0089.848] lstrcmpiW (lpString1="windows", lpString2="Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe") returned 1 [0089.851] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.851] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.851] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe" [0089.851] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0089.851] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.851] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10ad1270, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0089.852] CloseHandle (hObject=0x384) returned 1 [0089.852] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.852] lstrcmpW (lpString1=".", lpString2="microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe") returned -1 [0089.852] lstrcmpW (lpString1="..", lpString2="microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe") returned -1 [0089.852] lstrcmpiW (lpString1="windows", lpString2="microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe") returned 1 [0089.855] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.855] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.855] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe" [0089.855] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" [0089.855] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.855] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10ae92d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0089.856] CloseHandle (hObject=0x384) returned 1 [0089.856] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.856] lstrcmpW (lpString1=".", lpString2="microsoft.windowscommunicationsapps_2015.6002.42251.0_neutral_~_8wekyb3d8bbwe") returned -1 [0089.856] lstrcmpW (lpString1="..", lpString2="microsoft.windowscommunicationsapps_2015.6002.42251.0_neutral_~_8wekyb3d8bbwe") returned -1 [0089.856] lstrcmpiW (lpString1="windows", lpString2="microsoft.windowscommunicationsapps_2015.6002.42251.0_neutral_~_8wekyb3d8bbwe") returned 1 [0089.923] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.923] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.923] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="microsoft.windowscommunicationsapps_2015.6002.42251.0_neutral_~_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_2015.6002.42251.0_neutral_~_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_2015.6002.42251.0_neutral_~_8wekyb3d8bbwe" [0089.923] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_2015.6002.42251.0_neutral_~_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_2015.6002.42251.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_2015.6002.42251.0_neutral_~_8wekyb3d8bbwe\\*.*" [0089.923] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.923] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10b01340, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0089.924] CloseHandle (hObject=0x344) returned 1 [0089.924] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.924] lstrcmpW (lpString1=".", lpString2="Microsoft.WindowsMaps_2015.619.213.0_neutral_~_8wekyb3d8bbwe") returned -1 [0089.924] lstrcmpW (lpString1="..", lpString2="Microsoft.WindowsMaps_2015.619.213.0_neutral_~_8wekyb3d8bbwe") returned -1 [0089.924] lstrcmpiW (lpString1="windows", lpString2="Microsoft.WindowsMaps_2015.619.213.0_neutral_~_8wekyb3d8bbwe") returned 1 [0089.927] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.927] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.927] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.WindowsMaps_2015.619.213.0_neutral_~_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_2015.619.213.0_neutral_~_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_2015.619.213.0_neutral_~_8wekyb3d8bbwe" [0089.927] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_2015.619.213.0_neutral_~_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_2015.619.213.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_2015.619.213.0_neutral_~_8wekyb3d8bbwe\\*.*" [0089.927] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.927] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10b193a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0089.928] CloseHandle (hObject=0x344) returned 1 [0089.928] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.928] lstrcmpW (lpString1=".", lpString2="Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe") returned -1 [0089.928] lstrcmpW (lpString1="..", lpString2="Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe") returned -1 [0089.929] lstrcmpiW (lpString1="windows", lpString2="Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe") returned 1 [0089.931] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.932] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.932] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe" [0089.932] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\*.*" [0089.932] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.932] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10b31410, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0089.933] CloseHandle (hObject=0x344) returned 1 [0089.933] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.933] lstrcmpW (lpString1=".", lpString2="Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe") returned -1 [0089.933] lstrcmpW (lpString1="..", lpString2="Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe") returned -1 [0089.933] lstrcmpiW (lpString1="windows", lpString2="Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe") returned 1 [0089.941] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.941] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.941] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe" [0089.941] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\*.*" [0089.941] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.941] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10b49478, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0089.942] CloseHandle (hObject=0x344) returned 1 [0089.942] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.942] lstrcmpW (lpString1=".", lpString2="Microsoft.WindowsPhone_2015.620.10.0_neutral_~_8wekyb3d8bbwe") returned -1 [0089.942] lstrcmpW (lpString1="..", lpString2="Microsoft.WindowsPhone_2015.620.10.0_neutral_~_8wekyb3d8bbwe") returned -1 [0089.942] lstrcmpiW (lpString1="windows", lpString2="Microsoft.WindowsPhone_2015.620.10.0_neutral_~_8wekyb3d8bbwe") returned 1 [0089.945] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.945] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.945] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.WindowsPhone_2015.620.10.0_neutral_~_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_2015.620.10.0_neutral_~_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_2015.620.10.0_neutral_~_8wekyb3d8bbwe" [0089.945] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_2015.620.10.0_neutral_~_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_2015.620.10.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_2015.620.10.0_neutral_~_8wekyb3d8bbwe\\*.*" [0089.945] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.945] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10b614e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0089.946] CloseHandle (hObject=0x344) returned 1 [0089.946] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.946] lstrcmpW (lpString1=".", lpString2="Microsoft.WindowsSoundRecorder_10.1506.15100.0_x64__8wekyb3d8bbwe") returned -1 [0089.946] lstrcmpW (lpString1="..", lpString2="Microsoft.WindowsSoundRecorder_10.1506.15100.0_x64__8wekyb3d8bbwe") returned -1 [0089.947] lstrcmpiW (lpString1="windows", lpString2="Microsoft.WindowsSoundRecorder_10.1506.15100.0_x64__8wekyb3d8bbwe") returned 1 [0089.949] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.949] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.949] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.WindowsSoundRecorder_10.1506.15100.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_10.1506.15100.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_10.1506.15100.0_x64__8wekyb3d8bbwe" [0089.950] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_10.1506.15100.0_x64__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_10.1506.15100.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_10.1506.15100.0_x64__8wekyb3d8bbwe\\*.*" [0089.950] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.950] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10b79548, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x238 [0089.976] CloseHandle (hObject=0x238) returned 1 [0089.976] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.976] lstrcmpW (lpString1=".", lpString2="Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe") returned -1 [0089.976] lstrcmpW (lpString1="..", lpString2="Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe") returned -1 [0089.976] lstrcmpiW (lpString1="windows", lpString2="Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe") returned 1 [0089.979] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.979] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.979] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe" [0089.979] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*" [0089.979] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.980] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10b915b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x238 [0089.980] CloseHandle (hObject=0x238) returned 1 [0089.980] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0089.980] lstrcmpW (lpString1=".", lpString2="Microsoft.WindowsStore_2015.7.1.0_x64__8wekyb3d8bbwe") returned -1 [0089.980] lstrcmpW (lpString1="..", lpString2="Microsoft.WindowsStore_2015.7.1.0_x64__8wekyb3d8bbwe") returned -1 [0089.980] lstrcmpiW (lpString1="windows", lpString2="Microsoft.WindowsStore_2015.7.1.0_x64__8wekyb3d8bbwe") returned 1 [0089.984] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0089.984] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0089.984] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.WindowsStore_2015.7.1.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.7.1.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.7.1.0_x64__8wekyb3d8bbwe" [0089.984] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.7.1.0_x64__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.7.1.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.7.1.0_x64__8wekyb3d8bbwe\\*.*" [0089.984] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0089.984] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10ba9618, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a8 [0090.202] CloseHandle (hObject=0x2a8) returned 1 [0090.202] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0090.202] lstrcmpW (lpString1=".", lpString2="Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe") returned -1 [0090.202] lstrcmpW (lpString1="..", lpString2="Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe") returned -1 [0090.202] lstrcmpiW (lpString1="windows", lpString2="Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe") returned 1 [0090.202] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0090.202] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0090.202] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe" [0090.202] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\*.*" [0090.202] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0090.203] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5b38740, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a8 [0090.204] CloseHandle (hObject=0x2a8) returned 1 [0090.204] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0090.204] lstrcmpW (lpString1=".", lpString2="Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe") returned -1 [0090.204] lstrcmpW (lpString1="..", lpString2="Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe") returned -1 [0090.204] lstrcmpiW (lpString1="windows", lpString2="Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe") returned 1 [0090.204] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0090.204] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0090.204] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe" [0090.204] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*" [0090.204] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0090.204] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x108789d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a8 [0090.205] CloseHandle (hObject=0x2a8) returned 1 [0090.205] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0090.205] lstrcmpW (lpString1=".", lpString2="Microsoft.XboxApp_5.6.17000.0_x64__8wekyb3d8bbwe") returned -1 [0090.205] lstrcmpW (lpString1="..", lpString2="Microsoft.XboxApp_5.6.17000.0_x64__8wekyb3d8bbwe") returned -1 [0090.205] lstrcmpiW (lpString1="windows", lpString2="Microsoft.XboxApp_5.6.17000.0_x64__8wekyb3d8bbwe") returned 1 [0090.205] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0090.205] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0090.205] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.XboxApp_5.6.17000.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_5.6.17000.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_5.6.17000.0_x64__8wekyb3d8bbwe" [0090.205] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_5.6.17000.0_x64__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_5.6.17000.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_5.6.17000.0_x64__8wekyb3d8bbwe\\*.*" [0090.205] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0090.206] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5a38320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a8 [0090.206] CloseHandle (hObject=0x2a8) returned 1 [0090.206] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0090.206] lstrcmpW (lpString1=".", lpString2="Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe") returned -1 [0090.206] lstrcmpW (lpString1="..", lpString2="Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe") returned -1 [0090.206] lstrcmpiW (lpString1="windows", lpString2="Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe") returned 1 [0090.210] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0090.210] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0090.210] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe" [0090.210] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*" [0090.210] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0090.210] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10c518f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a8 [0090.211] CloseHandle (hObject=0x2a8) returned 1 [0090.211] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0090.211] lstrcmpW (lpString1=".", lpString2="Microsoft.ZuneMusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe") returned -1 [0090.211] lstrcmpW (lpString1="..", lpString2="Microsoft.ZuneMusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe") returned -1 [0090.211] lstrcmpiW (lpString1="windows", lpString2="Microsoft.ZuneMusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe") returned 1 [0090.214] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0090.214] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0090.214] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.ZuneMusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe" [0090.214] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*" [0090.214] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0090.214] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10c69958, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a8 [0090.215] CloseHandle (hObject=0x2a8) returned 1 [0090.215] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0090.215] lstrcmpW (lpString1=".", lpString2="Microsoft.ZuneMusic_3.6.10841.0_x64__8wekyb3d8bbwe") returned -1 [0090.215] lstrcmpW (lpString1="..", lpString2="Microsoft.ZuneMusic_3.6.10841.0_x64__8wekyb3d8bbwe") returned -1 [0090.215] lstrcmpiW (lpString1="windows", lpString2="Microsoft.ZuneMusic_3.6.10841.0_x64__8wekyb3d8bbwe") returned 1 [0090.219] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0090.219] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0090.219] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.ZuneMusic_3.6.10841.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_x64__8wekyb3d8bbwe" [0090.219] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_x64__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_x64__8wekyb3d8bbwe\\*.*" [0090.219] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0090.220] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10c819c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a8 [0090.220] CloseHandle (hObject=0x2a8) returned 1 [0090.220] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0090.220] lstrcmpW (lpString1=".", lpString2="Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe") returned -1 [0090.221] lstrcmpW (lpString1="..", lpString2="Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe") returned -1 [0090.221] lstrcmpiW (lpString1="windows", lpString2="Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe") returned 1 [0090.224] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0090.224] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0090.224] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe" [0090.224] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*" [0090.224] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0090.224] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10c99a28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a8 [0090.225] CloseHandle (hObject=0x2a8) returned 1 [0090.225] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0090.225] lstrcmpW (lpString1=".", lpString2="Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe") returned -1 [0090.225] lstrcmpW (lpString1="..", lpString2="Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe") returned -1 [0090.225] lstrcmpiW (lpString1="windows", lpString2="Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe") returned 1 [0090.228] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0090.228] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0090.228] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe" [0090.228] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*" [0090.228] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0090.228] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10cb1a90, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a8 [0090.229] CloseHandle (hObject=0x2a8) returned 1 [0090.229] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 1 [0090.229] lstrcmpW (lpString1=".", lpString2="Microsoft.ZuneVideo_3.6.10811.0_x64__8wekyb3d8bbwe") returned -1 [0090.229] lstrcmpW (lpString1="..", lpString2="Microsoft.ZuneVideo_3.6.10811.0_x64__8wekyb3d8bbwe") returned -1 [0090.229] lstrcmpiW (lpString1="windows", lpString2="Microsoft.ZuneVideo_3.6.10811.0_x64__8wekyb3d8bbwe") returned 1 [0090.232] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\*.*" [0090.232] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\*.*") returned 36 [0090.232] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\", lpString2="Microsoft.ZuneVideo_3.6.10811.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_x64__8wekyb3d8bbwe" [0090.232] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_x64__8wekyb3d8bbwe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_x64__8wekyb3d8bbwe\\*.*" [0090.232] GlobalMemoryStatus (in: lpBuffer=0x68cfd08 | out: lpBuffer=0x68cfd08) [0090.233] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10cc9af8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a8 [0090.233] CloseHandle (hObject=0x2a8) returned 1 [0090.234] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x68cfd28 | out: lpFindFileData=0x68cfd28) returned 0 [0090.234] FindClose (in: hFindFile=0x5c8ed0 | out: hFindFile=0x5c8ed0) returned 1 Thread: id = 111 os_tid = 0xec8 [0088.417] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsPowerShell\\*.*", lpFindFileData=0x6a0fd28 | out: lpFindFileData=0x6a0fd28) returned 0x5c8e90 [0088.418] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.418] FindNextFileW (in: hFindFile=0x5c8e90, lpFindFileData=0x6a0fd28 | out: lpFindFileData=0x6a0fd28) returned 1 [0088.493] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0088.493] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.493] FindNextFileW (in: hFindFile=0x5c8e90, lpFindFileData=0x6a0fd28 | out: lpFindFileData=0x6a0fd28) returned 1 [0088.493] lstrcmpW (lpString1=".", lpString2="Configuration") returned -1 [0088.493] lstrcmpW (lpString1="..", lpString2="Configuration") returned -1 [0088.493] lstrcmpiW (lpString1="windows", lpString2="Configuration") returned 1 [0088.493] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsPowerShell\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\*.*" [0088.493] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsPowerShell\\*.*") returned 42 [0088.493] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\", lpString2="Configuration" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration" [0088.493] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\*.*" [0088.494] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5ded18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x37c [0088.494] CloseHandle (hObject=0x37c) returned 1 [0088.494] FindNextFileW (in: hFindFile=0x5c8e90, lpFindFileData=0x6a0fd28 | out: lpFindFileData=0x6a0fd28) returned 1 [0088.494] lstrcmpW (lpString1=".", lpString2="Modules") returned -1 [0088.494] lstrcmpW (lpString1="..", lpString2="Modules") returned -1 [0088.494] lstrcmpiW (lpString1="windows", lpString2="Modules") returned 1 [0088.496] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsPowerShell\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\*.*" [0088.496] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsPowerShell\\*.*") returned 42 [0088.496] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\", lpString2="Modules" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules" [0088.497] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\*.*" [0088.497] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5ce0d68, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x37c [0088.511] CloseHandle (hObject=0x37c) returned 1 [0088.511] FindNextFileW (in: hFindFile=0x5c8e90, lpFindFileData=0x6a0fd28 | out: lpFindFileData=0x6a0fd28) returned 0 [0088.511] FindClose (in: hFindFile=0x5c8e90 | out: hFindFile=0x5c8e90) returned 1 Thread: id = 112 os_tid = 0xe5c [0090.433] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*.*", lpFindFileData=0x6b4fd28 | out: lpFindFileData=0x6b4fd28) returned 0x5c8a90 [0090.434] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.434] FindNextFileW (in: hFindFile=0x5c8a90, lpFindFileData=0x6b4fd28 | out: lpFindFileData=0x6b4fd28) returned 1 [0090.434] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.434] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.434] FindNextFileW (in: hFindFile=0x5c8a90, lpFindFileData=0x6b4fd28 | out: lpFindFileData=0x6b4fd28) returned 1 [0090.434] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*.*" [0090.434] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*.*") returned 46 [0090.434] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\How To Restore Files.hta" [0090.434] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\designer\\how to restore files.hta")) returned 0xffffffff [0090.434] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\designer\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0090.465] WriteFile (in: hFile=0x36c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x6b4fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x6b4fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0090.466] CloseHandle (hObject=0x36c) returned 1 [0090.466] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0090.467] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MSADDNDR.OLB") returned -1 [0090.467] lstrlenW (lpString="MSADDNDR.OLB") returned 12 [0090.467] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*.*" [0090.467] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*.*") returned 46 [0090.467] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\", lpString2="MSADDNDR.OLB" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" [0090.467] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" [0090.467] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB id-Br3n0G72wUb8CejT.LyaS" [0090.467] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb id-br3n0g72wub8cejt.lyas")) returned 1 [0090.468] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0090.468] CreateFileMappingA (hFile=0x36c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x2ec [0090.468] CryptAcquireContextA (in: phProv=0x6b4fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x6b4fce4*=0x5d1580) returned 1 [0090.469] CryptGenKey (in: hProv=0x5d1580, Algid=0x6610, dwFlags=0x1, phKey=0x6b4fce0 | out: phKey=0x6b4fce0*=0x5c84d0) returned 1 [0090.469] CryptExportKey (in: hKey=0x5c84d0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x6b4fbdc, pdwDataLen=0x6b4fcdc | out: pbData=0x6b4fbdc*, pdwDataLen=0x6b4fcdc*=0x2c) returned 1 [0090.469] MapViewOfFile (hFileMappingObject=0x2ec, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5ea0) returned 0x30c0000 [0090.988] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x6b4fbdc*, pdwDataLen=0x6b4fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x6b4fbdc*, pdwDataLen=0x6b4fcf0*=0x100) returned 1 [0091.060] CryptEncrypt (in: hKey=0x5c84d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30c0000, pdwDataLen=0x6b4fcdc*=0x5ea0, dwBufLen=0x5ea0 | out: pbData=0x30c0000*, pdwDataLen=0x6b4fcdc*=0x5ea0) returned 1 [0091.069] UnmapViewOfFile (lpBaseAddress=0x30c0000) returned 1 [0091.069] CloseHandle (hObject=0x2ec) returned 1 [0091.069] CryptDestroyKey (hKey=0x5c84d0) returned 1 [0091.069] CryptReleaseContext (hProv=0x5d1580, dwFlags=0x0) returned 1 [0091.069] SetFilePointerEx (in: hFile=0x36c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.069] WriteFile (in: hFile=0x36c, lpBuffer=0x6b4fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x6b4fcf0, lpOverlapped=0x0 | out: lpBuffer=0x6b4fbdc*, lpNumberOfBytesWritten=0x6b4fcf0*=0x100, lpOverlapped=0x0) returned 1 [0091.070] WriteFile (in: hFile=0x36c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x6b4fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x6b4fcf0*=0x500, lpOverlapped=0x0) returned 1 [0091.070] CloseHandle (hObject=0x36c) returned 1 [0091.072] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0091.072] FindNextFileW (in: hFindFile=0x5c8a90, lpFindFileData=0x6b4fd28 | out: lpFindFileData=0x6b4fd28) returned 0 [0091.072] FindClose (in: hFindFile=0x5c8a90 | out: hFindFile=0x5c8a90) returned 1 Thread: id = 113 os_tid = 0x114 [0090.435] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*", lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 0x5c8b10 [0090.435] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.435] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0090.435] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.435] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.435] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0090.435] lstrcmpW (lpString1=".", lpString2="ClickToRun") returned -1 [0090.436] lstrcmpW (lpString1="..", lpString2="ClickToRun") returned -1 [0090.436] lstrcmpiW (lpString1="windows", lpString2="ClickToRun") returned 1 [0090.436] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" [0090.436] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned 54 [0090.436] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\", lpString2="ClickToRun" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun" [0090.436] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*.*" [0090.436] GlobalMemoryStatus (in: lpBuffer=0x6c8fd08 | out: lpBuffer=0x6c8fd08) [0090.436] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5ae05f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2ec [0090.436] CloseHandle (hObject=0x2ec) returned 1 [0090.437] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0090.437] lstrcmpW (lpString1=".", lpString2="ink") returned -1 [0090.437] lstrcmpW (lpString1="..", lpString2="ink") returned -1 [0090.437] lstrcmpiW (lpString1="windows", lpString2="ink") returned 1 [0090.437] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" [0090.437] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned 54 [0090.437] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\", lpString2="ink" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink" [0090.437] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0090.437] GlobalMemoryStatus (in: lpBuffer=0x6c8fd08 | out: lpBuffer=0x6c8fd08) [0090.437] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10820958, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2ec [0090.438] CloseHandle (hObject=0x2ec) returned 1 [0090.438] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0090.438] lstrcmpW (lpString1=".", lpString2="MSInfo") returned -1 [0090.438] lstrcmpW (lpString1="..", lpString2="MSInfo") returned -1 [0090.438] lstrcmpiW (lpString1="windows", lpString2="MSInfo") returned 1 [0090.438] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" [0090.438] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned 54 [0090.438] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\", lpString2="MSInfo" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo" [0090.438] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\*.*" [0090.438] GlobalMemoryStatus (in: lpBuffer=0x6c8fd08 | out: lpBuffer=0x6c8fd08) [0090.438] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x108d0a48, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2ec [0090.439] CloseHandle (hObject=0x2ec) returned 1 [0090.439] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0090.439] lstrcmpW (lpString1=".", lpString2="OFFICE16") returned -1 [0090.439] lstrcmpW (lpString1="..", lpString2="OFFICE16") returned -1 [0090.439] lstrcmpiW (lpString1="windows", lpString2="OFFICE16") returned 1 [0090.439] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" [0090.439] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned 54 [0090.439] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\", lpString2="OFFICE16" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16" [0090.439] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\*.*" [0090.439] GlobalMemoryStatus (in: lpBuffer=0x6c8fd08 | out: lpBuffer=0x6c8fd08) [0090.439] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3da01e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2ec [0090.440] CloseHandle (hObject=0x2ec) returned 1 [0090.440] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0090.440] lstrcmpW (lpString1=".", lpString2="OfficeSoftwareProtectionPlatform") returned -1 [0090.440] lstrcmpW (lpString1="..", lpString2="OfficeSoftwareProtectionPlatform") returned -1 [0090.440] lstrcmpiW (lpString1="windows", lpString2="OfficeSoftwareProtectionPlatform") returned 1 [0090.440] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" [0090.440] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned 54 [0090.440] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\", lpString2="OfficeSoftwareProtectionPlatform" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform" [0090.440] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform\\*.*" [0090.441] GlobalMemoryStatus (in: lpBuffer=0x6c8fd08 | out: lpBuffer=0x6c8fd08) [0090.441] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3ee8070, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2ec [0090.441] CloseHandle (hObject=0x2ec) returned 1 [0090.442] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0090.442] lstrcmpW (lpString1=".", lpString2="Source Engine") returned -1 [0090.442] lstrcmpW (lpString1="..", lpString2="Source Engine") returned -1 [0090.442] lstrcmpiW (lpString1="windows", lpString2="Source Engine") returned 1 [0090.442] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" [0090.442] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned 54 [0090.442] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\", lpString2="Source Engine" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine" [0090.442] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\*.*" [0090.442] GlobalMemoryStatus (in: lpBuffer=0x6c8fd08 | out: lpBuffer=0x6c8fd08) [0090.442] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x107a88d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2ec [0090.443] CloseHandle (hObject=0x2ec) returned 1 [0090.443] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0090.443] lstrcmpW (lpString1=".", lpString2="Stationery") returned -1 [0090.443] lstrcmpW (lpString1="..", lpString2="Stationery") returned -1 [0090.443] lstrcmpiW (lpString1="windows", lpString2="Stationery") returned 1 [0090.443] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" [0090.443] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned 54 [0090.443] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\", lpString2="Stationery" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery" [0090.443] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" [0090.443] GlobalMemoryStatus (in: lpBuffer=0x6c8fd08 | out: lpBuffer=0x6c8fd08) [0090.443] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5b106c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2ec [0090.444] CloseHandle (hObject=0x2ec) returned 1 [0090.444] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0090.444] lstrcmpW (lpString1=".", lpString2="TextConv") returned -1 [0090.444] lstrcmpW (lpString1="..", lpString2="TextConv") returned -1 [0090.444] lstrcmpiW (lpString1="windows", lpString2="TextConv") returned 1 [0090.444] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" [0090.444] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned 54 [0090.444] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\", lpString2="TextConv" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\TextConv") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\TextConv" [0090.444] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\TextConv", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\TextConv\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\TextConv\\*.*" [0090.444] GlobalMemoryStatus (in: lpBuffer=0x6c8fd08 | out: lpBuffer=0x6c8fd08) [0090.444] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2c601e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2ec [0090.445] CloseHandle (hObject=0x2ec) returned 1 [0090.445] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0090.445] lstrcmpW (lpString1=".", lpString2="Triedit") returned -1 [0090.445] lstrcmpW (lpString1="..", lpString2="Triedit") returned -1 [0090.445] lstrcmpiW (lpString1="windows", lpString2="Triedit") returned 1 [0090.446] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" [0090.446] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned 54 [0090.446] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\", lpString2="Triedit" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Triedit") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Triedit" [0090.446] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Triedit", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Triedit\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Triedit\\*.*" [0090.446] GlobalMemoryStatus (in: lpBuffer=0x6c8fd08 | out: lpBuffer=0x6c8fd08) [0090.446] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2c78250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2ec [0090.447] CloseHandle (hObject=0x2ec) returned 1 [0090.447] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0090.447] lstrcmpW (lpString1=".", lpString2="VC") returned -1 [0090.447] lstrcmpW (lpString1="..", lpString2="VC") returned -1 [0090.447] lstrcmpiW (lpString1="windows", lpString2="VC") returned 1 [0090.451] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" [0090.451] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned 54 [0090.451] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\", lpString2="VC" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC" [0090.451] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\*.*" [0090.451] GlobalMemoryStatus (in: lpBuffer=0x6c8fd08 | out: lpBuffer=0x6c8fd08) [0090.452] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10cf9bc8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2ec [0090.453] CloseHandle (hObject=0x2ec) returned 1 [0090.453] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0090.453] lstrcmpW (lpString1=".", lpString2="VGX") returned -1 [0090.453] lstrcmpW (lpString1="..", lpString2="VGX") returned -1 [0090.453] lstrcmpiW (lpString1="windows", lpString2="VGX") returned 1 [0090.457] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" [0090.457] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned 54 [0090.457] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\", lpString2="VGX" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX" [0090.457] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\*.*" [0090.457] GlobalMemoryStatus (in: lpBuffer=0x6c8fd08 | out: lpBuffer=0x6c8fd08) [0090.457] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10d11c30, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2ec [0090.459] CloseHandle (hObject=0x2ec) returned 1 [0090.459] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0090.459] lstrcmpW (lpString1=".", lpString2="VSTO") returned -1 [0090.459] lstrcmpW (lpString1="..", lpString2="VSTO") returned -1 [0090.459] lstrcmpiW (lpString1="windows", lpString2="VSTO") returned 1 [0090.463] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*" [0090.463] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned 54 [0090.463] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\", lpString2="VSTO" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO" [0090.463] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*.*" [0090.463] GlobalMemoryStatus (in: lpBuffer=0x6c8fd08 | out: lpBuffer=0x6c8fd08) [0090.463] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10d29c98, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2ec [0090.464] CloseHandle (hObject=0x2ec) returned 1 [0090.464] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 0 [0090.464] FindClose (in: hFindFile=0x5c8b10 | out: hFindFile=0x5c8b10) returned 1 Thread: id = 114 os_tid = 0xef4 [0090.473] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\*.*", lpFindFileData=0x6dcfd28 | out: lpFindFileData=0x6dcfd28) returned 0x5c8b10 [0090.473] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.473] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x6dcfd28 | out: lpFindFileData=0x6dcfd28) returned 1 [0090.473] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.473] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.473] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x6dcfd28 | out: lpFindFileData=0x6dcfd28) returned 1 [0090.473] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Services\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Services\\*.*" [0090.473] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Services\\*.*") returned 46 [0090.473] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Services\\How To Restore Files.hta" [0090.473] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\services\\how to restore files.hta")) returned 0xffffffff [0090.473] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\services\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0090.474] WriteFile (in: hFile=0x22c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x6dcfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x6dcfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0090.475] CloseHandle (hObject=0x22c) returned 1 [0090.475] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0090.476] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="verisign.bmp") returned -1 [0090.476] lstrlenW (lpString="verisign.bmp") returned 12 [0090.476] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Services\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Services\\*.*" [0090.476] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Services\\*.*") returned 46 [0090.476] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services\\", lpString2="verisign.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp" [0090.476] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp" [0090.476] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp id-Br3n0G72wUb8CejT.LyaS" [0090.476] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\services\\verisign.bmp id-br3n0g72wub8cejt.lyas")) returned 1 [0091.073] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\services\\verisign.bmp id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0091.073] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\services\\verisign.bmp id-br3n0g72wub8cejt.lyas"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp")) returned 1 [0091.073] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x6dcfd28 | out: lpFindFileData=0x6dcfd28) returned 0 [0091.074] FindClose (in: hFindFile=0x5c8b10 | out: hFindFile=0x5c8b10) returned 1 Thread: id = 115 os_tid = 0xda0 [0090.477] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*", lpFindFileData=0x6f0fd28 | out: lpFindFileData=0x6f0fd28) returned 0x5c8b50 [0090.477] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.477] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x6f0fd28 | out: lpFindFileData=0x6f0fd28) returned 1 [0090.477] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.477] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.477] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x6f0fd28 | out: lpFindFileData=0x6f0fd28) returned 1 [0090.477] lstrcmpW (lpString1=".", lpString2="ado") returned -1 [0090.477] lstrcmpW (lpString1="..", lpString2="ado") returned -1 [0090.477] lstrcmpiW (lpString1="windows", lpString2="ado") returned 1 [0090.477] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" [0090.477] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned 44 [0090.477] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\", lpString2="ado" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado" [0090.477] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0090.477] GlobalMemoryStatus (in: lpBuffer=0x6f0fd08 | out: lpBuffer=0x6f0fd08) [0090.477] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3e78140, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a8 [0090.478] CloseHandle (hObject=0x2a8) returned 1 [0090.478] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x6f0fd28 | out: lpFindFileData=0x6f0fd28) returned 1 [0090.478] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" [0090.478] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned 44 [0090.478] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\How To Restore Files.hta" [0090.478] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\how to restore files.hta")) returned 0xffffffff [0090.478] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0090.479] WriteFile (in: hFile=0x2a8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x6f0fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x6f0fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0090.480] CloseHandle (hObject=0x2a8) returned 1 [0090.480] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0090.480] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="DirectDB.dll") returned 1 [0090.480] lstrlenW (lpString="DirectDB.dll") returned 12 [0090.480] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" [0090.480] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned 44 [0090.480] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\", lpString2="DirectDB.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll" [0090.480] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll" [0090.480] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll id-Br3n0G72wUb8CejT.LyaS" [0090.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll" (normalized: "c:\\program files\\common files\\system\\directdb.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\system\\directdb.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0090.987] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x6f0fd28 | out: lpFindFileData=0x6f0fd28) returned 1 [0090.987] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0090.987] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0090.987] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0091.074] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" [0091.074] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned 44 [0091.074] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US" [0091.074] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\*.*" [0091.074] GlobalMemoryStatus (in: lpBuffer=0x6f0fd08 | out: lpBuffer=0x6f0fd08) [0091.074] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3e901a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x364 [0091.075] CloseHandle (hObject=0x364) returned 1 [0091.075] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x6f0fd28 | out: lpFindFileData=0x6f0fd28) returned 1 [0091.075] lstrcmpW (lpString1=".", lpString2="msadc") returned -1 [0091.075] lstrcmpW (lpString1="..", lpString2="msadc") returned -1 [0091.075] lstrcmpiW (lpString1="windows", lpString2="msadc") returned 1 [0091.075] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" [0091.075] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned 44 [0091.075] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\", lpString2="msadc" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc" [0091.075] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0091.075] GlobalMemoryStatus (in: lpBuffer=0x6f0fd08 | out: lpBuffer=0x6f0fd08) [0091.075] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x59d8180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x364 [0091.077] CloseHandle (hObject=0x364) returned 1 [0091.077] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x6f0fd28 | out: lpFindFileData=0x6f0fd28) returned 1 [0091.077] lstrcmpW (lpString1=".", lpString2="Ole DB") returned -1 [0091.077] lstrcmpW (lpString1="..", lpString2="Ole DB") returned -1 [0091.077] lstrcmpiW (lpString1="windows", lpString2="Ole DB") returned 1 [0091.077] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" [0091.077] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned 44 [0091.077] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\", lpString2="Ole DB" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB" [0091.077] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0091.077] GlobalMemoryStatus (in: lpBuffer=0x6f0fd08 | out: lpBuffer=0x6f0fd08) [0091.077] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5b507a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x364 [0091.078] CloseHandle (hObject=0x364) returned 1 [0091.078] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x6f0fd28 | out: lpFindFileData=0x6f0fd28) returned 1 [0091.078] lstrcpyW (in: lpString1=0x3db8250, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" [0091.078] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned 44 [0091.078] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\How To Restore Files.hta" [0091.078] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\how to restore files.hta")) returned 0x1 [0091.078] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wab32.dll") returned -1 [0091.078] lstrlenW (lpString="wab32.dll") returned 9 [0091.078] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" [0091.078] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned 44 [0091.078] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\", lpString2="wab32.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll" [0091.078] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll" [0091.078] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll id-Br3n0G72wUb8CejT.LyaS" [0091.079] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll" (normalized: "c:\\program files\\common files\\system\\wab32.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\system\\wab32.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.079] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x6f0fd28 | out: lpFindFileData=0x6f0fd28) returned 1 [0091.079] lstrcpyW (in: lpString1=0x3db8250, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" [0091.079] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned 44 [0091.079] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\How To Restore Files.hta" [0091.079] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\how to restore files.hta")) returned 0x1 [0091.079] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wab32res.dll") returned -1 [0091.079] lstrlenW (lpString="wab32res.dll") returned 12 [0091.079] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" [0091.079] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned 44 [0091.079] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\", lpString2="wab32res.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll" [0091.079] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll" [0091.079] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll id-Br3n0G72wUb8CejT.LyaS" [0091.079] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll" (normalized: "c:\\program files\\common files\\system\\wab32res.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\system\\wab32res.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.080] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x6f0fd28 | out: lpFindFileData=0x6f0fd28) returned 0 [0091.080] FindClose (in: hFindFile=0x5c8b50 | out: hFindFile=0x5c8b50) returned 1 Thread: id = 116 os_tid = 0xda4 [0090.481] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*", lpFindFileData=0x2f7fd28 | out: lpFindFileData=0x2f7fd28) returned 0x5c8b90 [0090.481] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.481] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x2f7fd28 | out: lpFindFileData=0x2f7fd28) returned 1 [0090.481] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.481] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.481] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x2f7fd28 | out: lpFindFileData=0x2f7fd28) returned 1 [0090.481] lstrcmpW (lpString1=".", lpString2="Esl") returned -1 [0090.481] lstrcmpW (lpString1="..", lpString2="Esl") returned -1 [0090.481] lstrcmpiW (lpString1="windows", lpString2="Esl") returned 1 [0090.485] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*" [0090.485] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*") returned 54 [0090.485] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\", lpString2="Esl" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl" [0090.485] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\*.*" [0090.485] GlobalMemoryStatus (in: lpBuffer=0x2f7fd08 | out: lpBuffer=0x2f7fd08) [0090.485] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10d41d00, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x28c [0090.486] CloseHandle (hObject=0x28c) returned 1 [0090.486] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x2f7fd28 | out: lpFindFileData=0x2f7fd28) returned 1 [0090.486] lstrcmpW (lpString1=".", lpString2="Reader") returned -1 [0090.486] lstrcmpW (lpString1="..", lpString2="Reader") returned -1 [0090.486] lstrcmpiW (lpString1="windows", lpString2="Reader") returned 1 [0090.489] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*" [0090.489] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*") returned 54 [0090.489] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\", lpString2="Reader" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader" [0090.489] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\*.*" [0090.489] GlobalMemoryStatus (in: lpBuffer=0x2f7fd08 | out: lpBuffer=0x2f7fd08) [0090.490] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10d59d68, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x28c [0090.490] CloseHandle (hObject=0x28c) returned 1 [0090.490] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x2f7fd28 | out: lpFindFileData=0x2f7fd28) returned 1 [0090.491] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*" [0090.491] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*") returned 54 [0090.491] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\How To Restore Files.hta" [0090.491] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\adobe\\acrobat reader dc\\how to restore files.hta")) returned 0xffffffff [0090.491] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\adobe\\acrobat reader dc\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x28c [0090.491] WriteFile (in: hFile=0x28c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x2f7fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2f7fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0090.492] CloseHandle (hObject=0x28c) returned 1 [0090.493] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0090.493] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ReadMe.htm") returned -1 [0090.493] lstrlenW (lpString="ReadMe.htm") returned 10 [0090.493] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*" [0090.493] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*") returned 54 [0090.493] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\", lpString2="ReadMe.htm" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\ReadMe.htm") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\ReadMe.htm" [0090.493] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\ReadMe.htm" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\ReadMe.htm") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\ReadMe.htm" [0090.493] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\ReadMe.htm", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\ReadMe.htm id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\ReadMe.htm id-Br3n0G72wUb8CejT.LyaS" [0090.493] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\ReadMe.htm" (normalized: "c:\\program files (x86)\\adobe\\acrobat reader dc\\readme.htm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\ReadMe.htm id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\adobe\\acrobat reader dc\\readme.htm id-br3n0g72wub8cejt.lyas")) returned 1 [0090.494] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\ReadMe.htm id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\adobe\\acrobat reader dc\\readme.htm id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x28c [0090.494] CreateFileMappingA (hFile=0x28c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x304 [0090.494] CryptAcquireContextA (in: phProv=0x2f7fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2f7fce4*=0x5d0d00) returned 1 [0090.495] CryptGenKey (in: hProv=0x5d0d00, Algid=0x6610, dwFlags=0x1, phKey=0x2f7fce0 | out: phKey=0x2f7fce0*=0x5c8750) returned 1 [0090.495] CryptExportKey (in: hKey=0x5c8750, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2f7fbdc, pdwDataLen=0x2f7fcdc | out: pbData=0x2f7fbdc*, pdwDataLen=0x2f7fcdc*=0x2c) returned 1 [0090.495] MapViewOfFile (hFileMappingObject=0x304, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x40e0) returned 0x31d0000 [0093.210] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f7fbdc*, pdwDataLen=0x2f7fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x2f7fbdc*, pdwDataLen=0x2f7fcf0*=0x100) returned 1 [0093.211] CryptEncrypt (in: hKey=0x5c8750, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x31d0000, pdwDataLen=0x2f7fcdc*=0x40e0, dwBufLen=0x40e0 | out: pbData=0x31d0000*, pdwDataLen=0x2f7fcdc*=0x40e0) returned 1 [0094.181] UnmapViewOfFile (lpBaseAddress=0x31d0000) returned 1 [0094.181] CloseHandle (hObject=0x304) returned 1 [0094.181] CryptDestroyKey (hKey=0x5c8750) returned 1 [0094.181] CryptReleaseContext (hProv=0x5d0d00, dwFlags=0x0) returned 1 [0094.181] SetFilePointerEx (in: hFile=0x28c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.182] WriteFile (in: hFile=0x28c, lpBuffer=0x2f7fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2f7fcf0, lpOverlapped=0x0 | out: lpBuffer=0x2f7fbdc*, lpNumberOfBytesWritten=0x2f7fcf0*=0x100, lpOverlapped=0x0) returned 1 [0094.412] WriteFile (in: hFile=0x28c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x2f7fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x2f7fcf0*=0x500, lpOverlapped=0x0) returned 1 [0094.413] CloseHandle (hObject=0x28c) returned 1 [0094.414] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\ReadMe.htm id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0094.508] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x2f7fd28 | out: lpFindFileData=0x2f7fd28) returned 1 [0094.508] lstrcmpW (lpString1=".", lpString2="Resource") returned -1 [0094.508] lstrcmpW (lpString1="..", lpString2="Resource") returned -1 [0094.508] lstrcmpiW (lpString1="windows", lpString2="Resource") returned 1 [0095.346] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*" [0095.346] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*") returned 54 [0095.346] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\", lpString2="Resource" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource" [0095.346] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\*.*" [0095.346] GlobalMemoryStatus (in: lpBuffer=0x2f7fd08 | out: lpBuffer=0x2f7fd08) [0095.346] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5f6d80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0095.347] CloseHandle (hObject=0x344) returned 1 [0095.347] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x2f7fd28 | out: lpFindFileData=0x2f7fd28) returned 1 [0095.347] lstrcmpW (lpString1=".", lpString2="Setup Files") returned -1 [0095.347] lstrcmpW (lpString1="..", lpString2="Setup Files") returned -1 [0095.347] lstrcmpiW (lpString1="windows", lpString2="Setup Files") returned 1 [0095.347] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*" [0095.347] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\*.*") returned 54 [0095.347] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\", lpString2="Setup Files" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files" [0095.347] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\*.*" [0095.347] GlobalMemoryStatus (in: lpBuffer=0x2f7fd08 | out: lpBuffer=0x2f7fd08) [0095.348] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x59c0118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0095.348] CloseHandle (hObject=0x344) returned 1 [0095.348] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x2f7fd28 | out: lpFindFileData=0x2f7fd28) returned 0 [0095.349] FindClose (in: hFindFile=0x5c8b90 | out: hFindFile=0x5c8b90) returned 1 Thread: id = 117 os_tid = 0xf94 [0090.543] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*", lpFindFileData=0x30bfd28 | out: lpFindFileData=0x30bfd28) returned 0x5c8890 [0090.543] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.543] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x30bfd28 | out: lpFindFileData=0x30bfd28) returned 1 [0090.543] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.543] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.543] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x30bfd28 | out: lpFindFileData=0x30bfd28) returned 1 [0090.543] lstrcmpW (lpString1=".", lpString2="Acrobat") returned -1 [0090.543] lstrcmpW (lpString1="..", lpString2="Acrobat") returned -1 [0090.543] lstrcmpiW (lpString1="windows", lpString2="Acrobat") returned 1 [0090.546] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*" [0090.546] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*") returned 49 [0090.546] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\", lpString2="Acrobat" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat" [0090.546] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\*.*" [0090.546] GlobalMemoryStatus (in: lpBuffer=0x30bfd08 | out: lpBuffer=0x30bfd08) [0090.546] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10d75dd8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0090.547] CloseHandle (hObject=0x344) returned 1 [0090.547] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x30bfd28 | out: lpFindFileData=0x30bfd28) returned 1 [0090.548] lstrcmpW (lpString1=".", lpString2="ARM") returned -1 [0090.548] lstrcmpW (lpString1="..", lpString2="ARM") returned -1 [0090.548] lstrcmpiW (lpString1="windows", lpString2="ARM") returned 1 [0090.551] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*" [0090.551] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*") returned 49 [0090.551] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\", lpString2="ARM" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM" [0090.551] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\*.*" [0090.551] GlobalMemoryStatus (in: lpBuffer=0x30bfd08 | out: lpBuffer=0x30bfd08) [0090.551] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10d8de40, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0090.552] CloseHandle (hObject=0x344) returned 1 [0090.552] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x30bfd28 | out: lpFindFileData=0x30bfd28) returned 1 [0090.552] lstrcmpW (lpString1=".", lpString2="HelpCfg") returned -1 [0090.552] lstrcmpW (lpString1="..", lpString2="HelpCfg") returned -1 [0090.552] lstrcmpiW (lpString1="windows", lpString2="HelpCfg") returned 1 [0090.555] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*" [0090.555] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*") returned 49 [0090.555] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\", lpString2="HelpCfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg" [0090.555] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0090.555] GlobalMemoryStatus (in: lpBuffer=0x30bfd08 | out: lpBuffer=0x30bfd08) [0090.555] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10da5ea8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0090.556] CloseHandle (hObject=0x344) returned 1 [0090.556] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x30bfd28 | out: lpFindFileData=0x30bfd28) returned 1 [0090.556] lstrcmpW (lpString1=".", lpString2="Reader") returned -1 [0090.556] lstrcmpW (lpString1="..", lpString2="Reader") returned -1 [0090.556] lstrcmpiW (lpString1="windows", lpString2="Reader") returned 1 [0090.559] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*" [0090.559] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*") returned 49 [0090.559] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\", lpString2="Reader" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader" [0090.559] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader\\*.*" [0090.559] GlobalMemoryStatus (in: lpBuffer=0x30bfd08 | out: lpBuffer=0x30bfd08) [0090.561] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10dbdf10, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0090.561] CloseHandle (hObject=0x344) returned 1 [0090.562] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x30bfd28 | out: lpFindFileData=0x30bfd28) returned 0 [0090.562] FindClose (in: hFindFile=0x5c8890 | out: hFindFile=0x5c8890) returned 1 Thread: id = 118 os_tid = 0xf98 [0090.563] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\*.*", lpFindFileData=0x347fd28 | out: lpFindFileData=0x347fd28) returned 0x5c8890 [0090.564] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.564] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x347fd28 | out: lpFindFileData=0x347fd28) returned 1 [0090.564] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.564] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.564] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x347fd28 | out: lpFindFileData=0x347fd28) returned 1 [0090.564] lstrcmpW (lpString1=".", lpString2="Java Update") returned -1 [0090.564] lstrcmpW (lpString1="..", lpString2="Java Update") returned -1 [0090.564] lstrcmpiW (lpString1="windows", lpString2="Java Update") returned 1 [0090.564] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\*.*" [0090.564] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\*.*") returned 48 [0090.564] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\", lpString2="Java Update" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update" [0090.564] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*" [0090.564] GlobalMemoryStatus (in: lpBuffer=0x347fd08 | out: lpBuffer=0x347fd08) [0090.564] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3d70118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0090.565] CloseHandle (hObject=0x344) returned 1 [0090.565] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x347fd28 | out: lpFindFileData=0x347fd28) returned 0 [0090.565] FindClose (in: hFindFile=0x5c8890 | out: hFindFile=0x5c8890) returned 1 Thread: id = 119 os_tid = 0xf9c [0090.566] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*", lpFindFileData=0x704fd28 | out: lpFindFileData=0x704fd28) returned 0x5c8890 [0090.566] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.566] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x704fd28 | out: lpFindFileData=0x704fd28) returned 1 [0090.566] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.566] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.566] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x704fd28 | out: lpFindFileData=0x704fd28) returned 1 [0090.567] lstrcmpW (lpString1=".", lpString2="DAO") returned -1 [0090.567] lstrcmpW (lpString1="..", lpString2="DAO") returned -1 [0090.567] lstrcmpiW (lpString1="windows", lpString2="DAO") returned 1 [0090.567] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*" [0090.567] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*") returned 60 [0090.567] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\", lpString2="DAO" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO" [0090.567] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\*.*" [0090.567] GlobalMemoryStatus (in: lpBuffer=0x704fd08 | out: lpBuffer=0x704fd08) [0090.567] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x59c0118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0090.568] CloseHandle (hObject=0x344) returned 1 [0090.568] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x704fd28 | out: lpFindFileData=0x704fd28) returned 1 [0090.568] lstrcmpW (lpString1=".", lpString2="Ink") returned -1 [0090.568] lstrcmpW (lpString1="..", lpString2="Ink") returned -1 [0090.568] lstrcmpiW (lpString1="windows", lpString2="Ink") returned 1 [0090.571] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*" [0090.571] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*") returned 60 [0090.571] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\", lpString2="Ink" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink" [0090.571] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0090.571] GlobalMemoryStatus (in: lpBuffer=0x704fd08 | out: lpBuffer=0x704fd08) [0090.571] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10dd5f78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0090.572] CloseHandle (hObject=0x344) returned 1 [0090.572] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x704fd28 | out: lpFindFileData=0x704fd28) returned 1 [0090.572] lstrcmpW (lpString1=".", lpString2="MSEnv") returned -1 [0090.572] lstrcmpW (lpString1="..", lpString2="MSEnv") returned -1 [0090.572] lstrcmpiW (lpString1="windows", lpString2="MSEnv") returned 1 [0090.575] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*" [0090.575] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*") returned 60 [0090.575] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\", lpString2="MSEnv" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSEnv") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSEnv" [0090.575] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSEnv", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSEnv\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSEnv\\*.*" [0090.575] GlobalMemoryStatus (in: lpBuffer=0x704fd08 | out: lpBuffer=0x704fd08) [0090.576] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10dedfe0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0090.577] CloseHandle (hObject=0x344) returned 1 [0090.577] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x704fd28 | out: lpFindFileData=0x704fd28) returned 1 [0090.577] lstrcmpW (lpString1=".", lpString2="MSInfo") returned -1 [0090.577] lstrcmpW (lpString1="..", lpString2="MSInfo") returned -1 [0090.577] lstrcmpiW (lpString1="windows", lpString2="MSInfo") returned 1 [0090.580] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*" [0090.580] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*") returned 60 [0090.580] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\", lpString2="MSInfo" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo" [0090.580] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\*.*" [0090.581] GlobalMemoryStatus (in: lpBuffer=0x704fd08 | out: lpBuffer=0x704fd08) [0090.581] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10e06048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0090.581] CloseHandle (hObject=0x344) returned 1 [0090.582] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x704fd28 | out: lpFindFileData=0x704fd28) returned 1 [0090.582] lstrcmpW (lpString1=".", lpString2="Stationery") returned -1 [0090.582] lstrcmpW (lpString1="..", lpString2="Stationery") returned -1 [0090.582] lstrcmpiW (lpString1="windows", lpString2="Stationery") returned 1 [0090.585] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*" [0090.585] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*") returned 60 [0090.585] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\", lpString2="Stationery" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery" [0090.585] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0090.585] GlobalMemoryStatus (in: lpBuffer=0x704fd08 | out: lpBuffer=0x704fd08) [0090.585] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10e1e0b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0090.586] CloseHandle (hObject=0x344) returned 1 [0090.586] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x704fd28 | out: lpFindFileData=0x704fd28) returned 1 [0090.586] lstrcmpW (lpString1=".", lpString2="TextConv") returned -1 [0090.586] lstrcmpW (lpString1="..", lpString2="TextConv") returned -1 [0090.586] lstrcmpiW (lpString1="windows", lpString2="TextConv") returned 1 [0090.589] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*" [0090.589] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*") returned 60 [0090.589] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\", lpString2="TextConv" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv" [0090.589] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv\\*.*" [0090.589] GlobalMemoryStatus (in: lpBuffer=0x704fd08 | out: lpBuffer=0x704fd08) [0090.589] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10e36118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0090.590] CloseHandle (hObject=0x344) returned 1 [0090.590] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x704fd28 | out: lpFindFileData=0x704fd28) returned 1 [0090.590] lstrcmpW (lpString1=".", lpString2="Triedit") returned -1 [0090.590] lstrcmpW (lpString1="..", lpString2="Triedit") returned -1 [0090.590] lstrcmpiW (lpString1="windows", lpString2="Triedit") returned 1 [0090.594] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*" [0090.594] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*") returned 60 [0090.594] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\", lpString2="Triedit" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Triedit") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Triedit" [0090.594] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Triedit", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Triedit\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Triedit\\*.*" [0090.594] GlobalMemoryStatus (in: lpBuffer=0x704fd08 | out: lpBuffer=0x704fd08) [0090.594] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10e4e180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0090.595] CloseHandle (hObject=0x344) returned 1 [0090.595] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x704fd28 | out: lpFindFileData=0x704fd28) returned 1 [0090.595] lstrcmpW (lpString1=".", lpString2="VC") returned -1 [0090.595] lstrcmpW (lpString1="..", lpString2="VC") returned -1 [0090.595] lstrcmpiW (lpString1="windows", lpString2="VC") returned 1 [0090.599] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*" [0090.599] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*") returned 60 [0090.599] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\", lpString2="VC" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC" [0090.599] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\*.*" [0090.599] GlobalMemoryStatus (in: lpBuffer=0x704fd08 | out: lpBuffer=0x704fd08) [0090.599] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10e661e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0090.600] CloseHandle (hObject=0x344) returned 1 [0090.600] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x704fd28 | out: lpFindFileData=0x704fd28) returned 1 [0090.600] lstrcmpW (lpString1=".", lpString2="VGX") returned -1 [0090.600] lstrcmpW (lpString1="..", lpString2="VGX") returned -1 [0090.600] lstrcmpiW (lpString1="windows", lpString2="VGX") returned 1 [0090.603] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*" [0090.603] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*") returned 60 [0090.603] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\", lpString2="VGX" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX" [0090.603] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\*.*" [0090.603] GlobalMemoryStatus (in: lpBuffer=0x704fd08 | out: lpBuffer=0x704fd08) [0090.603] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10e7e250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0090.607] CloseHandle (hObject=0x344) returned 1 [0090.607] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x704fd28 | out: lpFindFileData=0x704fd28) returned 1 [0090.607] lstrcmpW (lpString1=".", lpString2="VSTA") returned -1 [0090.994] lstrcmpW (lpString1="..", lpString2="VSTA") returned -1 [0090.994] lstrcmpiW (lpString1="windows", lpString2="VSTA") returned 1 [0091.057] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*" [0091.057] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*") returned 60 [0091.057] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\", lpString2="VSTA" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA" [0091.057] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\*.*" [0091.057] GlobalMemoryStatus (in: lpBuffer=0x704fd08 | out: lpBuffer=0x704fd08) [0091.058] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5b68810, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2e0 [0091.058] CloseHandle (hObject=0x2e0) returned 1 [0091.058] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x704fd28 | out: lpFindFileData=0x704fd28) returned 1 [0091.058] lstrcmpW (lpString1=".", lpString2="VSTO") returned -1 [0091.058] lstrcmpW (lpString1="..", lpString2="VSTO") returned -1 [0091.058] lstrcmpiW (lpString1="windows", lpString2="VSTO") returned 1 [0091.058] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*" [0091.058] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*.*") returned 60 [0091.058] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\", lpString2="VSTO" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO" [0091.058] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\*.*" [0091.059] GlobalMemoryStatus (in: lpBuffer=0x704fd08 | out: lpBuffer=0x704fd08) [0091.059] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8850048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2e0 [0091.059] CloseHandle (hObject=0x2e0) returned 1 [0091.059] FindNextFileW (in: hFindFile=0x5c8890, lpFindFileData=0x704fd28 | out: lpFindFileData=0x704fd28) returned 0 [0091.059] FindClose (in: hFindFile=0x5c8890 | out: hFindFile=0x5c8890) returned 1 Thread: id = 120 os_tid = 0xed8 [0090.607] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\*.*", lpFindFileData=0x718fd28 | out: lpFindFileData=0x718fd28) returned 0x5c8c50 [0090.652] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.652] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x718fd28 | out: lpFindFileData=0x718fd28) returned 1 [0090.653] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.653] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.653] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x718fd28 | out: lpFindFileData=0x718fd28) returned 1 [0090.653] lstrcpyW (in: lpString1=0x3db8250, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\*.*" [0090.653] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\*.*") returned 52 [0090.653] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\How To Restore Files.hta" [0090.653] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\services\\how to restore files.hta")) returned 0xffffffff [0090.653] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\services\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0090.653] WriteFile (in: hFile=0x308, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x718fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x718fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0090.655] CloseHandle (hObject=0x308) returned 1 [0090.655] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0091.055] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="verisign.bmp") returned -1 [0091.055] lstrlenW (lpString="verisign.bmp") returned 12 [0091.055] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\*.*" [0091.055] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\*.*") returned 52 [0091.055] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\", lpString2="verisign.bmp" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp" [0091.055] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp" [0091.055] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp id-Br3n0G72wUb8CejT.LyaS" [0091.055] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files (x86)\\common files\\services\\verisign.bmp"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\services\\verisign.bmp id-br3n0g72wub8cejt.lyas")) returned 1 [0091.056] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\services\\verisign.bmp id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0091.056] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\services\\verisign.bmp id-br3n0g72wub8cejt.lyas"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files (x86)\\common files\\services\\verisign.bmp")) returned 1 [0091.056] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x718fd28 | out: lpFindFileData=0x718fd28) returned 0 [0091.056] FindClose (in: hFindFile=0x5c8c50 | out: hFindFile=0x5c8c50) returned 1 Thread: id = 121 os_tid = 0xee4 [0090.608] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*", lpFindFileData=0x72cfd28 | out: lpFindFileData=0x72cfd28) returned 0x5c8f10 [0090.940] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.940] FindNextFileW (in: hFindFile=0x5c8f10, lpFindFileData=0x72cfd28 | out: lpFindFileData=0x72cfd28) returned 1 [0090.940] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.941] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.941] FindNextFileW (in: hFindFile=0x5c8f10, lpFindFileData=0x72cfd28 | out: lpFindFileData=0x72cfd28) returned 1 [0090.941] lstrcmpW (lpString1=".", lpString2="ado") returned -1 [0090.941] lstrcmpW (lpString1="..", lpString2="ado") returned -1 [0090.941] lstrcmpiW (lpString1="windows", lpString2="ado") returned 1 [0092.988] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" [0092.988] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned 50 [0092.988] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\", lpString2="ado" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado" [0092.988] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0092.988] GlobalMemoryStatus (in: lpBuffer=0x72cfd08 | out: lpBuffer=0x72cfd08) [0092.989] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x88e02b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x588 [0092.989] CloseHandle (hObject=0x588) returned 1 [0092.990] FindNextFileW (in: hFindFile=0x5c8f10, lpFindFileData=0x72cfd28 | out: lpFindFileData=0x72cfd28) returned 1 [0092.990] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" [0092.990] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned 50 [0092.990] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\How To Restore Files.hta" [0092.990] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\how to restore files.hta")) returned 0xffffffff [0092.990] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x588 [0092.991] WriteFile (in: hFile=0x588, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x72cfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x72cfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0092.992] CloseHandle (hObject=0x588) returned 1 [0092.992] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0092.993] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="DirectDB.dll") returned 1 [0092.993] lstrlenW (lpString="DirectDB.dll") returned 12 [0092.993] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" [0092.993] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned 50 [0092.993] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\", lpString2="DirectDB.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll" [0092.993] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll" [0092.993] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll id-Br3n0G72wUb8CejT.LyaS" [0092.993] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll" (normalized: "c:\\program files (x86)\\common files\\system\\directdb.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\directdb.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0092.994] FindNextFileW (in: hFindFile=0x5c8f10, lpFindFileData=0x72cfd28 | out: lpFindFileData=0x72cfd28) returned 1 [0092.994] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0092.994] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0092.994] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0092.994] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" [0092.994] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned 50 [0092.994] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US" [0092.995] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\*.*" [0092.995] GlobalMemoryStatus (in: lpBuffer=0x72cfd08 | out: lpBuffer=0x72cfd08) [0092.995] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x88b01e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x588 [0092.996] CloseHandle (hObject=0x588) returned 1 [0092.996] FindNextFileW (in: hFindFile=0x5c8f10, lpFindFileData=0x72cfd28 | out: lpFindFileData=0x72cfd28) returned 1 [0092.996] lstrcmpW (lpString1=".", lpString2="msadc") returned -1 [0092.996] lstrcmpW (lpString1="..", lpString2="msadc") returned -1 [0092.996] lstrcmpiW (lpString1="windows", lpString2="msadc") returned 1 [0092.996] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" [0092.996] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned 50 [0092.996] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\", lpString2="msadc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc" [0092.996] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0092.996] GlobalMemoryStatus (in: lpBuffer=0x72cfd08 | out: lpBuffer=0x72cfd08) [0092.996] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10728730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x588 [0092.997] CloseHandle (hObject=0x588) returned 1 [0092.997] FindNextFileW (in: hFindFile=0x5c8f10, lpFindFileData=0x72cfd28 | out: lpFindFileData=0x72cfd28) returned 1 [0092.997] lstrcmpW (lpString1=".", lpString2="Ole DB") returned -1 [0092.997] lstrcmpW (lpString1="..", lpString2="Ole DB") returned -1 [0092.997] lstrcmpiW (lpString1="windows", lpString2="Ole DB") returned 1 [0092.997] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" [0092.997] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned 50 [0092.997] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\", lpString2="Ole DB" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB" [0092.997] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0092.998] GlobalMemoryStatus (in: lpBuffer=0x72cfd08 | out: lpBuffer=0x72cfd08) [0092.998] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10740798, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x588 [0092.998] CloseHandle (hObject=0x588) returned 1 [0092.999] FindNextFileW (in: hFindFile=0x5c8f10, lpFindFileData=0x72cfd28 | out: lpFindFileData=0x72cfd28) returned 1 [0092.999] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" [0092.999] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned 50 [0092.999] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\How To Restore Files.hta" [0092.999] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\how to restore files.hta")) returned 0x1 [0092.999] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wab32.dll") returned -1 [0092.999] lstrlenW (lpString="wab32.dll") returned 9 [0092.999] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" [0092.999] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned 50 [0093.000] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\", lpString2="wab32.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32.dll" [0093.000] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32.dll" [0093.000] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32.dll id-Br3n0G72wUb8CejT.LyaS" [0093.000] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32.dll" (normalized: "c:\\program files (x86)\\common files\\system\\wab32.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\wab32.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0093.001] FindNextFileW (in: hFindFile=0x5c8f10, lpFindFileData=0x72cfd28 | out: lpFindFileData=0x72cfd28) returned 1 [0093.001] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" [0093.001] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned 50 [0093.001] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\How To Restore Files.hta" [0093.001] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\how to restore files.hta")) returned 0x1 [0093.001] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wab32res.dll") returned -1 [0093.001] lstrlenW (lpString="wab32res.dll") returned 12 [0093.002] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" [0093.002] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned 50 [0093.002] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\", lpString2="wab32res.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32res.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32res.dll" [0093.002] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32res.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32res.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32res.dll" [0093.002] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32res.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32res.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32res.dll id-Br3n0G72wUb8CejT.LyaS" [0093.002] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32res.dll" (normalized: "c:\\program files (x86)\\common files\\system\\wab32res.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32res.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\wab32res.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0093.003] FindNextFileW (in: hFindFile=0x5c8f10, lpFindFileData=0x72cfd28 | out: lpFindFileData=0x72cfd28) returned 0 [0093.003] FindClose (in: hFindFile=0x5c8f10 | out: hFindFile=0x5c8f10) returned 1 Thread: id = 122 os_tid = 0xeec [0090.609] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*", lpFindFileData=0x36ffd28 | out: lpFindFileData=0x36ffd28) returned 0x5c8c10 [0090.609] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.609] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x36ffd28 | out: lpFindFileData=0x36ffd28) returned 1 [0090.609] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.609] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.609] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x36ffd28 | out: lpFindFileData=0x36ffd28) returned 1 [0090.609] lstrcmpW (lpString1=".", lpString2="8C296B8E-6699-457C-9415-3D0647E1D775") returned -1 [0090.609] lstrcmpW (lpString1="..", lpString2="8C296B8E-6699-457C-9415-3D0647E1D775") returned -1 [0090.609] lstrcmpiW (lpString1="windows", lpString2="8C296B8E-6699-457C-9415-3D0647E1D775") returned 1 [0090.612] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" [0090.612] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned 43 [0090.612] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\", lpString2="8C296B8E-6699-457C-9415-3D0647E1D775" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775" [0090.613] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\*.*" [0090.613] GlobalMemoryStatus (in: lpBuffer=0x36ffd08 | out: lpBuffer=0x36ffd08) [0090.613] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10e962b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2e0 [0090.613] CloseHandle (hObject=0x2e0) returned 1 [0090.614] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x36ffd28 | out: lpFindFileData=0x36ffd28) returned 1 [0090.614] lstrcmpW (lpString1=".", lpString2="9D76938C-943D-439F-A135-26D02821EE05") returned -1 [0090.614] lstrcmpW (lpString1="..", lpString2="9D76938C-943D-439F-A135-26D02821EE05") returned -1 [0090.614] lstrcmpiW (lpString1="windows", lpString2="9D76938C-943D-439F-A135-26D02821EE05") returned 1 [0090.617] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" [0090.617] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned 43 [0090.617] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\", lpString2="9D76938C-943D-439F-A135-26D02821EE05" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05" [0090.617] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\*.*" [0090.617] GlobalMemoryStatus (in: lpBuffer=0x36ffd08 | out: lpBuffer=0x36ffd08) [0090.618] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10eae320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2e0 [0090.619] CloseHandle (hObject=0x2e0) returned 1 [0090.619] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x36ffd28 | out: lpFindFileData=0x36ffd28) returned 1 [0090.619] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" [0090.619] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned 43 [0090.619] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\How To Restore Files.hta" [0090.619] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\how to restore files.hta")) returned 0xffffffff [0090.619] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0090.650] WriteFile (in: hFile=0x2e0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x36ffcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x36ffcf0*=0x38e, lpOverlapped=0x0) returned 1 [0090.651] CloseHandle (hObject=0x2e0) returned 1 [0090.651] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0090.681] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="DeploymentConfig.0.xml") returned 1 [0090.681] lstrlenW (lpString="DeploymentConfig.0.xml") returned 22 [0090.682] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" [0090.682] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned 43 [0090.682] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\", lpString2="DeploymentConfig.0.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml" [0090.682] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml" [0090.682] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml id-Br3n0G72wUb8CejT.LyaS" [0090.682] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.0.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.0.xml id-br3n0g72wub8cejt.lyas")) returned 1 [0090.682] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.0.xml id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0090.683] CreateFileMappingA (hFile=0x30c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x32c [0090.683] CryptAcquireContextA (in: phProv=0x36ffce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x36ffce4*=0x5d0d88) returned 1 [0090.683] CryptGenKey (in: hProv=0x5d0d88, Algid=0x6610, dwFlags=0x1, phKey=0x36ffce0 | out: phKey=0x36ffce0*=0x5c8910) returned 1 [0090.683] CryptExportKey (in: hKey=0x5c8910, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x36ffbdc, pdwDataLen=0x36ffcdc | out: pbData=0x36ffbdc*, pdwDataLen=0x36ffcdc*=0x2c) returned 1 [0090.683] MapViewOfFile (hFileMappingObject=0x32c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7a0) returned 0x31e0000 [0093.162] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x36ffbdc*, pdwDataLen=0x36ffcf0*=0x40, dwBufLen=0x100 | out: pbData=0x36ffbdc*, pdwDataLen=0x36ffcf0*=0x100) returned 1 [0093.162] CryptEncrypt (in: hKey=0x5c8910, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x31e0000*, pdwDataLen=0x36ffcdc*=0x7a0, dwBufLen=0x7a0 | out: pbData=0x31e0000*, pdwDataLen=0x36ffcdc*=0x7a0) returned 1 [0094.182] UnmapViewOfFile (lpBaseAddress=0x31e0000) returned 1 [0094.182] CloseHandle (hObject=0x32c) returned 1 [0094.182] CryptDestroyKey (hKey=0x5c8910) returned 1 [0094.182] CryptReleaseContext (hProv=0x5d0d88, dwFlags=0x0) returned 1 [0094.182] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.182] WriteFile (in: hFile=0x30c, lpBuffer=0x36ffbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x36ffcf0, lpOverlapped=0x0 | out: lpBuffer=0x36ffbdc*, lpNumberOfBytesWritten=0x36ffcf0*=0x100, lpOverlapped=0x0) returned 1 [0094.402] WriteFile (in: hFile=0x30c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x36ffcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x36ffcf0*=0x500, lpOverlapped=0x0) returned 1 [0094.402] CloseHandle (hObject=0x30c) returned 1 [0094.408] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0094.508] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x36ffd28 | out: lpFindFileData=0x36ffd28) returned 1 [0095.339] lstrcpyW (in: lpString1=0x3e1c358, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" [0095.339] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned 43 [0095.339] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\How To Restore Files.hta" [0095.339] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\how to restore files.hta")) returned 0x1 [0095.339] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="DeploymentConfig.1.xml") returned 1 [0095.339] lstrlenW (lpString="DeploymentConfig.1.xml") returned 22 [0095.339] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" [0095.339] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned 43 [0095.339] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\", lpString2="DeploymentConfig.1.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml" [0095.339] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml" [0095.339] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml id-Br3n0G72wUb8CejT.LyaS" [0095.339] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.1.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.1.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0095.339] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x36ffd28 | out: lpFindFileData=0x36ffd28) returned 1 [0095.339] lstrcpyW (in: lpString1=0x3e1c358, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" [0095.340] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned 43 [0095.340] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\How To Restore Files.hta" [0095.340] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\how to restore files.hta")) returned 0x1 [0095.340] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="DeploymentConfig.2.xml") returned 1 [0095.340] lstrlenW (lpString="DeploymentConfig.2.xml") returned 22 [0095.340] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" [0095.340] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned 43 [0095.340] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\", lpString2="DeploymentConfig.2.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml" [0095.340] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml" [0095.340] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml id-Br3n0G72wUb8CejT.LyaS" [0095.340] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.2.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.2.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0095.340] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x36ffd28 | out: lpFindFileData=0x36ffd28) returned 1 [0095.340] lstrcmpW (lpString1=".", lpString2="MachineData") returned -1 [0095.340] lstrcmpW (lpString1="..", lpString2="MachineData") returned -1 [0095.340] lstrcmpiW (lpString1="windows", lpString2="MachineData") returned 1 [0095.341] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" [0095.341] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned 43 [0095.341] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\", lpString2="MachineData" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData" [0095.341] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\*.*" [0095.341] GlobalMemoryStatus (in: lpBuffer=0x36ffd08 | out: lpBuffer=0x36ffd08) [0095.341] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8f01cc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x28c [0095.342] CloseHandle (hObject=0x28c) returned 1 [0095.342] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x36ffd28 | out: lpFindFileData=0x36ffd28) returned 1 [0095.342] lstrcmpW (lpString1=".", lpString2="ProductReleases") returned -1 [0095.342] lstrcmpW (lpString1="..", lpString2="ProductReleases") returned -1 [0095.342] lstrcmpiW (lpString1="windows", lpString2="ProductReleases") returned 1 [0095.342] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" [0095.342] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned 43 [0095.342] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\", lpString2="ProductReleases" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases" [0095.342] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\*.*" [0095.342] GlobalMemoryStatus (in: lpBuffer=0x36ffd08 | out: lpBuffer=0x36ffd08) [0095.342] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10c39888, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x28c [0095.343] CloseHandle (hObject=0x28c) returned 1 [0095.343] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x36ffd28 | out: lpFindFileData=0x36ffd28) returned 1 [0095.343] lstrcmpW (lpString1=".", lpString2="UserData") returned -1 [0095.343] lstrcmpW (lpString1="..", lpString2="UserData") returned -1 [0095.343] lstrcmpiW (lpString1="windows", lpString2="UserData") returned 1 [0095.343] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" [0095.343] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned 43 [0095.343] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\", lpString2="UserData" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData" [0095.343] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\*.*" [0095.343] GlobalMemoryStatus (in: lpBuffer=0x36ffd08 | out: lpBuffer=0x36ffd08) [0095.343] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5bc89b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x28c [0095.344] CloseHandle (hObject=0x28c) returned 1 [0095.344] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x36ffd28 | out: lpFindFileData=0x36ffd28) returned 1 [0095.344] lstrcmpW (lpString1=".", lpString2="{9AC08E99-230B-47e8-9721-4577B7F124EA}") returned -1 [0095.344] lstrcmpW (lpString1="..", lpString2="{9AC08E99-230B-47e8-9721-4577B7F124EA}") returned -1 [0095.344] lstrcmpiW (lpString1="windows", lpString2="{9AC08E99-230B-47e8-9721-4577B7F124EA}") returned 1 [0095.344] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*" [0095.344] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*.*") returned 43 [0095.344] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\", lpString2="{9AC08E99-230B-47e8-9721-4577B7F124EA}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}" [0095.344] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*.*" [0095.344] GlobalMemoryStatus (in: lpBuffer=0x36ffd08 | out: lpBuffer=0x36ffd08) [0095.344] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8fc2000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x28c [0095.345] CloseHandle (hObject=0x28c) returned 1 [0095.345] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x36ffd28 | out: lpFindFileData=0x36ffd28) returned 0 [0095.345] FindClose (in: hFindFile=0x5c8c10 | out: hFindFile=0x5c8c10) returned 1 Thread: id = 123 os_tid = 0xee8 [0090.620] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*", lpFindFileData=0x740fd28 | out: lpFindFileData=0x740fd28) returned 0x5c8c50 [0090.620] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.620] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x740fd28 | out: lpFindFileData=0x740fd28) returned 1 [0090.620] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.620] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.620] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x740fd28 | out: lpFindFileData=0x740fd28) returned 1 [0090.620] lstrcmpW (lpString1=".", lpString2="DSS") returned -1 [0090.620] lstrcmpW (lpString1="..", lpString2="DSS") returned -1 [0090.621] lstrcmpiW (lpString1="windows", lpString2="DSS") returned 1 [0090.624] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*" [0090.624] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*") returned 39 [0090.624] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\", lpString2="DSS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS" [0090.624] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*.*" [0090.624] GlobalMemoryStatus (in: lpBuffer=0x740fd08 | out: lpBuffer=0x740fd08) [0090.624] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10ec6388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0090.625] CloseHandle (hObject=0x308) returned 1 [0090.625] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x740fd28 | out: lpFindFileData=0x740fd28) returned 1 [0090.625] lstrcmpW (lpString1=".", lpString2="Keys") returned -1 [0090.625] lstrcmpW (lpString1="..", lpString2="Keys") returned -1 [0090.625] lstrcmpiW (lpString1="windows", lpString2="Keys") returned 1 [0090.632] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*" [0090.632] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*") returned 39 [0090.632] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\", lpString2="Keys" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys" [0090.632] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*.*" [0090.632] GlobalMemoryStatus (in: lpBuffer=0x740fd08 | out: lpBuffer=0x740fd08) [0090.632] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10ede3f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0090.633] CloseHandle (hObject=0x308) returned 1 [0090.633] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x740fd28 | out: lpFindFileData=0x740fd28) returned 1 [0090.633] lstrcmpW (lpString1=".", lpString2="PCPKSP") returned -1 [0090.633] lstrcmpW (lpString1="..", lpString2="PCPKSP") returned -1 [0090.633] lstrcmpiW (lpString1="windows", lpString2="PCPKSP") returned 1 [0090.636] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*" [0090.636] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*") returned 39 [0090.636] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\", lpString2="PCPKSP" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP" [0090.636] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\*.*" [0090.636] GlobalMemoryStatus (in: lpBuffer=0x740fd08 | out: lpBuffer=0x740fd08) [0090.636] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10ef6458, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0090.637] CloseHandle (hObject=0x308) returned 1 [0090.637] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x740fd28 | out: lpFindFileData=0x740fd28) returned 1 [0090.637] lstrcmpW (lpString1=".", lpString2="RSA") returned -1 [0090.637] lstrcmpW (lpString1="..", lpString2="RSA") returned -1 [0090.637] lstrcmpiW (lpString1="windows", lpString2="RSA") returned 1 [0090.641] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*" [0090.641] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*") returned 39 [0090.641] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\", lpString2="RSA" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA" [0090.641] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*.*" [0090.641] GlobalMemoryStatus (in: lpBuffer=0x740fd08 | out: lpBuffer=0x740fd08) [0090.641] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10f0e4c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0090.642] CloseHandle (hObject=0x308) returned 1 [0090.642] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x740fd28 | out: lpFindFileData=0x740fd28) returned 1 [0090.642] lstrcmpW (lpString1=".", lpString2="SystemKeys") returned -1 [0090.642] lstrcmpW (lpString1="..", lpString2="SystemKeys") returned -1 [0090.642] lstrcmpiW (lpString1="windows", lpString2="SystemKeys") returned 1 [0090.645] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*" [0090.645] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*") returned 39 [0090.645] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\", lpString2="SystemKeys" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys" [0090.645] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\*.*" [0090.645] GlobalMemoryStatus (in: lpBuffer=0x740fd08 | out: lpBuffer=0x740fd08) [0090.646] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10f26528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0090.646] CloseHandle (hObject=0x308) returned 1 [0090.646] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x740fd28 | out: lpFindFileData=0x740fd28) returned 0 [0090.647] FindClose (in: hFindFile=0x5c8c50 | out: hFindFile=0x5c8c50) returned 1 Thread: id = 124 os_tid = 0xee0 [0090.648] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\*.*", lpFindFileData=0x754fd28 | out: lpFindFileData=0x754fd28) returned 0x5c8510 [0090.674] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.674] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x754fd28 | out: lpFindFileData=0x754fd28) returned 1 [0090.674] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.674] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.674] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x754fd28 | out: lpFindFileData=0x754fd28) returned 1 [0090.674] lstrcmpW (lpString1=".", lpString2="PaidWiFi") returned -1 [0090.674] lstrcmpW (lpString1="..", lpString2="PaidWiFi") returned -1 [0090.674] lstrcmpiW (lpString1="windows", lpString2="PaidWiFi") returned 1 [0090.674] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\*.*" [0090.674] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\*.*") returned 41 [0090.674] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\", lpString2="PaidWiFi" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi" [0090.675] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi\\*.*" [0090.675] GlobalMemoryStatus (in: lpBuffer=0x754fd08 | out: lpBuffer=0x754fd08) [0090.675] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5bb0948, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x32c [0090.675] CloseHandle (hObject=0x32c) returned 1 [0090.675] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x754fd28 | out: lpFindFileData=0x754fd28) returned 0 [0090.675] FindClose (in: hFindFile=0x5c8510 | out: hFindFile=0x5c8510) returned 1 Thread: id = 125 os_tid = 0xef0 [0090.648] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*.*", lpFindFileData=0x768fd28 | out: lpFindFileData=0x768fd28) returned 0x5c8510 [0090.663] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.663] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x768fd28 | out: lpFindFileData=0x768fd28) returned 1 [0090.663] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.663] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.663] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x768fd28 | out: lpFindFileData=0x768fd28) returned 1 [0090.663] lstrcmpW (lpString1=".", lpString2="Device") returned -1 [0090.663] lstrcmpW (lpString1="..", lpString2="Device") returned -1 [0090.663] lstrcmpiW (lpString1="windows", lpString2="Device") returned 1 [0090.664] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*.*" [0090.664] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*.*") returned 45 [0090.664] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\", lpString2="Device" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device" [0090.664] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*.*" [0090.664] GlobalMemoryStatus (in: lpBuffer=0x768fd08 | out: lpBuffer=0x768fd08) [0090.664] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5c28b50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x32c [0090.665] CloseHandle (hObject=0x32c) returned 1 [0090.665] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x768fd28 | out: lpFindFileData=0x768fd28) returned 1 [0090.665] lstrcmpW (lpString1=".", lpString2="Task") returned -1 [0090.665] lstrcmpW (lpString1="..", lpString2="Task") returned -1 [0090.665] lstrcmpiW (lpString1="windows", lpString2="Task") returned 1 [0090.668] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*.*" [0090.668] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*.*") returned 45 [0090.668] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\", lpString2="Task" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task" [0090.668] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*.*" [0090.668] GlobalMemoryStatus (in: lpBuffer=0x768fd08 | out: lpBuffer=0x768fd08) [0090.668] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10f3e590, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x32c [0090.673] CloseHandle (hObject=0x32c) returned 1 [0090.673] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x768fd28 | out: lpFindFileData=0x768fd28) returned 0 [0090.673] FindClose (in: hFindFile=0x5c8510 | out: hFindFile=0x5c8510) returned 1 Thread: id = 126 os_tid = 0xf04 [0090.649] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*.*", lpFindFileData=0x77cfd28 | out: lpFindFileData=0x77cfd28) returned 0x5c8d10 [0090.744] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.744] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x77cfd28 | out: lpFindFileData=0x77cfd28) returned 1 [0090.744] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.744] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.745] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x77cfd28 | out: lpFindFileData=0x77cfd28) returned 0 [0090.745] FindClose (in: hFindFile=0x5c8d10 | out: hFindFile=0x5c8d10) returned 1 Thread: id = 127 os_tid = 0xef8 [0090.651] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*", lpFindFileData=0x790fd28 | out: lpFindFileData=0x790fd28) returned 0x5c8d50 [0090.864] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.864] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x790fd28 | out: lpFindFileData=0x790fd28) returned 1 [0090.865] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.865] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.865] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x790fd28 | out: lpFindFileData=0x790fd28) returned 1 [0090.865] lstrcmpW (lpString1=".", lpString2="AsimovUploader") returned -1 [0090.865] lstrcmpW (lpString1="..", lpString2="AsimovUploader") returned -1 [0090.865] lstrcmpiW (lpString1="windows", lpString2="AsimovUploader") returned 1 [0090.865] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" [0090.865] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned 42 [0090.865] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\", lpString2="AsimovUploader" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader" [0090.865] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\*.*" [0090.865] GlobalMemoryStatus (in: lpBuffer=0x790fd08 | out: lpBuffer=0x790fd08) [0090.865] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5c88cf0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0090.866] CloseHandle (hObject=0x378) returned 1 [0090.866] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x790fd28 | out: lpFindFileData=0x790fd28) returned 1 [0090.866] lstrcmpW (lpString1=".", lpString2="DownloadedScenarios") returned -1 [0090.866] lstrcmpW (lpString1="..", lpString2="DownloadedScenarios") returned -1 [0090.866] lstrcmpiW (lpString1="windows", lpString2="DownloadedScenarios") returned 1 [0090.869] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" [0090.869] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned 42 [0090.869] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\", lpString2="DownloadedScenarios" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios" [0090.869] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" [0090.869] GlobalMemoryStatus (in: lpBuffer=0x790fd08 | out: lpBuffer=0x790fd08) [0090.869] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10f866c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0090.869] CloseHandle (hObject=0x378) returned 1 [0090.869] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x790fd28 | out: lpFindFileData=0x790fd28) returned 1 [0090.869] lstrcmpW (lpString1=".", lpString2="DownloadedSettings") returned -1 [0090.869] lstrcmpW (lpString1="..", lpString2="DownloadedSettings") returned -1 [0090.869] lstrcmpiW (lpString1="windows", lpString2="DownloadedSettings") returned 1 [0090.872] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" [0090.872] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned 42 [0090.872] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\", lpString2="DownloadedSettings" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings" [0090.872] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*" [0090.872] GlobalMemoryStatus (in: lpBuffer=0x790fd08 | out: lpBuffer=0x790fd08) [0090.872] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10f9e730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0090.872] CloseHandle (hObject=0x378) returned 1 [0090.873] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x790fd28 | out: lpFindFileData=0x790fd28) returned 1 [0090.873] lstrcmpW (lpString1=".", lpString2="ETLLogs") returned -1 [0090.873] lstrcmpW (lpString1="..", lpString2="ETLLogs") returned -1 [0090.873] lstrcmpiW (lpString1="windows", lpString2="ETLLogs") returned 1 [0090.874] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" [0090.874] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned 42 [0090.874] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\", lpString2="ETLLogs" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs" [0090.874] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\*.*" [0090.874] GlobalMemoryStatus (in: lpBuffer=0x790fd08 | out: lpBuffer=0x790fd08) [0090.874] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10fb6798, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x378 [0090.874] CloseHandle (hObject=0x378) returned 1 [0090.874] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x790fd28 | out: lpFindFileData=0x790fd28) returned 1 [0090.874] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" [0090.874] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned 42 [0090.874] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\How To Restore Files.hta" [0090.874] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\how to restore files.hta")) returned 0xffffffff [0090.874] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0090.943] WriteFile (in: hFile=0x390, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x790fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x790fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0090.944] CloseHandle (hObject=0x390) returned 1 [0090.944] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0092.821] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="events00.rbs") returned 1 [0092.822] lstrlenW (lpString="events00.rbs") returned 12 [0092.822] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" [0092.822] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned 42 [0092.822] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\", lpString2="events00.rbs" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events00.rbs") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events00.rbs" [0092.822] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events00.rbs" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events00.rbs") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events00.rbs" [0092.822] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events00.rbs", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events00.rbs id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events00.rbs id-Br3n0G72wUb8CejT.LyaS" [0092.822] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events00.rbs" (normalized: "c:\\programdata\\microsoft\\diagnosis\\events00.rbs"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events00.rbs id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\diagnosis\\events00.rbs id-br3n0g72wub8cejt.lyas")) returned 0 [0093.425] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x790fd28 | out: lpFindFileData=0x790fd28) returned 1 [0093.615] lstrcpyW (in: lpString1=0x20e20388, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" [0093.615] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned 42 [0093.615] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\How To Restore Files.hta" [0093.615] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\how to restore files.hta")) returned 0x1 [0093.615] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="events01.rbs") returned 1 [0093.615] lstrlenW (lpString="events01.rbs") returned 12 [0093.615] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" [0093.615] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned 42 [0093.615] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\", lpString2="events01.rbs" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events01.rbs") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events01.rbs" [0093.616] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events01.rbs" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events01.rbs") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events01.rbs" [0093.616] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events01.rbs", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events01.rbs id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events01.rbs id-Br3n0G72wUb8CejT.LyaS" [0093.616] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events01.rbs" (normalized: "c:\\programdata\\microsoft\\diagnosis\\events01.rbs"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events01.rbs id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\diagnosis\\events01.rbs id-br3n0g72wub8cejt.lyas")) returned 0 [0093.616] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x790fd28 | out: lpFindFileData=0x790fd28) returned 1 [0093.616] lstrcpyW (in: lpString1=0x20e20388, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" [0093.616] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned 42 [0093.616] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\How To Restore Files.hta" [0093.616] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\how to restore files.hta")) returned 0x1 [0093.616] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="events10.rbs") returned 1 [0093.616] lstrlenW (lpString="events10.rbs") returned 12 [0093.616] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" [0093.616] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned 42 [0093.616] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\", lpString2="events10.rbs" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events10.rbs") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events10.rbs" [0093.616] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events10.rbs" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events10.rbs") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events10.rbs" [0093.616] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events10.rbs", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events10.rbs id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events10.rbs id-Br3n0G72wUb8CejT.LyaS" [0093.616] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events10.rbs" (normalized: "c:\\programdata\\microsoft\\diagnosis\\events10.rbs"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events10.rbs id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\diagnosis\\events10.rbs id-br3n0g72wub8cejt.lyas")) returned 0 [0093.617] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x790fd28 | out: lpFindFileData=0x790fd28) returned 1 [0093.617] lstrcpyW (in: lpString1=0x20e20388, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" [0093.617] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned 42 [0093.617] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\How To Restore Files.hta" [0093.617] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\how to restore files.hta")) returned 0x1 [0093.617] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="events11.rbs") returned 1 [0093.617] lstrlenW (lpString="events11.rbs") returned 12 [0093.617] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" [0093.617] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned 42 [0093.617] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\", lpString2="events11.rbs" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events11.rbs") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events11.rbs" [0093.617] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events11.rbs" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events11.rbs") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events11.rbs" [0093.617] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events11.rbs", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events11.rbs id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events11.rbs id-Br3n0G72wUb8CejT.LyaS" [0093.617] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events11.rbs" (normalized: "c:\\programdata\\microsoft\\diagnosis\\events11.rbs"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events11.rbs id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\diagnosis\\events11.rbs id-br3n0g72wub8cejt.lyas")) returned 0 [0093.618] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x790fd28 | out: lpFindFileData=0x790fd28) returned 1 [0093.618] lstrcmpW (lpString1=".", lpString2="LocalTraceStore") returned -1 [0093.618] lstrcmpW (lpString1="..", lpString2="LocalTraceStore") returned -1 [0093.618] lstrcmpiW (lpString1="windows", lpString2="LocalTraceStore") returned 1 [0093.618] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" [0093.618] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned 42 [0093.618] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\", lpString2="LocalTraceStore" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore" [0093.618] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\*.*" [0093.618] GlobalMemoryStatus (in: lpBuffer=0x790fd08 | out: lpBuffer=0x790fd08) [0093.618] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10ffe8d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x620 [0093.619] CloseHandle (hObject=0x620) returned 1 [0093.619] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x790fd28 | out: lpFindFileData=0x790fd28) returned 1 [0093.619] lstrcpyW (in: lpString1=0x20e20388, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" [0093.619] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned 42 [0093.619] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\How To Restore Files.hta" [0093.619] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\how to restore files.hta")) returned 0x1 [0093.619] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="parse.dat") returned -1 [0093.619] lstrlenW (lpString="parse.dat") returned 9 [0093.619] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" [0093.619] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned 42 [0093.620] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\", lpString2="parse.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\parse.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\parse.dat" [0093.620] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\parse.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\parse.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\parse.dat" [0093.620] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\parse.dat", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\parse.dat id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\parse.dat id-Br3n0G72wUb8CejT.LyaS" [0093.620] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\parse.dat" (normalized: "c:\\programdata\\microsoft\\diagnosis\\parse.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\parse.dat id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\diagnosis\\parse.dat id-br3n0g72wub8cejt.lyas")) returned 0 [0093.620] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x790fd28 | out: lpFindFileData=0x790fd28) returned 1 [0093.620] lstrcmpW (lpString1=".", lpString2="Sideload") returned -1 [0093.620] lstrcmpW (lpString1="..", lpString2="Sideload") returned -1 [0093.620] lstrcmpiW (lpString1="windows", lpString2="Sideload") returned 1 [0093.620] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" [0093.620] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned 42 [0093.620] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\", lpString2="Sideload" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload" [0093.620] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\*.*" [0093.620] GlobalMemoryStatus (in: lpBuffer=0x790fd08 | out: lpBuffer=0x790fd08) [0093.620] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x114dbcd0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x620 [0093.621] CloseHandle (hObject=0x620) returned 1 [0093.621] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x790fd28 | out: lpFindFileData=0x790fd28) returned 1 [0093.621] lstrcmpW (lpString1=".", lpString2="Siufloc") returned -1 [0093.621] lstrcmpW (lpString1="..", lpString2="Siufloc") returned -1 [0093.621] lstrcmpiW (lpString1="windows", lpString2="Siufloc") returned 1 [0093.621] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" [0093.621] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned 42 [0093.621] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\", lpString2="Siufloc" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc" [0093.621] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\*.*" [0093.621] GlobalMemoryStatus (in: lpBuffer=0x790fd08 | out: lpBuffer=0x790fd08) [0093.621] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1152bda8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x620 [0093.622] CloseHandle (hObject=0x620) returned 1 [0093.622] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x790fd28 | out: lpFindFileData=0x790fd28) returned 1 [0093.622] lstrcmpW (lpString1=".", lpString2="SoftLanding") returned -1 [0093.622] lstrcmpW (lpString1="..", lpString2="SoftLanding") returned -1 [0093.622] lstrcmpiW (lpString1="windows", lpString2="SoftLanding") returned 1 [0093.626] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" [0093.626] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned 42 [0093.626] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\", lpString2="SoftLanding" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding" [0093.626] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\*.*" [0093.626] GlobalMemoryStatus (in: lpBuffer=0x790fd08 | out: lpBuffer=0x790fd08) [0093.626] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x20e20388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x620 [0093.627] CloseHandle (hObject=0x620) returned 1 [0093.627] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x790fd28 | out: lpFindFileData=0x790fd28) returned 1 [0093.627] lstrcmpW (lpString1=".", lpString2="SoftLandingStage") returned -1 [0093.627] lstrcmpW (lpString1="..", lpString2="SoftLandingStage") returned -1 [0093.627] lstrcmpiW (lpString1="windows", lpString2="SoftLandingStage") returned 1 [0093.631] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*" [0093.631] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*.*") returned 42 [0093.631] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\", lpString2="SoftLandingStage" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage" [0093.631] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\*.*" [0093.631] GlobalMemoryStatus (in: lpBuffer=0x790fd08 | out: lpBuffer=0x790fd08) [0093.631] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x20e383f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x620 [0093.631] CloseHandle (hObject=0x620) returned 1 [0093.631] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x790fd28 | out: lpFindFileData=0x790fd28) returned 0 [0093.632] FindClose (in: hFindFile=0x5c8d50 | out: hFindFile=0x5c8d50) returned 1 Thread: id = 128 os_tid = 0xed4 [0090.651] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*.*", lpFindFileData=0x7a4fd28 | out: lpFindFileData=0x7a4fd28) returned 0x5c8510 [0090.679] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.679] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x7a4fd28 | out: lpFindFileData=0x7a4fd28) returned 1 [0090.679] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.679] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.679] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x7a4fd28 | out: lpFindFileData=0x7a4fd28) returned 1 [0090.679] lstrcmpW (lpString1=".", lpString2="Server") returned -1 [0090.679] lstrcmpW (lpString1="..", lpString2="Server") returned -1 [0090.679] lstrcmpiW (lpString1="windows", lpString2="Server") returned 1 [0090.679] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*.*" [0090.679] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*.*") returned 36 [0090.679] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\", lpString2="Server" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server" [0090.679] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*.*" [0090.679] GlobalMemoryStatus (in: lpBuffer=0x7a4fd08 | out: lpBuffer=0x7a4fd08) [0090.679] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5c10ae8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x32c [0090.680] CloseHandle (hObject=0x32c) returned 1 [0090.680] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x7a4fd28 | out: lpFindFileData=0x7a4fd28) returned 0 [0090.680] FindClose (in: hFindFile=0x5c8510 | out: hFindFile=0x5c8510) returned 1 Thread: id = 129 os_tid = 0xed0 [0090.652] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*.*", lpFindFileData=0x7b8fd28 | out: lpFindFileData=0x7b8fd28) returned 0x5c8510 [0090.677] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.677] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x7b8fd28 | out: lpFindFileData=0x7b8fd28) returned 1 [0090.677] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.677] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.677] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x7b8fd28 | out: lpFindFileData=0x7b8fd28) returned 1 [0090.677] lstrcmpW (lpString1=".", lpString2="Views") returned -1 [0090.677] lstrcmpW (lpString1="..", lpString2="Views") returned -1 [0090.677] lstrcmpiW (lpString1="windows", lpString2="Views") returned 1 [0090.677] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*.*" [0090.677] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*.*") returned 45 [0090.677] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\", lpString2="Views" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views" [0090.677] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*.*" [0090.677] GlobalMemoryStatus (in: lpBuffer=0x7b8fd08 | out: lpBuffer=0x7b8fd08) [0090.677] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5b988e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x32c [0090.678] CloseHandle (hObject=0x32c) returned 1 [0090.678] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x7b8fd28 | out: lpFindFileData=0x7b8fd28) returned 0 [0090.678] FindClose (in: hFindFile=0x5c8510 | out: hFindFile=0x5c8510) returned 1 Thread: id = 130 os_tid = 0xedc [0090.652] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*", lpFindFileData=0x7ccfd28 | out: lpFindFileData=0x7ccfd28) returned 0x5c8510 [0090.659] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.659] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x7ccfd28 | out: lpFindFileData=0x7ccfd28) returned 1 [0090.659] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.659] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.659] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x7ccfd28 | out: lpFindFileData=0x7ccfd28) returned 1 [0090.659] lstrcmpW (lpString1=".", lpString2="INT") returned -1 [0090.659] lstrcmpW (lpString1="..", lpString2="INT") returned -1 [0090.659] lstrcmpiW (lpString1="windows", lpString2="INT") returned 1 [0090.659] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*" [0090.659] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*") returned 44 [0090.659] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\", lpString2="INT" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT" [0090.659] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\*.*" [0090.659] GlobalMemoryStatus (in: lpBuffer=0x7ccfd08 | out: lpBuffer=0x7ccfd08) [0090.659] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5c40bb8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0090.660] CloseHandle (hObject=0x30c) returned 1 [0090.660] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x7ccfd28 | out: lpFindFileData=0x7ccfd28) returned 1 [0090.660] lstrcmpW (lpString1=".", lpString2="production") returned -1 [0090.660] lstrcmpW (lpString1="..", lpString2="production") returned -1 [0090.660] lstrcmpiW (lpString1="windows", lpString2="production") returned 1 [0090.660] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*" [0090.660] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*") returned 44 [0090.660] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\", lpString2="production" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production" [0090.660] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\*.*" [0090.660] GlobalMemoryStatus (in: lpBuffer=0x7ccfd08 | out: lpBuffer=0x7ccfd08) [0090.660] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5990048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0090.661] CloseHandle (hObject=0x30c) returned 1 [0090.661] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x7ccfd28 | out: lpFindFileData=0x7ccfd28) returned 0 [0090.661] FindClose (in: hFindFile=0x5c8510 | out: hFindFile=0x5c8510) returned 1 Thread: id = 131 os_tid = 0xf54 [0090.655] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MapData\\*.*", lpFindFileData=0x7e0fd28 | out: lpFindFileData=0x7e0fd28) returned 0x5c8510 [0090.658] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.658] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x7e0fd28 | out: lpFindFileData=0x7e0fd28) returned 1 [0090.658] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.658] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.658] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x7e0fd28 | out: lpFindFileData=0x7e0fd28) returned 0 [0090.658] FindClose (in: hFindFile=0x5c8510 | out: hFindFile=0x5c8510) returned 1 Thread: id = 132 os_tid = 0xf58 [0090.751] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*", lpFindFileData=0x7f4fd28 | out: lpFindFileData=0x7f4fd28) returned 0x5c8d10 [0090.751] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.751] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x7f4fd28 | out: lpFindFileData=0x7f4fd28) returned 1 [0090.751] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.751] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.751] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x7f4fd28 | out: lpFindFileData=0x7f4fd28) returned 1 [0090.751] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*" [0090.751] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*") returned 35 [0090.751] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\How To Restore Files.hta" [0090.751] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\mf\\how to restore files.hta")) returned 0xffffffff [0090.751] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\mf\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0090.752] WriteFile (in: hFile=0x31c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x7f4fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x7f4fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0090.754] CloseHandle (hObject=0x31c) returned 1 [0090.754] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0090.755] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Active.GRL") returned 1 [0090.755] lstrlenW (lpString="Active.GRL") returned 10 [0090.755] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*" [0090.755] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*") returned 35 [0090.755] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\", lpString2="Active.GRL" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" [0090.755] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" [0090.755] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL id-Br3n0G72wUb8CejT.LyaS" [0090.755] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl id-br3n0g72wub8cejt.lyas")) returned 1 [0090.756] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0090.756] CreateFileMappingA (hFile=0x31c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x350 [0090.756] CryptAcquireContextA (in: phProv=0x7f4fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x7f4fce4*=0x5d1140) returned 1 [0090.757] CryptGenKey (in: hProv=0x5d1140, Algid=0x6610, dwFlags=0x1, phKey=0x7f4fce0 | out: phKey=0x7f4fce0*=0x5c9010) returned 1 [0090.757] CryptExportKey (in: hKey=0x5c9010, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x7f4fbdc, pdwDataLen=0x7f4fcdc | out: pbData=0x7f4fbdc*, pdwDataLen=0x7f4fcdc*=0x2c) returned 1 [0090.757] MapViewOfFile (hFileMappingObject=0x350, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3a60) returned 0x31f0000 [0091.044] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x7f4fbdc*, pdwDataLen=0x7f4fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x7f4fbdc*, pdwDataLen=0x7f4fcf0*=0x100) returned 1 [0091.057] CryptEncrypt (in: hKey=0x5c9010, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x31f0000, pdwDataLen=0x7f4fcdc*=0x3a60, dwBufLen=0x3a60 | out: pbData=0x31f0000*, pdwDataLen=0x7f4fcdc*=0x3a60) returned 1 [0091.114] UnmapViewOfFile (lpBaseAddress=0x31f0000) returned 1 [0091.114] CloseHandle (hObject=0x350) returned 1 [0091.114] CryptDestroyKey (hKey=0x5c9010) returned 1 [0091.114] CryptReleaseContext (hProv=0x5d1140, dwFlags=0x0) returned 1 [0091.114] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.114] WriteFile (in: hFile=0x31c, lpBuffer=0x7f4fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x7f4fcf0, lpOverlapped=0x0 | out: lpBuffer=0x7f4fbdc*, lpNumberOfBytesWritten=0x7f4fcf0*=0x100, lpOverlapped=0x0) returned 1 [0091.115] WriteFile (in: hFile=0x31c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x7f4fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x7f4fcf0*=0x500, lpOverlapped=0x0) returned 1 [0091.115] CloseHandle (hObject=0x31c) returned 1 [0091.116] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0091.117] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x7f4fd28 | out: lpFindFileData=0x7f4fd28) returned 1 [0091.117] lstrcpyW (in: lpString1=0x3f000d8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*" [0091.117] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*") returned 35 [0091.117] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\How To Restore Files.hta" [0091.117] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\mf\\how to restore files.hta")) returned 0x1 [0091.117] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Pending.GRL") returned -1 [0091.117] lstrlenW (lpString="Pending.GRL") returned 11 [0091.117] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*" [0091.117] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*") returned 35 [0091.117] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\", lpString2="Pending.GRL" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" [0091.117] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" [0091.117] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL id-Br3n0G72wUb8CejT.LyaS" [0091.117] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl id-br3n0g72wub8cejt.lyas")) returned 1 [0091.118] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0091.118] CreateFileMappingA (hFile=0x31c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x350 [0091.118] CryptAcquireContextA (in: phProv=0x7f4fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x7f4fce4*=0x5d0fa8) returned 1 [0091.118] CryptGenKey (in: hProv=0x5d0fa8, Algid=0x6610, dwFlags=0x1, phKey=0x7f4fce0 | out: phKey=0x7f4fce0*=0x5c9190) returned 1 [0091.118] CryptExportKey (in: hKey=0x5c9190, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x7f4fbdc, pdwDataLen=0x7f4fcdc | out: pbData=0x7f4fbdc*, pdwDataLen=0x7f4fcdc*=0x2c) returned 1 [0091.119] MapViewOfFile (hFileMappingObject=0x350, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3a60) returned 0x30c0000 [0093.220] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x7f4fbdc*, pdwDataLen=0x7f4fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x7f4fbdc*, pdwDataLen=0x7f4fcf0*=0x100) returned 1 [0093.220] CryptEncrypt (in: hKey=0x5c9190, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30c0000, pdwDataLen=0x7f4fcdc*=0x3a60, dwBufLen=0x3a60 | out: pbData=0x30c0000*, pdwDataLen=0x7f4fcdc*=0x3a60) returned 1 [0094.180] UnmapViewOfFile (lpBaseAddress=0x30c0000) returned 1 [0094.180] CloseHandle (hObject=0x350) returned 1 [0094.180] CryptDestroyKey (hKey=0x5c9190) returned 1 [0094.180] CryptReleaseContext (hProv=0x5d0fa8, dwFlags=0x0) returned 1 [0094.180] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.180] WriteFile (in: hFile=0x31c, lpBuffer=0x7f4fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x7f4fcf0, lpOverlapped=0x0 | out: lpBuffer=0x7f4fbdc*, lpNumberOfBytesWritten=0x7f4fcf0*=0x100, lpOverlapped=0x0) returned 1 [0094.419] WriteFile (in: hFile=0x31c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x7f4fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x7f4fcf0*=0x500, lpOverlapped=0x0) returned 1 [0094.420] CloseHandle (hObject=0x31c) returned 1 [0094.425] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0094.508] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x7f4fd28 | out: lpFindFileData=0x7f4fd28) returned 0 [0094.508] FindClose (in: hFindFile=0x5c8d10 | out: hFindFile=0x5c8d10) returned 1 Thread: id = 133 os_tid = 0xfc8 [0090.849] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\*.*", lpFindFileData=0x624fd28 | out: lpFindFileData=0x624fd28) returned 0x5c8d50 [0090.851] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.851] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x624fd28 | out: lpFindFileData=0x624fd28) returned 1 [0090.851] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.851] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.851] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x624fd28 | out: lpFindFileData=0x624fd28) returned 1 [0090.851] lstrcmpW (lpString1=".", lpString2=".oracle_jre_usage") returned -1 [0090.851] lstrcmpW (lpString1="..", lpString2=".oracle_jre_usage") returned -1 [0090.851] lstrcmpiW (lpString1="windows", lpString2=".oracle_jre_usage") returned 1 [0090.851] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Oracle\\Java\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\*.*") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\*.*" [0090.851] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Oracle\\Java\\*.*") returned 34 [0090.851] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\", lpString2=".oracle_jre_usage" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage" [0090.851] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\*.*") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\*.*" [0090.851] GlobalMemoryStatus (in: lpBuffer=0x624fd08 | out: lpBuffer=0x624fd08) [0090.851] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5bc89b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x37c [0090.852] CloseHandle (hObject=0x37c) returned 1 [0090.852] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x624fd28 | out: lpFindFileData=0x624fd28) returned 1 [0090.852] lstrcmpW (lpString1=".", lpString2="installcache_x64") returned -1 [0090.852] lstrcmpW (lpString1="..", lpString2="installcache_x64") returned -1 [0090.852] lstrcmpiW (lpString1="windows", lpString2="installcache_x64") returned 1 [0090.852] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Oracle\\Java\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\*.*") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\*.*" [0090.852] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Oracle\\Java\\*.*") returned 34 [0090.852] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\", lpString2="installcache_x64" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64" [0090.852] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\*.*") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\*.*" [0090.852] GlobalMemoryStatus (in: lpBuffer=0x624fd08 | out: lpBuffer=0x624fd08) [0090.852] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5bf8a80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x37c [0090.853] CloseHandle (hObject=0x37c) returned 1 [0090.853] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x624fd28 | out: lpFindFileData=0x624fd28) returned 1 [0090.853] lstrcmpW (lpString1=".", lpString2="javapath") returned -1 [0090.853] lstrcmpW (lpString1="..", lpString2="javapath") returned -1 [0090.853] lstrcmpiW (lpString1="windows", lpString2="javapath") returned 1 [0090.856] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Oracle\\Java\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\*.*") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\*.*" [0090.856] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Oracle\\Java\\*.*") returned 34 [0090.856] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\", lpString2="javapath" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath" [0090.856] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\*.*") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\*.*" [0090.856] GlobalMemoryStatus (in: lpBuffer=0x624fd08 | out: lpBuffer=0x624fd08) [0090.856] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10f565f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x37c [0090.858] CloseHandle (hObject=0x37c) returned 1 [0090.858] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x624fd28 | out: lpFindFileData=0x624fd28) returned 1 [0090.858] lstrcmpW (lpString1=".", lpString2="javapath_target_5923062") returned -1 [0090.858] lstrcmpW (lpString1="..", lpString2="javapath_target_5923062") returned -1 [0090.858] lstrcmpiW (lpString1="windows", lpString2="javapath_target_5923062") returned 1 [0090.862] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Oracle\\Java\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\*.*") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\*.*" [0090.862] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Oracle\\Java\\*.*") returned 34 [0090.862] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\", lpString2="javapath_target_5923062" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062" [0090.862] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\*.*") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\*.*" [0090.862] GlobalMemoryStatus (in: lpBuffer=0x624fd08 | out: lpBuffer=0x624fd08) [0090.862] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10f6e660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x37c [0090.863] CloseHandle (hObject=0x37c) returned 1 [0090.863] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x624fd28 | out: lpFindFileData=0x624fd28) returned 0 [0090.863] FindClose (in: hFindFile=0x5c8d50 | out: hFindFile=0x5c8d50) returned 1 Thread: id = 134 os_tid = 0xe88 [0090.875] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\*.*", lpFindFileData=0x804fd28 | out: lpFindFileData=0x804fd28) returned 0x5c8dd0 [0090.875] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.875] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x804fd28 | out: lpFindFileData=0x804fd28) returned 1 [0090.876] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.876] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.876] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x804fd28 | out: lpFindFileData=0x804fd28) returned 1 [0090.876] lstrcmpW (lpString1=".", lpString2="Registration") returned -1 [0090.876] lstrcmpW (lpString1="..", lpString2="Registration") returned -1 [0090.876] lstrcmpiW (lpString1="windows", lpString2="Registration") returned 1 [0090.878] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\*.*" [0090.878] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\*.*") returned 56 [0090.878] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\", lpString2="Registration" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration" [0090.878] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\*.*" [0090.878] GlobalMemoryStatus (in: lpBuffer=0x804fd08 | out: lpBuffer=0x804fd08) [0090.879] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10fce800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x37c [0090.879] CloseHandle (hObject=0x37c) returned 1 [0090.879] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x804fd28 | out: lpFindFileData=0x804fd28) returned 1 [0090.879] lstrcmpW (lpString1=".", lpString2="Schema") returned -1 [0090.879] lstrcmpW (lpString1="..", lpString2="Schema") returned -1 [0090.879] lstrcmpiW (lpString1="windows", lpString2="Schema") returned 1 [0090.883] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\*.*" [0090.883] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\*.*") returned 56 [0090.883] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\", lpString2="Schema" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema" [0090.883] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema\\*.*" [0090.883] GlobalMemoryStatus (in: lpBuffer=0x804fd08 | out: lpBuffer=0x804fd08) [0090.883] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10fe6868, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x37c [0090.883] CloseHandle (hObject=0x37c) returned 1 [0090.883] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x804fd28 | out: lpFindFileData=0x804fd28) returned 0 [0090.883] FindClose (in: hFindFile=0x5c8dd0 | out: hFindFile=0x5c8dd0) returned 1 Thread: id = 135 os_tid = 0x224 [0090.884] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\*.*", lpFindFileData=0x814fd28 | out: lpFindFileData=0x814fd28) returned 0x5c90d0 [0090.957] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.957] FindNextFileW (in: hFindFile=0x5c90d0, lpFindFileData=0x814fd28 | out: lpFindFileData=0x814fd28) returned 1 [0090.957] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.957] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.957] FindNextFileW (in: hFindFile=0x5c90d0, lpFindFileData=0x814fd28 | out: lpFindFileData=0x814fd28) returned 1 [0090.957] lstrcmpW (lpString1=".", lpString2="PackageManagement") returned -1 [0090.957] lstrcmpW (lpString1="..", lpString2="PackageManagement") returned -1 [0090.957] lstrcmpiW (lpString1="windows", lpString2="PackageManagement") returned 1 [0092.408] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\*.*" [0092.408] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\*.*") returned 50 [0092.408] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\", lpString2="PackageManagement" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement" [0092.408] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\*.*" [0092.408] GlobalMemoryStatus (in: lpBuffer=0x814fd08 | out: lpBuffer=0x814fd08) [0092.408] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8f49df8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3dc [0092.409] CloseHandle (hObject=0x3dc) returned 1 [0092.409] FindNextFileW (in: hFindFile=0x5c90d0, lpFindFileData=0x814fd28 | out: lpFindFileData=0x814fd28) returned 1 [0092.409] lstrcmpW (lpString1=".", lpString2="Pester") returned -1 [0092.409] lstrcmpW (lpString1="..", lpString2="Pester") returned -1 [0092.409] lstrcmpiW (lpString1="windows", lpString2="Pester") returned 1 [0092.409] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\*.*" [0092.409] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\*.*") returned 50 [0092.409] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\", lpString2="Pester" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\Pester") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\Pester" [0092.409] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\*.*" [0092.409] GlobalMemoryStatus (in: lpBuffer=0x814fd08 | out: lpBuffer=0x814fd08) [0092.409] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x105c0118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3dc [0092.410] CloseHandle (hObject=0x3dc) returned 1 [0092.410] FindNextFileW (in: hFindFile=0x5c90d0, lpFindFileData=0x814fd28 | out: lpFindFileData=0x814fd28) returned 1 [0092.410] lstrcmpW (lpString1=".", lpString2="PowerShellGet") returned -1 [0092.410] lstrcmpW (lpString1="..", lpString2="PowerShellGet") returned -1 [0092.410] lstrcmpiW (lpString1="windows", lpString2="PowerShellGet") returned 1 [0092.410] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\*.*" [0092.410] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\*.*") returned 50 [0092.410] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\", lpString2="PowerShellGet" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet" [0092.411] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\*.*" [0092.411] GlobalMemoryStatus (in: lpBuffer=0x814fd08 | out: lpBuffer=0x814fd08) [0092.411] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10fce800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3dc [0092.412] CloseHandle (hObject=0x3dc) returned 1 [0092.412] FindNextFileW (in: hFindFile=0x5c90d0, lpFindFileData=0x814fd28 | out: lpFindFileData=0x814fd28) returned 1 [0092.412] lstrcmpW (lpString1=".", lpString2="PSReadline") returned -1 [0092.412] lstrcmpW (lpString1="..", lpString2="PSReadline") returned -1 [0092.412] lstrcmpiW (lpString1="windows", lpString2="PSReadline") returned 1 [0092.412] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\*.*" [0092.412] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\*.*") returned 50 [0092.412] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\", lpString2="PSReadline" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline" [0092.412] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\*.*" [0092.412] GlobalMemoryStatus (in: lpBuffer=0x814fd08 | out: lpBuffer=0x814fd08) [0092.412] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10fe6868, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3dc [0092.413] CloseHandle (hObject=0x3dc) returned 1 [0092.413] FindNextFileW (in: hFindFile=0x5c90d0, lpFindFileData=0x814fd28 | out: lpFindFileData=0x814fd28) returned 0 [0092.413] FindClose (in: hFindFile=0x5c90d0 | out: hFindFile=0x5c90d0) returned 1 Thread: id = 136 os_tid = 0x318 [0090.885] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\*.*", lpFindFileData=0x824fd28 | out: lpFindFileData=0x824fd28) returned 0x5c8dd0 [0090.885] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.885] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x824fd28 | out: lpFindFileData=0x824fd28) returned 1 [0090.885] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.885] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.885] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x824fd28 | out: lpFindFileData=0x824fd28) returned 1 [0090.885] lstrcmpW (lpString1=".", lpString2="ARM") returned -1 [0090.885] lstrcmpW (lpString1="..", lpString2="ARM") returned -1 [0090.885] lstrcmpiW (lpString1="windows", lpString2="ARM") returned 1 [0090.885] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\*.*" [0090.885] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Adobe\\*.*") returned 32 [0090.885] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\", lpString2="ARM" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM" [0090.886] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*" [0090.886] GlobalMemoryStatus (in: lpBuffer=0x824fd08 | out: lpBuffer=0x824fd08) [0090.886] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5ded18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x37c [0090.886] CloseHandle (hObject=0x37c) returned 1 [0090.886] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x824fd28 | out: lpFindFileData=0x824fd28) returned 0 [0090.886] FindClose (in: hFindFile=0x5c8dd0 | out: hFindFile=0x5c8dd0) returned 1 Thread: id = 137 os_tid = 0x34c [0090.887] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Application Data\\*.*", lpFindFileData=0x834fd28 | out: lpFindFileData=0x834fd28) returned 0xffffffff Thread: id = 138 os_tid = 0x338 [0090.888] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Comms\\*.*", lpFindFileData=0x848fd28 | out: lpFindFileData=0x848fd28) returned 0x5c8dd0 [0090.888] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.888] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x848fd28 | out: lpFindFileData=0x848fd28) returned 1 [0090.888] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.888] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.888] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x848fd28 | out: lpFindFileData=0x848fd28) returned 0 [0090.888] FindClose (in: hFindFile=0x5c8dd0 | out: hFindFile=0x5c8dd0) returned 1 Thread: id = 139 os_tid = 0x320 [0090.889] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Desktop\\*.*", lpFindFileData=0x85cfd28 | out: lpFindFileData=0x85cfd28) returned 0xffffffff Thread: id = 140 os_tid = 0xec4 [0090.890] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Documents\\*.*", lpFindFileData=0x870fd28 | out: lpFindFileData=0x870fd28) returned 0xffffffff Thread: id = 141 os_tid = 0x304 [0090.891] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*", lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 0x5c8dd0 [0090.891] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.891] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0090.891] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.891] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.891] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0090.891] lstrcmpW (lpString1=".", lpString2="ClickToRun") returned -1 [0090.891] lstrcmpW (lpString1="..", lpString2="ClickToRun") returned -1 [0090.891] lstrcmpiW (lpString1="windows", lpString2="ClickToRun") returned 1 [0090.891] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0090.891] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0090.891] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="ClickToRun" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun" [0090.891] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*" [0090.891] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0090.892] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3e600d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x37c [0090.892] CloseHandle (hObject=0x37c) returned 1 [0090.892] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0090.892] lstrcmpW (lpString1=".", lpString2="Crypto") returned -1 [0090.892] lstrcmpW (lpString1="..", lpString2="Crypto") returned -1 [0090.892] lstrcmpiW (lpString1="windows", lpString2="Crypto") returned 1 [0090.892] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0090.892] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0090.892] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="Crypto" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto" [0090.892] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*" [0090.892] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0090.893] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5cf8dd0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x37c [0090.893] CloseHandle (hObject=0x37c) returned 1 [0090.893] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0090.893] lstrcmpW (lpString1=".", lpString2="DataMart") returned -1 [0090.893] lstrcmpW (lpString1="..", lpString2="DataMart") returned -1 [0090.893] lstrcmpiW (lpString1="windows", lpString2="DataMart") returned 1 [0090.893] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0090.893] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0090.893] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="DataMart" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart" [0090.893] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\*.*" [0090.893] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0090.893] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5d10e38, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x37c [0090.894] CloseHandle (hObject=0x37c) returned 1 [0090.894] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0090.894] lstrcmpW (lpString1=".", lpString2="Device Stage") returned -1 [0090.894] lstrcmpW (lpString1="..", lpString2="Device Stage") returned -1 [0090.894] lstrcmpiW (lpString1="windows", lpString2="Device Stage") returned 1 [0090.894] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0090.894] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0090.894] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="Device Stage" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage" [0090.894] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*" [0090.894] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0090.894] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5d28ea0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x37c [0090.895] CloseHandle (hObject=0x37c) returned 1 [0090.895] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0090.895] lstrcmpW (lpString1=".", lpString2="DeviceSync") returned -1 [0090.895] lstrcmpW (lpString1="..", lpString2="DeviceSync") returned -1 [0090.895] lstrcmpiW (lpString1="windows", lpString2="DeviceSync") returned 1 [0090.895] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0090.895] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0090.895] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="DeviceSync" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync" [0090.895] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\*.*" [0090.895] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0090.895] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5d40f08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x37c [0090.896] CloseHandle (hObject=0x37c) returned 1 [0090.896] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0090.896] lstrcmpW (lpString1=".", lpString2="Diagnosis") returned -1 [0090.896] lstrcmpW (lpString1="..", lpString2="Diagnosis") returned -1 [0090.896] lstrcmpiW (lpString1="windows", lpString2="Diagnosis") returned 1 [0090.899] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0090.899] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0090.899] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="Diagnosis" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis" [0090.899] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" [0090.899] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0090.899] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10ffe8d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x37c [0090.900] CloseHandle (hObject=0x37c) returned 1 [0090.900] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0090.900] lstrcmpW (lpString1=".", lpString2="DRM") returned -1 [0090.900] lstrcmpW (lpString1="..", lpString2="DRM") returned -1 [0090.900] lstrcmpiW (lpString1="windows", lpString2="DRM") returned 1 [0090.903] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0090.903] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0090.903] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="DRM" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM" [0090.903] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*.*" [0090.903] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0090.903] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11016938, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x37c [0090.904] CloseHandle (hObject=0x37c) returned 1 [0090.904] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0090.904] lstrcmpW (lpString1=".", lpString2="Event Viewer") returned -1 [0090.904] lstrcmpW (lpString1="..", lpString2="Event Viewer") returned -1 [0090.904] lstrcmpiW (lpString1="windows", lpString2="Event Viewer") returned 1 [0090.909] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0090.909] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0090.910] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="Event Viewer" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer" [0090.910] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\*.*" [0090.910] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0090.910] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1102e9a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x37c [0090.910] CloseHandle (hObject=0x37c) returned 1 [0090.910] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0090.911] lstrcmpW (lpString1=".", lpString2="IdentityCRL") returned -1 [0090.911] lstrcmpW (lpString1="..", lpString2="IdentityCRL") returned -1 [0090.911] lstrcmpiW (lpString1="windows", lpString2="IdentityCRL") returned 1 [0090.913] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0090.913] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0090.913] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="IdentityCRL" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL" [0090.913] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*" [0090.913] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0090.914] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11046a08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x37c [0090.914] CloseHandle (hObject=0x37c) returned 1 [0090.914] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0090.914] lstrcmpW (lpString1=".", lpString2="MapData") returned -1 [0090.914] lstrcmpW (lpString1="..", lpString2="MapData") returned -1 [0090.915] lstrcmpiW (lpString1="windows", lpString2="MapData") returned 1 [0090.917] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0090.917] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0090.917] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="MapData" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData" [0090.917] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData\\*.*" [0090.917] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0090.918] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1105ea70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x37c [0090.918] CloseHandle (hObject=0x37c) returned 1 [0090.918] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0090.918] lstrcmpW (lpString1=".", lpString2="MF") returned -1 [0090.918] lstrcmpW (lpString1="..", lpString2="MF") returned -1 [0090.918] lstrcmpiW (lpString1="windows", lpString2="MF") returned 1 [0090.921] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0090.921] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0090.921] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="MF" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF" [0090.921] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*" [0090.921] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0090.921] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11076ad8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x37c [0090.922] CloseHandle (hObject=0x37c) returned 1 [0090.922] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0090.922] lstrcmpW (lpString1=".", lpString2="NetFramework") returned -1 [0090.922] lstrcmpW (lpString1="..", lpString2="NetFramework") returned -1 [0090.922] lstrcmpiW (lpString1="windows", lpString2="NetFramework") returned 1 [0090.924] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0090.925] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0090.925] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="NetFramework" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework" [0090.925] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*" [0090.925] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0090.925] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1108eb40, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x37c [0090.925] CloseHandle (hObject=0x37c) returned 1 [0090.925] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0090.926] lstrcmpW (lpString1=".", lpString2="Network") returned -1 [0090.926] lstrcmpW (lpString1="..", lpString2="Network") returned -1 [0090.926] lstrcmpiW (lpString1="windows", lpString2="Network") returned 1 [0090.929] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0090.929] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0090.929] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="Network" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network" [0090.929] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*.*" [0090.929] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0090.929] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x110a6ba8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x37c [0090.930] CloseHandle (hObject=0x37c) returned 1 [0090.930] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0090.930] lstrcmpW (lpString1=".", lpString2="Office") returned -1 [0090.930] lstrcmpW (lpString1="..", lpString2="Office") returned -1 [0090.930] lstrcmpiW (lpString1="windows", lpString2="Office") returned 1 [0090.933] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0090.933] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0090.933] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="Office" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office" [0090.933] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\*.*" [0090.933] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0090.934] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x110bec10, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x37c [0090.934] CloseHandle (hObject=0x37c) returned 1 [0090.934] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0090.934] lstrcmpW (lpString1=".", lpString2="Provisioning") returned -1 [0090.934] lstrcmpW (lpString1="..", lpString2="Provisioning") returned -1 [0090.934] lstrcmpiW (lpString1="windows", lpString2="Provisioning") returned 1 [0093.079] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0093.079] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0093.079] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="Provisioning" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning" [0093.079] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" [0093.079] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0093.079] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x110d6c78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0093.080] CloseHandle (hObject=0x320) returned 1 [0093.080] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0093.080] lstrcmpW (lpString1=".", lpString2="Search") returned -1 [0093.080] lstrcmpW (lpString1="..", lpString2="Search") returned -1 [0093.080] lstrcmpiW (lpString1="windows", lpString2="Search") returned 1 [0093.080] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0093.080] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0093.080] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="Search" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search" [0093.080] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\*.*" [0093.080] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0093.081] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x88680b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0093.081] CloseHandle (hObject=0x320) returned 1 [0093.081] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0093.081] lstrcmpW (lpString1=".", lpString2="SmsRouter") returned -1 [0093.081] lstrcmpW (lpString1="..", lpString2="SmsRouter") returned -1 [0093.081] lstrcmpiW (lpString1="windows", lpString2="SmsRouter") returned 1 [0093.085] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0093.085] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0093.085] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="SmsRouter" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter" [0093.085] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\*.*" [0093.085] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0093.085] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x113db980, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0093.086] CloseHandle (hObject=0x320) returned 1 [0093.086] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0093.086] lstrcmpW (lpString1=".", lpString2="User Account Pictures") returned -1 [0093.086] lstrcmpW (lpString1="..", lpString2="User Account Pictures") returned -1 [0093.086] lstrcmpiW (lpString1="windows", lpString2="User Account Pictures") returned 1 [0093.089] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0093.089] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0093.089] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="User Account Pictures" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures" [0093.089] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*" [0093.089] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0093.090] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x113f39e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0093.090] CloseHandle (hObject=0x320) returned 1 [0093.090] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0093.090] lstrcmpW (lpString1=".", lpString2="Vault") returned -1 [0093.090] lstrcmpW (lpString1="..", lpString2="Vault") returned -1 [0093.090] lstrcmpiW (lpString1="windows", lpString2="Vault") returned 1 [0093.113] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0093.113] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0093.113] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="Vault" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault" [0093.113] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\*.*" [0093.113] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0093.113] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1140ba50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x388 [0093.114] CloseHandle (hObject=0x388) returned 1 [0093.114] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0093.114] lstrcmpW (lpString1=".", lpString2="WDF") returned -1 [0093.114] lstrcmpW (lpString1="..", lpString2="WDF") returned -1 [0093.114] lstrcmpiW (lpString1="windows", lpString2="WDF") returned 1 [0093.117] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0093.117] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0093.117] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="WDF" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF" [0093.117] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF\\*.*" [0093.118] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0093.118] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11423ab8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x388 [0093.120] CloseHandle (hObject=0x388) returned 1 [0093.120] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0093.120] lstrcmpW (lpString1=".", lpString2="Windows") returned -1 [0093.120] lstrcmpW (lpString1="..", lpString2="Windows") returned -1 [0093.121] lstrcmpiW (lpString1="windows", lpString2="Windows") returned 0 [0093.121] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0093.121] lstrcmpW (lpString1=".", lpString2="Windows Defender") returned -1 [0093.121] lstrcmpW (lpString1="..", lpString2="Windows Defender") returned -1 [0093.121] lstrcmpiW (lpString1="windows", lpString2="Windows Defender") returned -1 [0093.124] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0093.126] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0093.126] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="Windows Defender" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender" [0093.126] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" [0093.126] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0093.127] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1143bb20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x388 [0093.127] CloseHandle (hObject=0x388) returned 1 [0093.127] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0093.127] lstrcmpW (lpString1=".", lpString2="Windows Live") returned -1 [0093.127] lstrcmpW (lpString1="..", lpString2="Windows Live") returned -1 [0093.127] lstrcmpiW (lpString1="windows", lpString2="Windows Live") returned -1 [0093.131] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0093.131] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0093.131] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="Windows Live" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live" [0093.131] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\*.*" [0093.131] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0093.131] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11453b88, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x388 [0093.132] CloseHandle (hObject=0x388) returned 1 [0093.133] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0093.133] lstrcmpW (lpString1=".", lpString2="Windows NT") returned -1 [0093.133] lstrcmpW (lpString1="..", lpString2="Windows NT") returned -1 [0093.133] lstrcmpiW (lpString1="windows", lpString2="Windows NT") returned -1 [0093.138] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0093.138] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0093.138] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="Windows NT" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT" [0093.138] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*" [0093.138] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0093.138] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1146bbf0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x388 [0093.139] CloseHandle (hObject=0x388) returned 1 [0093.139] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0093.139] lstrcmpW (lpString1=".", lpString2="WinMSIPC") returned -1 [0093.139] lstrcmpW (lpString1="..", lpString2="WinMSIPC") returned -1 [0093.139] lstrcmpiW (lpString1="windows", lpString2="WinMSIPC") returned -1 [0094.183] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0094.183] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0094.183] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="WinMSIPC" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC" [0094.183] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\*.*" [0094.183] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0094.184] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11483c58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x32c [0094.184] CloseHandle (hObject=0x32c) returned 1 [0094.184] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 1 [0094.184] lstrcmpW (lpString1=".", lpString2="WwanSvc") returned -1 [0094.185] lstrcmpW (lpString1="..", lpString2="WwanSvc") returned -1 [0094.185] lstrcmpiW (lpString1="windows", lpString2="WwanSvc") returned -1 [0094.185] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0094.185] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0094.185] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="WwanSvc" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc" [0094.185] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\*.*" [0094.185] GlobalMemoryStatus (in: lpBuffer=0x884fd08 | out: lpBuffer=0x884fd08) [0094.185] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5c70c88, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x32c [0094.186] CloseHandle (hObject=0x32c) returned 1 [0094.186] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x884fd28 | out: lpFindFileData=0x884fd28) returned 0 [0094.186] FindClose (in: hFindFile=0x5c8dd0 | out: hFindFile=0x5c8dd0) returned 1 Thread: id = 142 os_tid = 0xfd4 [0090.937] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\*.*", lpFindFileData=0x918fd28 | out: lpFindFileData=0x918fd28) returned 0x5c8e10 [0090.938] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.938] FindNextFileW (in: hFindFile=0x5c8e10, lpFindFileData=0x918fd28 | out: lpFindFileData=0x918fd28) returned 1 [0090.938] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.938] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.938] FindNextFileW (in: hFindFile=0x5c8e10, lpFindFileData=0x918fd28 | out: lpFindFileData=0x918fd28) returned 1 [0090.938] lstrcmpW (lpString1=".", lpString2="setup") returned -1 [0090.938] lstrcmpW (lpString1="..", lpString2="setup") returned -1 [0090.938] lstrcmpiW (lpString1="windows", lpString2="setup") returned 1 [0091.053] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\*.*" [0091.053] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\*.*") returned 45 [0091.053] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\", lpString2="setup" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup") returned="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup" [0091.053] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*.*" [0091.053] GlobalMemoryStatus (in: lpBuffer=0x918fd08 | out: lpBuffer=0x918fd08) [0091.054] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x110eece0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x324 [0091.054] CloseHandle (hObject=0x324) returned 1 [0091.054] FindNextFileW (in: hFindFile=0x5c8e10, lpFindFileData=0x918fd28 | out: lpFindFileData=0x918fd28) returned 0 [0091.054] FindClose (in: hFindFile=0x5c8e10 | out: hFindFile=0x5c8e10) returned 1 Thread: id = 143 os_tid = 0x274 [0090.938] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\*.*", lpFindFileData=0x92cfd28 | out: lpFindFileData=0x92cfd28) returned 0x5c8e90 [0090.938] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.939] FindNextFileW (in: hFindFile=0x5c8e90, lpFindFileData=0x92cfd28 | out: lpFindFileData=0x92cfd28) returned 1 [0090.939] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.939] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.939] FindNextFileW (in: hFindFile=0x5c8e90, lpFindFileData=0x92cfd28 | out: lpFindFileData=0x92cfd28) returned 1 [0090.939] lstrcmpW (lpString1=".", lpString2="Java") returned -1 [0090.939] lstrcmpW (lpString1="..", lpString2="Java") returned -1 [0090.939] lstrcmpiW (lpString1="windows", lpString2="Java") returned 1 [0093.077] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Oracle\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\*.*" [0093.077] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Oracle\\*.*") returned 33 [0093.077] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\", lpString2="Java" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\Java" [0093.077] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\*.*" [0093.077] GlobalMemoryStatus (in: lpBuffer=0x92cfd08 | out: lpBuffer=0x92cfd08) [0093.077] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8880118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x388 [0093.078] CloseHandle (hObject=0x388) returned 1 [0093.078] FindNextFileW (in: hFindFile=0x5c8e90, lpFindFileData=0x92cfd28 | out: lpFindFileData=0x92cfd28) returned 0 [0093.078] FindClose (in: hFindFile=0x5c8e90 | out: hFindFile=0x5c8e90) returned 1 Thread: id = 144 os_tid = 0x95c [0090.939] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*", lpFindFileData=0x940fd28 | out: lpFindFileData=0x940fd28) returned 0x5c8ed0 [0090.940] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.940] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x940fd28 | out: lpFindFileData=0x940fd28) returned 1 [0090.940] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.940] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.940] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x940fd28 | out: lpFindFileData=0x940fd28) returned 1 [0090.940] lstrcmpW (lpString1=".", lpString2="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned -1 [0090.940] lstrcmpW (lpString1="..", lpString2="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned -1 [0090.940] lstrcmpiW (lpString1="windows", lpString2="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned 1 [0093.003] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0093.003] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0093.003] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" [0093.004] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*" [0093.004] GlobalMemoryStatus (in: lpBuffer=0x940fd08 | out: lpBuffer=0x940fd08) [0093.004] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5b80878, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0093.005] CloseHandle (hObject=0x2a4) returned 1 [0093.005] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x940fd28 | out: lpFindFileData=0x940fd28) returned 1 [0093.005] lstrcmpW (lpString1=".", lpString2="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned -1 [0093.005] lstrcmpW (lpString1="..", lpString2="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned -1 [0093.005] lstrcmpiW (lpString1="windows", lpString2="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned 1 [0093.005] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0093.005] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0093.005] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" [0093.005] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" [0093.005] GlobalMemoryStatus (in: lpBuffer=0x940fd08 | out: lpBuffer=0x940fd08) [0093.005] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x106b0528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0093.006] CloseHandle (hObject=0x2a4) returned 1 [0093.006] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x940fd28 | out: lpFindFileData=0x940fd28) returned 1 [0093.006] lstrcmpW (lpString1=".", lpString2="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned -1 [0093.006] lstrcmpW (lpString1="..", lpString2="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned -1 [0093.006] lstrcmpiW (lpString1="windows", lpString2="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned 1 [0093.006] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0093.006] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0093.006] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030" [0093.006] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*" [0093.006] GlobalMemoryStatus (in: lpBuffer=0x940fd08 | out: lpBuffer=0x940fd08) [0093.007] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x106c8590, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0093.007] CloseHandle (hObject=0x2a4) returned 1 [0093.007] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x940fd28 | out: lpFindFileData=0x940fd28) returned 1 [0093.007] lstrcmpW (lpString1=".", lpString2="{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned -1 [0093.007] lstrcmpW (lpString1="..", lpString2="{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned -1 [0093.008] lstrcmpiW (lpString1="windows", lpString2="{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned 1 [0093.008] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0093.008] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0093.008] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{3c3aafc8-d898-43ec-998f-965ffdae065a}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}" [0093.008] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" [0093.008] GlobalMemoryStatus (in: lpBuffer=0x940fd08 | out: lpBuffer=0x940fd08) [0093.008] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x106e05f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0093.009] CloseHandle (hObject=0x2a4) returned 1 [0093.009] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x940fd28 | out: lpFindFileData=0x940fd28) returned 1 [0093.009] lstrcmpW (lpString1=".", lpString2="{74d0e5db-b326-4dae-a6b2-445b9de1836e}") returned -1 [0093.009] lstrcmpW (lpString1="..", lpString2="{74d0e5db-b326-4dae-a6b2-445b9de1836e}") returned -1 [0093.009] lstrcmpiW (lpString1="windows", lpString2="{74d0e5db-b326-4dae-a6b2-445b9de1836e}") returned 1 [0093.009] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0093.009] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0093.009] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{74d0e5db-b326-4dae-a6b2-445b9de1836e}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}" [0093.009] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*" [0093.009] GlobalMemoryStatus (in: lpBuffer=0x940fd08 | out: lpBuffer=0x940fd08) [0093.009] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1105ea70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0093.010] CloseHandle (hObject=0x2a4) returned 1 [0093.010] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x940fd28 | out: lpFindFileData=0x940fd28) returned 1 [0093.010] lstrcmpW (lpString1=".", lpString2="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned -1 [0093.010] lstrcmpW (lpString1="..", lpString2="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned -1 [0093.010] lstrcmpiW (lpString1="windows", lpString2="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned 1 [0093.011] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0093.011] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0093.011] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017" [0093.011] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*" [0093.011] GlobalMemoryStatus (in: lpBuffer=0x940fd08 | out: lpBuffer=0x940fd08) [0093.011] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11076ad8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0093.012] CloseHandle (hObject=0x2a4) returned 1 [0093.012] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x940fd28 | out: lpFindFileData=0x940fd28) returned 1 [0093.012] lstrcmpW (lpString1=".", lpString2="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned -1 [0093.012] lstrcmpW (lpString1="..", lpString2="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned -1 [0093.012] lstrcmpiW (lpString1="windows", lpString2="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned 1 [0093.012] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0093.012] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0093.012] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005" [0093.012] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*" [0093.012] GlobalMemoryStatus (in: lpBuffer=0x940fd08 | out: lpBuffer=0x940fd08) [0093.012] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1108eb40, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0093.013] CloseHandle (hObject=0x2a4) returned 1 [0093.013] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x940fd28 | out: lpFindFileData=0x940fd28) returned 1 [0093.013] lstrcmpW (lpString1=".", lpString2="{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026") returned -1 [0093.013] lstrcmpW (lpString1="..", lpString2="{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026") returned -1 [0093.013] lstrcmpiW (lpString1="windows", lpString2="{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026") returned 1 [0093.013] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0093.014] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0093.014] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026" [0093.014] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\\*.*" [0093.014] GlobalMemoryStatus (in: lpBuffer=0x940fd08 | out: lpBuffer=0x940fd08) [0093.014] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x110a6ba8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0093.015] CloseHandle (hObject=0x2a4) returned 1 [0093.015] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x940fd28 | out: lpFindFileData=0x940fd28) returned 1 [0093.015] lstrcmpW (lpString1=".", lpString2="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned -1 [0093.015] lstrcmpW (lpString1="..", lpString2="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned -1 [0093.015] lstrcmpiW (lpString1="windows", lpString2="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned 1 [0093.015] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0093.015] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0093.015] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005" [0093.015] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*" [0093.015] GlobalMemoryStatus (in: lpBuffer=0x940fd08 | out: lpBuffer=0x940fd08) [0093.016] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x110bec10, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0093.016] CloseHandle (hObject=0x2a4) returned 1 [0093.016] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x940fd28 | out: lpFindFileData=0x940fd28) returned 1 [0093.017] lstrcmpW (lpString1=".", lpString2="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned -1 [0093.017] lstrcmpW (lpString1="..", lpString2="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned -1 [0093.017] lstrcmpiW (lpString1="windows", lpString2="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned 1 [0093.022] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0093.022] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0093.022] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" [0093.022] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*" [0093.022] GlobalMemoryStatus (in: lpBuffer=0x940fd08 | out: lpBuffer=0x940fd08) [0093.023] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x113035d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0093.023] CloseHandle (hObject=0x2a4) returned 1 [0093.023] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x940fd28 | out: lpFindFileData=0x940fd28) returned 1 [0093.023] lstrcmpW (lpString1=".", lpString2="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned -1 [0093.023] lstrcmpW (lpString1="..", lpString2="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned -1 [0093.023] lstrcmpiW (lpString1="windows", lpString2="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned 1 [0093.027] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0093.027] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0093.027] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" [0093.027] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*" [0093.027] GlobalMemoryStatus (in: lpBuffer=0x940fd08 | out: lpBuffer=0x940fd08) [0093.027] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1131b640, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0093.028] CloseHandle (hObject=0x2a4) returned 1 [0093.028] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x940fd28 | out: lpFindFileData=0x940fd28) returned 1 [0093.028] lstrcmpW (lpString1=".", lpString2="{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026") returned -1 [0093.028] lstrcmpW (lpString1="..", lpString2="{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026") returned -1 [0093.028] lstrcmpiW (lpString1="windows", lpString2="{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026") returned 1 [0093.032] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0093.032] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0093.033] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026" [0093.033] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\*.*" [0093.033] GlobalMemoryStatus (in: lpBuffer=0x940fd08 | out: lpBuffer=0x940fd08) [0093.033] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x113336a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0093.034] CloseHandle (hObject=0x2a4) returned 1 [0093.034] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x940fd28 | out: lpFindFileData=0x940fd28) returned 1 [0093.034] lstrcmpW (lpString1=".", lpString2="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned -1 [0093.034] lstrcmpW (lpString1="..", lpString2="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned -1 [0093.034] lstrcmpiW (lpString1="windows", lpString2="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned 1 [0093.038] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0093.038] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0093.038] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" [0093.038] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" [0093.038] GlobalMemoryStatus (in: lpBuffer=0x940fd08 | out: lpBuffer=0x940fd08) [0093.038] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1134b710, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0093.039] CloseHandle (hObject=0x2a4) returned 1 [0093.039] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x940fd28 | out: lpFindFileData=0x940fd28) returned 1 [0093.039] lstrcmpW (lpString1=".", lpString2="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned -1 [0093.039] lstrcmpW (lpString1="..", lpString2="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned -1 [0093.039] lstrcmpiW (lpString1="windows", lpString2="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned 1 [0093.043] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0093.043] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0093.043] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030" [0093.043] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*" [0093.043] GlobalMemoryStatus (in: lpBuffer=0x940fd08 | out: lpBuffer=0x940fd08) [0093.043] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11363778, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0093.044] CloseHandle (hObject=0x2a4) returned 1 [0093.044] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x940fd28 | out: lpFindFileData=0x940fd28) returned 1 [0093.044] lstrcmpW (lpString1=".", lpString2="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned -1 [0093.044] lstrcmpW (lpString1="..", lpString2="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned -1 [0093.044] lstrcmpiW (lpString1="windows", lpString2="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned 1 [0093.050] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0093.050] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0093.050] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017" [0093.050] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*" [0093.050] GlobalMemoryStatus (in: lpBuffer=0x940fd08 | out: lpBuffer=0x940fd08) [0093.050] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1137b7e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0093.051] CloseHandle (hObject=0x2a4) returned 1 [0093.051] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x940fd28 | out: lpFindFileData=0x940fd28) returned 1 [0093.051] lstrcmpW (lpString1=".", lpString2="{e52a6842-b0ac-476e-b48f-378a97a67346}") returned -1 [0093.051] lstrcmpW (lpString1="..", lpString2="{e52a6842-b0ac-476e-b48f-378a97a67346}") returned -1 [0093.051] lstrcmpiW (lpString1="windows", lpString2="{e52a6842-b0ac-476e-b48f-378a97a67346}") returned 1 [0093.054] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0093.054] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0093.054] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{e52a6842-b0ac-476e-b48f-378a97a67346}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}" [0093.054] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" [0093.054] GlobalMemoryStatus (in: lpBuffer=0x940fd08 | out: lpBuffer=0x940fd08) [0093.055] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11393848, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0093.055] CloseHandle (hObject=0x2a4) returned 1 [0093.055] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x940fd28 | out: lpFindFileData=0x940fd28) returned 1 [0093.055] lstrcmpW (lpString1=".", lpString2="{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned -1 [0093.055] lstrcmpW (lpString1="..", lpString2="{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned -1 [0093.055] lstrcmpiW (lpString1="windows", lpString2="{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned 1 [0093.059] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0093.059] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0093.059] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{e6e75766-da0f-4ba2-9788-6ea593ce702d}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}" [0093.059] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" [0093.059] GlobalMemoryStatus (in: lpBuffer=0x940fd08 | out: lpBuffer=0x940fd08) [0093.059] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x113ab8b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0093.060] CloseHandle (hObject=0x2a4) returned 1 [0093.060] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x940fd28 | out: lpFindFileData=0x940fd28) returned 1 [0093.060] lstrcmpW (lpString1=".", lpString2="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned -1 [0093.060] lstrcmpW (lpString1="..", lpString2="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned -1 [0093.060] lstrcmpiW (lpString1="windows", lpString2="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned 1 [0093.075] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0093.075] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0093.075] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" [0093.075] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*" [0093.075] GlobalMemoryStatus (in: lpBuffer=0x940fd08 | out: lpBuffer=0x940fd08) [0093.075] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x113c3918, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0093.076] CloseHandle (hObject=0x2a4) returned 1 [0093.076] FindNextFileW (in: hFindFile=0x5c8ed0, lpFindFileData=0x940fd28 | out: lpFindFileData=0x940fd28) returned 0 [0093.076] FindClose (in: hFindFile=0x5c8ed0 | out: hFindFile=0x5c8ed0) returned 1 Thread: id = 145 os_tid = 0xf8c [0090.941] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*", lpFindFileData=0x954fd28 | out: lpFindFileData=0x954fd28) returned 0x2c9e808 [0092.839] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.839] FindNextFileW (in: hFindFile=0x2c9e808, lpFindFileData=0x954fd28 | out: lpFindFileData=0x954fd28) returned 1 [0092.839] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.839] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.839] FindNextFileW (in: hFindFile=0x2c9e808, lpFindFileData=0x954fd28 | out: lpFindFileData=0x954fd28) returned 1 [0092.839] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0092.839] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0092.839] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0092.839] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*" [0092.839] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*") returned 86 [0092.840] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages" [0092.840] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*" [0092.840] GlobalMemoryStatus (in: lpBuffer=0x954fd08 | out: lpBuffer=0x954fd08) [0092.840] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x107106c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x598 [0092.840] CloseHandle (hObject=0x598) returned 1 [0092.841] FindNextFileW (in: hFindFile=0x2c9e808, lpFindFileData=0x954fd28 | out: lpFindFileData=0x954fd28) returned 0 [0092.841] FindClose (in: hFindFile=0x2c9e808 | out: hFindFile=0x2c9e808) returned 1 Thread: id = 146 os_tid = 0xfcc [0090.941] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*", lpFindFileData=0x968fd28 | out: lpFindFileData=0x968fd28) returned 0x5c8f50 [0090.941] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.941] FindNextFileW (in: hFindFile=0x5c8f50, lpFindFileData=0x968fd28 | out: lpFindFileData=0x968fd28) returned 1 [0090.941] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.941] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.941] FindNextFileW (in: hFindFile=0x5c8f50, lpFindFileData=0x968fd28 | out: lpFindFileData=0x968fd28) returned 1 [0092.824] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" [0092.824] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned 75 [0092.824] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\How To Restore Files.hta" [0092.824] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\How To Restore Files.hta" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\how to restore files.hta")) returned 0xffffffff [0092.824] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\How To Restore Files.hta" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x590 [0092.827] WriteFile (in: hFile=0x590, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x968fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x968fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0092.836] CloseHandle (hObject=0x590) returned 1 [0092.836] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0092.837] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="state.rsm") returned -1 [0092.837] lstrlenW (lpString="state.rsm") returned 9 [0092.837] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" [0092.837] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned 75 [0092.837] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", lpString2="state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" [0092.837] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" [0092.837] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm id-Br3n0G72wUb8CejT.LyaS" [0092.837] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm id-br3n0g72wub8cejt.lyas")) returned 1 [0092.841] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x590 [0092.842] CreateFileMappingA (hFile=0x590, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x594 [0092.842] CryptAcquireContextA (in: phProv=0x968fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x968fce4*=0x1083d498) returned 1 [0092.842] CryptGenKey (in: hProv=0x1083d498, Algid=0x6610, dwFlags=0x1, phKey=0x968fce0 | out: phKey=0x968fce0*=0x2c9e888) returned 1 [0092.842] CryptExportKey (in: hKey=0x2c9e888, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x968fbdc, pdwDataLen=0x968fcdc | out: pbData=0x968fbdc*, pdwDataLen=0x968fcdc*=0x2c) returned 1 [0092.842] MapViewOfFile (hFileMappingObject=0x594, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x280) returned 0x6640000 [0092.875] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x968fbdc*, pdwDataLen=0x968fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x968fbdc*, pdwDataLen=0x968fcf0*=0x100) returned 1 [0092.876] CryptEncrypt (in: hKey=0x2c9e888, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x6640000*, pdwDataLen=0x968fcdc*=0x280, dwBufLen=0x280 | out: pbData=0x6640000*, pdwDataLen=0x968fcdc*=0x280) returned 1 [0092.876] UnmapViewOfFile (lpBaseAddress=0x6640000) returned 1 [0092.876] CloseHandle (hObject=0x594) returned 1 [0092.876] CryptDestroyKey (hKey=0x2c9e888) returned 1 [0092.876] CryptReleaseContext (hProv=0x1083d498, dwFlags=0x0) returned 1 [0092.876] SetFilePointerEx (in: hFile=0x590, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.876] WriteFile (in: hFile=0x590, lpBuffer=0x968fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x968fcf0, lpOverlapped=0x0 | out: lpBuffer=0x968fbdc*, lpNumberOfBytesWritten=0x968fcf0*=0x100, lpOverlapped=0x0) returned 1 [0092.877] WriteFile (in: hFile=0x590, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x968fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x968fcf0*=0x500, lpOverlapped=0x0) returned 1 [0092.877] CloseHandle (hObject=0x590) returned 1 [0092.976] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0092.977] FindNextFileW (in: hFindFile=0x5c8f50, lpFindFileData=0x968fd28 | out: lpFindFileData=0x968fd28) returned 1 [0092.977] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" [0092.977] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned 75 [0092.977] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\How To Restore Files.hta" [0092.977] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\How To Restore Files.hta" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\how to restore files.hta")) returned 0x1 [0092.977] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="vcredist_x86.exe") returned -1 [0092.977] lstrlenW (lpString="vcredist_x86.exe") returned 16 [0092.977] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" [0092.977] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned 75 [0092.977] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", lpString2="vcredist_x86.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" [0092.977] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" [0092.977] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe id-Br3n0G72wUb8CejT.LyaS" [0092.977] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0092.978] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x590 [0092.978] CreateFileMappingA (hFile=0x590, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x584 [0092.978] CryptAcquireContextA (in: phProv=0x968fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x968fce4*=0x1083d410) returned 1 [0092.979] CryptGenKey (in: hProv=0x1083d410, Algid=0x6610, dwFlags=0x1, phKey=0x968fce0 | out: phKey=0x968fce0*=0x2c9e3c8) returned 1 [0092.979] CryptExportKey (in: hKey=0x2c9e3c8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x968fbdc, pdwDataLen=0x968fcdc | out: pbData=0x968fbdc*, pdwDataLen=0x968fcdc*=0x2c) returned 1 [0092.979] MapViewOfFile (hFileMappingObject=0x584, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6f420) returned 0x1e1f0000 [0093.047] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x968fbdc*, pdwDataLen=0x968fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x968fbdc*, pdwDataLen=0x968fcf0*=0x100) returned 1 [0093.048] CryptEncrypt (in: hKey=0x2c9e3c8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x1e1f0000, pdwDataLen=0x968fcdc*=0x6f420, dwBufLen=0x6f420 | out: pbData=0x1e1f0000*, pdwDataLen=0x968fcdc*=0x6f420) returned 1 [0096.011] UnmapViewOfFile (lpBaseAddress=0x1e1f0000) returned 1 [0096.016] CloseHandle (hObject=0x584) returned 1 [0096.016] CryptDestroyKey (hKey=0x2c9e3c8) returned 1 [0096.016] CryptReleaseContext (hProv=0x1083d410, dwFlags=0x0) returned 1 [0096.016] SetFilePointerEx (in: hFile=0x590, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.016] WriteFile (in: hFile=0x590, lpBuffer=0x968fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x968fcf0, lpOverlapped=0x0 | out: lpBuffer=0x968fbdc*, lpNumberOfBytesWritten=0x968fcf0*=0x100, lpOverlapped=0x0) returned 1 [0096.017] WriteFile (in: hFile=0x590, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x968fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x968fcf0*=0x500, lpOverlapped=0x0) returned 1 [0096.017] CloseHandle (hObject=0x590) returned 1 [0096.035] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0100.996] FindNextFileW (in: hFindFile=0x5c8f50, lpFindFileData=0x968fd28 | out: lpFindFileData=0x968fd28) returned 0 [0100.996] FindClose (in: hFindFile=0x5c8f50 | out: hFindFile=0x5c8f50) returned 1 Thread: id = 147 os_tid = 0xecc [0090.945] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*", lpFindFileData=0x97cfd28 | out: lpFindFileData=0x97cfd28) returned 0x2c9e7c8 [0092.817] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.817] FindNextFileW (in: hFindFile=0x2c9e7c8, lpFindFileData=0x97cfd28 | out: lpFindFileData=0x97cfd28) returned 1 [0092.817] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.817] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.818] FindNextFileW (in: hFindFile=0x2c9e7c8, lpFindFileData=0x97cfd28 | out: lpFindFileData=0x97cfd28) returned 1 [0092.818] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0092.818] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0092.818] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0092.818] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*" [0092.818] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*") returned 86 [0092.818] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages" [0092.818] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*" [0092.818] GlobalMemoryStatus (in: lpBuffer=0x97cfd08 | out: lpBuffer=0x97cfd08) [0092.818] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10f0e4c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x588 [0092.976] CloseHandle (hObject=0x588) returned 1 [0092.976] FindNextFileW (in: hFindFile=0x2c9e7c8, lpFindFileData=0x97cfd28 | out: lpFindFileData=0x97cfd28) returned 0 [0092.976] FindClose (in: hFindFile=0x2c9e7c8 | out: hFindFile=0x2c9e7c8) returned 1 Thread: id = 148 os_tid = 0x56c [0090.945] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*", lpFindFileData=0x990fd28 | out: lpFindFileData=0x990fd28) returned 0x5c8f90 [0090.947] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.947] FindNextFileW (in: hFindFile=0x5c8f90, lpFindFileData=0x990fd28 | out: lpFindFileData=0x990fd28) returned 1 [0090.947] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.947] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.947] FindNextFileW (in: hFindFile=0x5c8f90, lpFindFileData=0x990fd28 | out: lpFindFileData=0x990fd28) returned 1 [0092.578] lstrcpyW (in: lpString1=0x89303f8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" [0092.578] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned 75 [0092.578] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\How To Restore Files.hta" [0092.579] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\How To Restore Files.hta" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\how to restore files.hta")) returned 0xffffffff [0092.579] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\How To Restore Files.hta" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0092.584] WriteFile (in: hFile=0x39c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x990fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x990fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0092.585] CloseHandle (hObject=0x39c) returned 1 [0092.585] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0092.586] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="state.rsm") returned -1 [0092.586] lstrlenW (lpString="state.rsm") returned 9 [0092.586] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" [0092.586] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned 75 [0092.586] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\", lpString2="state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" [0092.586] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" [0092.586] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm id-Br3n0G72wUb8CejT.LyaS" [0092.586] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm id-br3n0g72wub8cejt.lyas")) returned 1 [0092.689] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x574 [0092.689] CreateFileMappingA (hFile=0x574, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x578 [0092.689] CryptAcquireContextA (in: phProv=0x990fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x990fce4*=0x1083d498) returned 1 [0092.690] CryptGenKey (in: hProv=0x1083d498, Algid=0x6610, dwFlags=0x1, phKey=0x990fce0 | out: phKey=0x990fce0*=0x5c9110) returned 1 [0092.690] CryptExportKey (in: hKey=0x5c9110, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x990fbdc, pdwDataLen=0x990fcdc | out: pbData=0x990fbdc*, pdwDataLen=0x990fcdc*=0x2c) returned 1 [0092.690] MapViewOfFile (hFileMappingObject=0x578, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x280) returned 0x6640000 [0092.697] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x990fbdc*, pdwDataLen=0x990fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x990fbdc*, pdwDataLen=0x990fcf0*=0x100) returned 1 [0092.697] CryptEncrypt (in: hKey=0x5c9110, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x6640000*, pdwDataLen=0x990fcdc*=0x280, dwBufLen=0x280 | out: pbData=0x6640000*, pdwDataLen=0x990fcdc*=0x280) returned 1 [0092.697] UnmapViewOfFile (lpBaseAddress=0x6640000) returned 1 [0092.697] CloseHandle (hObject=0x578) returned 1 [0092.697] CryptDestroyKey (hKey=0x5c9110) returned 1 [0092.697] CryptReleaseContext (hProv=0x1083d498, dwFlags=0x0) returned 1 [0092.697] SetFilePointerEx (in: hFile=0x574, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.697] WriteFile (in: hFile=0x574, lpBuffer=0x990fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x990fcf0, lpOverlapped=0x0 | out: lpBuffer=0x990fbdc*, lpNumberOfBytesWritten=0x990fcf0*=0x100, lpOverlapped=0x0) returned 1 [0092.698] WriteFile (in: hFile=0x574, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x990fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x990fcf0*=0x500, lpOverlapped=0x0) returned 1 [0092.698] CloseHandle (hObject=0x574) returned 1 [0092.701] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0092.702] FindNextFileW (in: hFindFile=0x5c8f90, lpFindFileData=0x990fd28 | out: lpFindFileData=0x990fd28) returned 1 [0092.702] lstrcpyW (in: lpString1=0x89283f0, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" [0092.704] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned 75 [0092.704] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\How To Restore Files.hta" [0092.704] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\How To Restore Files.hta" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\how to restore files.hta")) returned 0x1 [0092.705] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="vcredist_x64.exe") returned -1 [0092.705] lstrlenW (lpString="vcredist_x64.exe") returned 16 [0092.705] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" [0092.705] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned 75 [0092.705] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\", lpString2="vcredist_x64.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" [0092.705] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" [0092.705] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe id-Br3n0G72wUb8CejT.LyaS" [0092.705] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0092.706] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x574 [0092.706] CreateFileMappingA (hFile=0x574, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x578 [0092.706] CryptAcquireContextA (in: phProv=0x990fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x990fce4*=0x1083cb90) returned 1 [0092.707] CryptGenKey (in: hProv=0x1083cb90, Algid=0x6610, dwFlags=0x1, phKey=0x990fce0 | out: phKey=0x990fce0*=0x5c9110) returned 1 [0092.707] CryptExportKey (in: hKey=0x5c9110, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x990fbdc, pdwDataLen=0x990fcdc | out: pbData=0x990fbdc*, pdwDataLen=0x990fcdc*=0x2c) returned 1 [0092.707] MapViewOfFile (hFileMappingObject=0x578, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x710a0) returned 0x1de60000 [0093.440] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x990fbdc*, pdwDataLen=0x990fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x990fbdc*, pdwDataLen=0x990fcf0*=0x100) returned 1 [0093.441] CryptEncrypt (in: hKey=0x5c9110, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x1de60000, pdwDataLen=0x990fcdc*=0x710a0, dwBufLen=0x710a0 | out: pbData=0x1de60000*, pdwDataLen=0x990fcdc*=0x710a0) returned 1 [0096.484] UnmapViewOfFile (lpBaseAddress=0x1de60000) returned 1 [0096.489] CloseHandle (hObject=0x578) returned 1 [0096.490] CryptDestroyKey (hKey=0x5c9110) returned 1 [0096.490] CryptReleaseContext (hProv=0x1083cb90, dwFlags=0x0) returned 1 [0096.490] SetFilePointerEx (in: hFile=0x574, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.490] WriteFile (in: hFile=0x574, lpBuffer=0x990fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x990fcf0, lpOverlapped=0x0 | out: lpBuffer=0x990fbdc*, lpNumberOfBytesWritten=0x990fcf0*=0x100, lpOverlapped=0x0) returned 1 [0096.503] WriteFile (in: hFile=0x574, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x990fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x990fcf0*=0x500, lpOverlapped=0x0) returned 1 [0096.503] CloseHandle (hObject=0x574) returned 1 [0096.604] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0101.011] FindNextFileW (in: hFindFile=0x5c8f90, lpFindFileData=0x990fd28 | out: lpFindFileData=0x990fd28) returned 0 [0101.011] FindClose (in: hFindFile=0x5c8f90 | out: hFindFile=0x5c8f90) returned 1 Thread: id = 149 os_tid = 0xd90 [0090.947] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*", lpFindFileData=0x9a4fd28 | out: lpFindFileData=0x9a4fd28) returned 0x5c8fd0 [0090.947] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.947] FindNextFileW (in: hFindFile=0x5c8fd0, lpFindFileData=0x9a4fd28 | out: lpFindFileData=0x9a4fd28) returned 1 [0090.947] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.947] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.947] FindNextFileW (in: hFindFile=0x5c8fd0, lpFindFileData=0x9a4fd28 | out: lpFindFileData=0x9a4fd28) returned 1 [0092.577] lstrcpyW (in: lpString1=0x89283f0, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*" [0092.577] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*") returned 75 [0092.577] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\How To Restore Files.hta" [0092.577] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\How To Restore Files.hta" (normalized: "c:\\programdata\\package cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\how to restore files.hta")) returned 0xffffffff [0092.577] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\How To Restore Files.hta" (normalized: "c:\\programdata\\package cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0092.580] WriteFile (in: hFile=0x39c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x9a4fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x9a4fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0092.581] CloseHandle (hObject=0x39c) returned 1 [0092.582] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0092.582] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="state.rsm") returned -1 [0092.582] lstrlenW (lpString="state.rsm") returned 9 [0092.582] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*" [0092.582] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*") returned 75 [0092.582] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\", lpString2="state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\state.rsm" [0092.582] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\state.rsm" [0092.582] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\state.rsm", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\state.rsm id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\state.rsm id-Br3n0G72wUb8CejT.LyaS" [0092.582] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\state.rsm id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\state.rsm id-br3n0g72wub8cejt.lyas")) returned 1 [0092.587] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\state.rsm id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\state.rsm id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0092.588] CreateFileMappingA (hFile=0x39c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x570 [0092.588] CryptAcquireContextA (in: phProv=0x9a4fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x9a4fce4*=0x1083d410) returned 1 [0092.588] CryptGenKey (in: hProv=0x1083d410, Algid=0x6610, dwFlags=0x1, phKey=0x9a4fce0 | out: phKey=0x9a4fce0*=0x5c9050) returned 1 [0092.588] CryptExportKey (in: hKey=0x5c9050, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x9a4fbdc, pdwDataLen=0x9a4fcdc | out: pbData=0x9a4fbdc*, pdwDataLen=0x9a4fcdc*=0x2c) returned 1 [0092.588] MapViewOfFile (hFileMappingObject=0x570, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2e0) returned 0x6630000 [0092.938] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x9a4fbdc*, pdwDataLen=0x9a4fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x9a4fbdc*, pdwDataLen=0x9a4fcf0*=0x100) returned 1 [0092.938] CryptEncrypt (in: hKey=0x5c9050, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x6630000*, pdwDataLen=0x9a4fcdc*=0x2e0, dwBufLen=0x2e0 | out: pbData=0x6630000*, pdwDataLen=0x9a4fcdc*=0x2e0) returned 1 [0092.939] UnmapViewOfFile (lpBaseAddress=0x6630000) returned 1 [0092.939] CloseHandle (hObject=0x570) returned 1 [0092.939] CryptDestroyKey (hKey=0x5c9050) returned 1 [0092.939] CryptReleaseContext (hProv=0x1083d410, dwFlags=0x0) returned 1 [0092.939] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.939] WriteFile (in: hFile=0x39c, lpBuffer=0x9a4fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x9a4fcf0, lpOverlapped=0x0 | out: lpBuffer=0x9a4fbdc*, lpNumberOfBytesWritten=0x9a4fcf0*=0x100, lpOverlapped=0x0) returned 1 [0092.940] WriteFile (in: hFile=0x39c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x9a4fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x9a4fcf0*=0x500, lpOverlapped=0x0) returned 1 [0092.940] CloseHandle (hObject=0x39c) returned 1 [0092.967] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\state.rsm id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0092.967] FindNextFileW (in: hFindFile=0x5c8fd0, lpFindFileData=0x9a4fd28 | out: lpFindFileData=0x9a4fd28) returned 1 [0092.967] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*" [0092.967] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*") returned 75 [0092.967] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\How To Restore Files.hta" [0092.968] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\How To Restore Files.hta" (normalized: "c:\\programdata\\package cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\how to restore files.hta")) returned 0x1 [0092.968] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="VC_redist.x86.exe") returned -1 [0092.968] lstrlenW (lpString="VC_redist.x86.exe") returned 17 [0092.968] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*" [0092.968] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*") returned 75 [0092.968] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\", lpString2="VC_redist.x86.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\VC_redist.x86.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\VC_redist.x86.exe" [0092.968] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\VC_redist.x86.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\VC_redist.x86.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\VC_redist.x86.exe" [0092.968] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\VC_redist.x86.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\VC_redist.x86.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\VC_redist.x86.exe id-Br3n0G72wUb8CejT.LyaS" [0092.968] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\VC_redist.x86.exe" (normalized: "c:\\programdata\\package cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\vc_redist.x86.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\VC_redist.x86.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\vc_redist.x86.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0092.969] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\VC_redist.x86.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\vc_redist.x86.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0092.969] CreateFileMappingA (hFile=0x39c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x570 [0092.969] CryptAcquireContextA (in: phProv=0x9a4fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x9a4fce4*=0x1083d8d8) returned 1 [0092.970] CryptGenKey (in: hProv=0x1083d8d8, Algid=0x6610, dwFlags=0x1, phKey=0x9a4fce0 | out: phKey=0x9a4fce0*=0x2c9e588) returned 1 [0092.970] CryptExportKey (in: hKey=0x2c9e588, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x9a4fbdc, pdwDataLen=0x9a4fcdc | out: pbData=0x9a4fbdc*, pdwDataLen=0x9a4fcdc*=0x2c) returned 1 [0092.970] MapViewOfFile (hFileMappingObject=0x570, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x817e0) returned 0x1e160000 [0093.444] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x9a4fbdc*, pdwDataLen=0x9a4fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x9a4fbdc*, pdwDataLen=0x9a4fcf0*=0x100) returned 1 [0093.444] CryptEncrypt (in: hKey=0x2c9e588, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x1e160000, pdwDataLen=0x9a4fcdc*=0x817e0, dwBufLen=0x817e0 | out: pbData=0x1e160000*, pdwDataLen=0x9a4fcdc*=0x817e0) returned 1 [0098.926] UnmapViewOfFile (lpBaseAddress=0x1e160000) returned 1 [0098.933] CloseHandle (hObject=0x570) returned 1 [0098.933] CryptDestroyKey (hKey=0x2c9e588) returned 1 [0098.933] CryptReleaseContext (hProv=0x1083d8d8, dwFlags=0x0) returned 1 [0098.933] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.933] WriteFile (hFile=0x39c, lpBuffer=0x9a4fbdc, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x9a4fcf0, lpOverlapped=0x0) Thread: id = 150 os_tid = 0xf88 [0090.949] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*", lpFindFileData=0x9b8fd28 | out: lpFindFileData=0x9b8fd28) returned 0x108058c8 [0092.575] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.575] FindNextFileW (in: hFindFile=0x108058c8, lpFindFileData=0x9b8fd28 | out: lpFindFileData=0x9b8fd28) returned 1 [0092.575] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.575] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.575] FindNextFileW (in: hFindFile=0x108058c8, lpFindFileData=0x9b8fd28 | out: lpFindFileData=0x9b8fd28) returned 1 [0092.575] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0092.575] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0092.575] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0092.575] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*" [0092.575] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*") returned 87 [0092.575] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages" [0092.575] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*" [0092.575] GlobalMemoryStatus (in: lpBuffer=0x9b8fd08 | out: lpBuffer=0x9b8fd08) [0092.575] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8940458, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x570 [0092.576] CloseHandle (hObject=0x570) returned 1 [0092.576] FindNextFileW (in: hFindFile=0x108058c8, lpFindFileData=0x9b8fd28 | out: lpFindFileData=0x9b8fd28) returned 0 [0092.576] FindClose (in: hFindFile=0x108058c8 | out: hFindFile=0x108058c8) returned 1 Thread: id = 151 os_tid = 0xfc4 [0090.949] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*", lpFindFileData=0x9ccfd28 | out: lpFindFileData=0x9ccfd28) returned 0x108058c8 [0092.573] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.573] FindNextFileW (in: hFindFile=0x108058c8, lpFindFileData=0x9ccfd28 | out: lpFindFileData=0x9ccfd28) returned 1 [0092.573] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.573] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.573] FindNextFileW (in: hFindFile=0x108058c8, lpFindFileData=0x9ccfd28 | out: lpFindFileData=0x9ccfd28) returned 1 [0092.573] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0092.573] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0092.573] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0092.573] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*" [0092.573] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*") returned 86 [0092.573] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages" [0092.573] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*" [0092.573] GlobalMemoryStatus (in: lpBuffer=0x9ccfd08 | out: lpBuffer=0x9ccfd08) [0092.573] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x89584c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x570 [0092.574] CloseHandle (hObject=0x570) returned 1 [0092.574] FindNextFileW (in: hFindFile=0x108058c8, lpFindFileData=0x9ccfd28 | out: lpFindFileData=0x9ccfd28) returned 0 [0092.574] FindClose (in: hFindFile=0x108058c8 | out: hFindFile=0x108058c8) returned 1 Thread: id = 152 os_tid = 0xb74 [0090.949] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\\*.*", lpFindFileData=0x9e0fd28 | out: lpFindFileData=0x9e0fd28) returned 0x108058c8 [0092.571] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.571] FindNextFileW (in: hFindFile=0x108058c8, lpFindFileData=0x9e0fd28 | out: lpFindFileData=0x9e0fd28) returned 1 [0092.571] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.571] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.571] FindNextFileW (in: hFindFile=0x108058c8, lpFindFileData=0x9e0fd28 | out: lpFindFileData=0x9e0fd28) returned 1 [0092.571] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0092.571] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0092.571] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0092.571] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\\*.*" [0092.571] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\\*.*") returned 86 [0092.571] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\\packages" [0092.571] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\\packages\\*.*" [0092.571] GlobalMemoryStatus (in: lpBuffer=0x9e0fd08 | out: lpBuffer=0x9e0fd08) [0092.571] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8970528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x570 [0092.572] CloseHandle (hObject=0x570) returned 1 [0092.572] FindNextFileW (in: hFindFile=0x108058c8, lpFindFileData=0x9e0fd28 | out: lpFindFileData=0x9e0fd28) returned 0 [0092.572] FindClose (in: hFindFile=0x108058c8 | out: hFindFile=0x108058c8) returned 1 Thread: id = 153 os_tid = 0x5e4 [0090.950] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*", lpFindFileData=0x9f4fd28 | out: lpFindFileData=0x9f4fd28) returned 0x108058c8 [0092.569] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.569] FindNextFileW (in: hFindFile=0x108058c8, lpFindFileData=0x9f4fd28 | out: lpFindFileData=0x9f4fd28) returned 1 [0092.569] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.569] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.569] FindNextFileW (in: hFindFile=0x108058c8, lpFindFileData=0x9f4fd28 | out: lpFindFileData=0x9f4fd28) returned 1 [0092.569] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0092.569] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0092.569] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0092.569] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*" [0092.569] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*") returned 86 [0092.569] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages" [0092.569] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*" [0092.569] GlobalMemoryStatus (in: lpBuffer=0x9f4fd08 | out: lpBuffer=0x9f4fd08) [0092.569] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8988590, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x570 [0092.570] CloseHandle (hObject=0x570) returned 1 [0092.570] FindNextFileW (in: hFindFile=0x108058c8, lpFindFileData=0x9f4fd28 | out: lpFindFileData=0x9f4fd28) returned 0 [0092.570] FindClose (in: hFindFile=0x108058c8 | out: hFindFile=0x108058c8) returned 1 Thread: id = 154 os_tid = 0x580 [0090.950] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*", lpFindFileData=0xa08fd28 | out: lpFindFileData=0xa08fd28) returned 0x108058c8 [0092.566] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.566] FindNextFileW (in: hFindFile=0x108058c8, lpFindFileData=0xa08fd28 | out: lpFindFileData=0xa08fd28) returned 1 [0092.566] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.567] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.567] FindNextFileW (in: hFindFile=0x108058c8, lpFindFileData=0xa08fd28 | out: lpFindFileData=0xa08fd28) returned 1 [0092.567] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0092.567] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0092.567] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0092.567] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*" [0092.567] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*") returned 86 [0092.567] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages" [0092.567] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*" [0092.567] GlobalMemoryStatus (in: lpBuffer=0xa08fd08 | out: lpBuffer=0xa08fd08) [0092.567] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8898180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x570 [0092.568] CloseHandle (hObject=0x570) returned 1 [0092.568] FindNextFileW (in: hFindFile=0x108058c8, lpFindFileData=0xa08fd28 | out: lpFindFileData=0xa08fd28) returned 0 [0092.568] FindClose (in: hFindFile=0x108058c8 | out: hFindFile=0x108058c8) returned 1 Thread: id = 155 os_tid = 0x578 [0090.950] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*", lpFindFileData=0xa1cfd28 | out: lpFindFileData=0xa1cfd28) returned 0x5c9050 [0090.950] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.950] FindNextFileW (in: hFindFile=0x5c9050, lpFindFileData=0xa1cfd28 | out: lpFindFileData=0xa1cfd28) returned 1 [0090.950] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.950] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.950] FindNextFileW (in: hFindFile=0x5c9050, lpFindFileData=0xa1cfd28 | out: lpFindFileData=0xa1cfd28) returned 1 [0092.563] lstrcpyW (in: lpString1=0x89b8660, lpString2="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*" [0092.563] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*") returned 54 [0092.563] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\How To Restore Files.hta" [0092.563] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\how to restore files.hta")) returned 0x1 [0092.563] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="How To Restore Files.hta") returned 0 [0092.563] FindNextFileW (in: hFindFile=0x5c9050, lpFindFileData=0xa1cfd28 | out: lpFindFileData=0xa1cfd28) returned 1 [0092.563] lstrcpyW (in: lpString1=0x89b8660, lpString2="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*" [0092.563] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*") returned 54 [0092.563] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\How To Restore Files.hta" [0092.563] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\how to restore files.hta")) returned 0x1 [0092.563] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag id-Br3n0G72wUb8CejT.LyaS") returned -1 [0092.563] lstrlenW (lpString="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag id-Br3n0G72wUb8CejT.LyaS") returned 107 [0092.563] lstrcmpiW (lpString1=".LyaS", lpString2=".LyaS") returned 0 [0092.563] FindNextFileW (in: hFindFile=0x5c9050, lpFindFileData=0xa1cfd28 | out: lpFindFileData=0xa1cfd28) returned 1 [0092.563] lstrcpyW (in: lpString1=0x89b8660, lpString2="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*" [0092.564] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*") returned 54 [0092.564] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\How To Restore Files.hta" [0092.564] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\how to restore files.hta")) returned 0x1 [0092.564] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag id-Br3n0G72wUb8CejT.LyaS") returned -1 [0092.564] lstrlenW (lpString="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag id-Br3n0G72wUb8CejT.LyaS") returned 103 [0092.564] lstrcmpiW (lpString1=".LyaS", lpString2=".LyaS") returned 0 [0092.564] FindNextFileW (in: hFindFile=0x5c9050, lpFindFileData=0xa1cfd28 | out: lpFindFileData=0xa1cfd28) returned 1 [0092.564] lstrcpyW (in: lpString1=0x89b8660, lpString2="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*" [0092.564] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*") returned 54 [0092.564] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\How To Restore Files.hta" [0092.564] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\how to restore files.hta")) returned 0x1 [0092.564] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag id-Br3n0G72wUb8CejT.LyaS") returned -1 [0092.564] lstrlenW (lpString="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag id-Br3n0G72wUb8CejT.LyaS") returned 106 [0092.564] lstrcmpiW (lpString1=".LyaS", lpString2=".LyaS") returned 0 [0092.564] FindNextFileW (in: hFindFile=0x5c9050, lpFindFileData=0xa1cfd28 | out: lpFindFileData=0xa1cfd28) returned 1 [0092.564] lstrcpyW (in: lpString1=0x89b8660, lpString2="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*" [0092.564] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*") returned 54 [0092.564] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\How To Restore Files.hta" [0092.564] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\how to restore files.hta")) returned 0x1 [0092.564] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag") returned -1 [0092.564] lstrlenW (lpString="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag") returned 50 [0092.564] lstrcmpiW (lpString1=".LyaS", lpString2="idtag") returned -1 [0092.564] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*" [0092.565] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*") returned 54 [0092.565] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\", lpString2="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag" | out: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag") returned="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag" [0092.565] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag" | out: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag") returned="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag" [0092.565] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag id-Br3n0G72wUb8CejT.LyaS" [0092.565] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_windows-10-pro.swidtag"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_windows-10-pro.swidtag id-br3n0g72wub8cejt.lyas")) returned 0 [0092.565] FindNextFileW (in: hFindFile=0x5c9050, lpFindFileData=0xa1cfd28 | out: lpFindFileData=0xa1cfd28) returned 0 [0092.565] FindClose (in: hFindFile=0x5c9050 | out: hFindFile=0x5c9050) returned 1 Thread: id = 156 os_tid = 0x5cc [0090.950] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Deleted\\*.*", lpFindFileData=0xa30fd28 | out: lpFindFileData=0xa30fd28) returned 0x5c9090 [0090.951] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.951] FindNextFileW (in: hFindFile=0x5c9090, lpFindFileData=0xa30fd28 | out: lpFindFileData=0xa30fd28) returned 1 [0090.951] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.951] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.951] FindNextFileW (in: hFindFile=0x5c9090, lpFindFileData=0xa30fd28 | out: lpFindFileData=0xa30fd28) returned 0 [0090.951] FindClose (in: hFindFile=0x5c9090 | out: hFindFile=0x5c9090) returned 1 Thread: id = 157 os_tid = 0x5d8 [0090.952] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_10.0.0.0_x64__8wekyb3d8bbwe\\*.*", lpFindFileData=0xa44fd28 | out: lpFindFileData=0xa44fd28) returned 0x10805488 [0092.558] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.558] FindNextFileW (in: hFindFile=0x10805488, lpFindFileData=0xa44fd28 | out: lpFindFileData=0xa44fd28) returned 1 [0092.558] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.558] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.558] FindNextFileW (in: hFindFile=0x10805488, lpFindFileData=0xa44fd28 | out: lpFindFileData=0xa44fd28) returned 1 [0092.559] lstrcpyW (in: lpString1=0x8bf0fc8, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_10.0.0.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_10.0.0.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_10.0.0.0_x64__8wekyb3d8bbwe\\*.*" [0092.559] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_10.0.0.0_x64__8wekyb3d8bbwe\\*.*") returned 84 [0092.559] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_10.0.0.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_10.0.0.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_10.0.0.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0092.559] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_10.0.0.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.3dbuilder_10.0.0.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0092.559] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_10.0.0.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.3dbuilder_10.0.0.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.349] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xa44fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xa44fcf0, lpOverlapped=0x0) returned 0 [0094.349] CloseHandle (hObject=0xffffffff) returned 1 [0094.349] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_10.0.0.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 Thread: id = 158 os_tid = 0xb90 [0091.178] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*", lpFindFileData=0xa58fd28 | out: lpFindFileData=0xa58fd28) returned 0x2c9e4c8 [0093.225] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.225] FindNextFileW (in: hFindFile=0x2c9e4c8, lpFindFileData=0xa58fd28 | out: lpFindFileData=0xa58fd28) returned 1 [0093.225] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.226] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.226] FindNextFileW (in: hFindFile=0x2c9e4c8, lpFindFileData=0xa58fd28 | out: lpFindFileData=0xa58fd28) returned 1 [0094.179] lstrcpyW (in: lpString1=0x3f28858, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*" [0094.179] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 96 [0094.179] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0094.179] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.3dbuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0094.179] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.3dbuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.363] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xa58fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xa58fcf0, lpOverlapped=0x0) returned 0 [0094.363] CloseHandle (hObject=0xffffffff) returned 1 [0094.363] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.738] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.738] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.739] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.739] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 96 [0095.739] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.739] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.739] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.739] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.3dbuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.3dbuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0096.377] FindNextFileW (in: hFindFile=0x2c9e4c8, lpFindFileData=0xa58fd28 | out: lpFindFileData=0xa58fd28) returned 1 [0096.377] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0096.377] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0096.377] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 [0097.129] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.129] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 96 [0097.129] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxMetadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata" [0097.129] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0097.129] GlobalMemoryStatus (in: lpBuffer=0xa58fd08 | out: lpBuffer=0xa58fd08) [0097.129] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x108789d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4fc [0097.130] CloseHandle (hObject=0x4fc) returned 1 [0097.130] FindNextFileW (in: hFindFile=0x2c9e4c8, lpFindFileData=0xa58fd28 | out: lpFindFileData=0xa58fd28) returned 1 [0097.130] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.130] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 96 [0097.130] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0097.130] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.3dbuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.130] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.3dbuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.131] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xa58fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xa58fcf0, lpOverlapped=0x0) returned 0 [0097.131] CloseHandle (hObject=0xffffffff) returned 1 [0097.131] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.131] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxSignature.p7x") returned 1 [0097.131] lstrlenW (lpString="AppxSignature.p7x") returned 17 [0097.131] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.131] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 96 [0097.131] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" [0097.132] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" [0097.132] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" [0097.132] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" (normalized: "c:\\program files\\windowsapps\\microsoft.3dbuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\appxsignature.p7x"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.3dbuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\appxsignature.p7x id-br3n0g72wub8cejt.lyas")) returned 0 [0097.959] FindNextFileW (in: hFindFile=0x2c9e4c8, lpFindFileData=0xa58fd28 | out: lpFindFileData=0xa58fd28) returned 1 [0097.959] lstrcmpW (lpString1=".", lpString2="microsoft.system.package.metadata") returned -1 [0097.959] lstrcmpW (lpString1="..", lpString2="microsoft.system.package.metadata") returned -1 [0097.959] lstrcmpiW (lpString1="windows", lpString2="microsoft.system.package.metadata") returned 1 [0097.984] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.984] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 96 [0097.984] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\", lpString2="microsoft.system.package.metadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata" [0097.984] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*" [0097.984] GlobalMemoryStatus (in: lpBuffer=0xa58fd08 | out: lpBuffer=0xa58fd08) [0097.984] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x215a1b00, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4f8 [0097.985] CloseHandle (hObject=0x4f8) returned 1 [0097.985] FindNextFileW (in: hFindFile=0x2c9e4c8, lpFindFileData=0xa58fd28 | out: lpFindFileData=0xa58fd28) returned 0 [0097.985] FindClose (in: hFindFile=0x2c9e4c8 | out: hFindFile=0x2c9e4c8) returned 1 Thread: id = 159 os_tid = 0xba4 [0091.177] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*", lpFindFileData=0xa6cfd28 | out: lpFindFileData=0xa6cfd28) returned 0x2c9e548 [0094.178] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.178] FindNextFileW (in: hFindFile=0x2c9e548, lpFindFileData=0xa6cfd28 | out: lpFindFileData=0xa6cfd28) returned 1 [0094.178] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0094.178] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.178] FindNextFileW (in: hFindFile=0x2c9e548, lpFindFileData=0xa6cfd28 | out: lpFindFileData=0xa6cfd28) returned 1 [0094.178] lstrcpyW (in: lpString1=0x3f20850, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" [0094.178] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned 90 [0094.178] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta" [0094.178] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0094.178] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.363] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xa6cfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xa6cfcf0, lpOverlapped=0x0) returned 0 [0094.363] CloseHandle (hObject=0xffffffff) returned 1 [0094.363] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.740] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.740] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.741] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" [0095.741] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned 90 [0095.741] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.741] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.741] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.741] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0096.375] FindNextFileW (in: hFindFile=0x2c9e548, lpFindFileData=0xa6cfd28 | out: lpFindFileData=0xa6cfd28) returned 1 [0097.184] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" [0097.184] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned 90 [0097.184] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.184] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.184] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.184] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xa6cfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xa6cfcf0, lpOverlapped=0x0) returned 0 [0097.184] CloseHandle (hObject=0xffffffff) returned 1 [0097.184] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.185] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxManifest.xml") returned 1 [0097.185] lstrlenW (lpString="AppxManifest.xml") returned 16 [0097.185] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" [0097.185] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned 90 [0097.185] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\", lpString2="AppxManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxManifest.xml" [0097.185] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxManifest.xml" [0097.185] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxManifest.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS" [0097.185] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxManifest.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\appxmanifest.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\appxmanifest.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0097.185] FindNextFileW (in: hFindFile=0x2c9e548, lpFindFileData=0xa6cfd28 | out: lpFindFileData=0xa6cfd28) returned 1 [0097.185] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" [0097.185] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned 90 [0097.185] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.186] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.186] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.186] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xa6cfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xa6cfcf0, lpOverlapped=0x0) returned 0 [0097.186] CloseHandle (hObject=0xffffffff) returned 1 [0097.186] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.186] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxSignature.p7x") returned 1 [0097.186] lstrlenW (lpString="AppxSignature.p7x") returned 17 [0097.186] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" [0097.186] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned 90 [0097.186] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\", lpString2="AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxSignature.p7x" [0097.186] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxSignature.p7x" [0097.187] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxSignature.p7x", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" [0097.187] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxSignature.p7x" (normalized: "c:\\program files\\windowsapps\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\appxsignature.p7x"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\appxsignature.p7x id-br3n0g72wub8cejt.lyas")) returned 0 [0098.130] FindNextFileW (in: hFindFile=0x2c9e548, lpFindFileData=0xa6cfd28 | out: lpFindFileData=0xa6cfd28) returned 1 [0098.130] lstrcmpW (lpString1=".", lpString2="css") returned -1 [0098.130] lstrcmpW (lpString1="..", lpString2="css") returned -1 [0098.130] lstrcmpiW (lpString1="windows", lpString2="css") returned 1 [0098.130] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" [0098.130] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned 90 [0098.130] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\", lpString2="css" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\css") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\css" [0098.130] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\css", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\css\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\css\\*.*" [0098.130] GlobalMemoryStatus (in: lpBuffer=0xa6cfd08 | out: lpBuffer=0xa6cfd08) [0098.130] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10ce1b60, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x480 [0098.131] CloseHandle (hObject=0x480) returned 1 [0098.131] FindNextFileW (in: hFindFile=0x2c9e548, lpFindFileData=0xa6cfd28 | out: lpFindFileData=0xa6cfd28) returned 1 [0098.131] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" [0098.131] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned 90 [0098.131] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.132] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.132] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.132] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xa6cfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xa6cfcf0, lpOverlapped=0x0) returned 0 [0098.132] CloseHandle (hObject=0xffffffff) returned 1 [0098.132] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.133] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="default.html") returned 1 [0098.133] lstrlenW (lpString="default.html") returned 12 [0098.133] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" [0098.133] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned 90 [0098.133] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\", lpString2="default.html" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\default.html") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\default.html" [0098.133] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\default.html" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\default.html") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\default.html" [0098.133] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\default.html", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\default.html id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\default.html id-Br3n0G72wUb8CejT.LyaS" [0098.133] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\default.html" (normalized: "c:\\program files\\windowsapps\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\default.html"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\default.html id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\default.html id-br3n0g72wub8cejt.lyas")) returned 0 [0098.133] FindNextFileW (in: hFindFile=0x2c9e548, lpFindFileData=0xa6cfd28 | out: lpFindFileData=0xa6cfd28) returned 1 [0098.133] lstrcmpW (lpString1=".", lpString2="images") returned -1 [0098.133] lstrcmpW (lpString1="..", lpString2="images") returned -1 [0098.133] lstrcmpiW (lpString1="windows", lpString2="images") returned 1 [0098.140] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" [0098.140] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned 90 [0098.140] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\", lpString2="images" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\images") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\images" [0098.140] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\images", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\images\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\images\\*.*" [0098.140] GlobalMemoryStatus (in: lpBuffer=0xa6cfd08 | out: lpBuffer=0xa6cfd08) [0098.140] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21661e40, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x480 [0098.141] CloseHandle (hObject=0x480) returned 1 [0098.141] FindNextFileW (in: hFindFile=0x2c9e548, lpFindFileData=0xa6cfd28 | out: lpFindFileData=0xa6cfd28) returned 1 [0098.141] lstrcmpW (lpString1=".", lpString2="js") returned -1 [0098.141] lstrcmpW (lpString1="..", lpString2="js") returned -1 [0098.141] lstrcmpiW (lpString1="windows", lpString2="js") returned 1 [0098.146] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" [0098.146] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned 90 [0098.146] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\", lpString2="js" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\js") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\js" [0098.146] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\js", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\js\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\js\\*.*" [0098.146] GlobalMemoryStatus (in: lpBuffer=0xa6cfd08 | out: lpBuffer=0xa6cfd08) [0098.146] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21679ea8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x480 [0098.147] CloseHandle (hObject=0x480) returned 1 [0098.147] FindNextFileW (in: hFindFile=0x2c9e548, lpFindFileData=0xa6cfd28 | out: lpFindFileData=0xa6cfd28) returned 1 [0098.147] lstrcmpW (lpString1=".", lpString2="microsoft.system.package.metadata") returned -1 [0098.147] lstrcmpW (lpString1="..", lpString2="microsoft.system.package.metadata") returned -1 [0098.147] lstrcmpiW (lpString1="windows", lpString2="microsoft.system.package.metadata") returned 1 [0098.152] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" [0098.153] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned 90 [0098.153] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\", lpString2="microsoft.system.package.metadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\microsoft.system.package.metadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\microsoft.system.package.metadata" [0098.153] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\microsoft.system.package.metadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*" [0098.153] GlobalMemoryStatus (in: lpBuffer=0xa6cfd08 | out: lpBuffer=0xa6cfd08) [0098.153] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21691f10, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x480 [0098.154] CloseHandle (hObject=0x480) returned 1 [0098.154] FindNextFileW (in: hFindFile=0x2c9e548, lpFindFileData=0xa6cfd28 | out: lpFindFileData=0xa6cfd28) returned 1 [0098.154] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" [0098.154] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned 90 [0098.154] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.154] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.154] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.155] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xa6cfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xa6cfcf0, lpOverlapped=0x0) returned 0 [0098.155] CloseHandle (hObject=0xffffffff) returned 1 [0098.155] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.155] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="resources.pri") returned -1 [0098.155] lstrlenW (lpString="resources.pri") returned 13 [0098.155] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*" [0098.155] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*.*") returned 90 [0098.155] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\", lpString2="resources.pri" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\resources.pri") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\resources.pri" [0098.155] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\resources.pri" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\resources.pri") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\resources.pri" [0098.155] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\resources.pri", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\resources.pri id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\resources.pri id-Br3n0G72wUb8CejT.LyaS" [0098.155] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\resources.pri" (normalized: "c:\\program files\\windowsapps\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\resources.pri"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\resources.pri id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\resources.pri id-br3n0g72wub8cejt.lyas")) returned 0 [0098.156] FindNextFileW (in: hFindFile=0x2c9e548, lpFindFileData=0xa6cfd28 | out: lpFindFileData=0xa6cfd28) returned 0 [0098.156] FindClose (in: hFindFile=0x2c9e548 | out: hFindFile=0x2c9e548) returned 1 Thread: id = 160 os_tid = 0x9b4 [0091.952] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe\\*.*", lpFindFileData=0xa80fd28 | out: lpFindFileData=0xa80fd28) returned 0x2c9ee08 [0093.440] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.440] FindNextFileW (in: hFindFile=0x2c9ee08, lpFindFileData=0xa80fd28 | out: lpFindFileData=0xa80fd28) returned 1 [0093.469] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.469] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.469] FindNextFileW (in: hFindFile=0x2c9ee08, lpFindFileData=0xa80fd28 | out: lpFindFileData=0xa80fd28) returned 1 [0093.469] lstrcpyW (in: lpString1=0x89c8670, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe\\*.*" [0093.470] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 98 [0093.470] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0093.470] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.470] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 161 os_tid = 0x8e0 [0091.952] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*", lpFindFileData=0xa94fd28 | out: lpFindFileData=0xa94fd28) returned 0x2c9f188 [0093.419] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.419] FindNextFileW (in: hFindFile=0x2c9f188, lpFindFileData=0xa94fd28 | out: lpFindFileData=0xa94fd28) returned 1 [0093.709] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.709] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.709] FindNextFileW (in: hFindFile=0x2c9f188, lpFindFileData=0xa94fd28 | out: lpFindFileData=0xa94fd28) returned 1 [0093.713] lstrcpyW (in: lpString1=0x20f88520, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" [0093.713] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 96 [0093.713] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0093.713] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.bingfinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.713] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.bingfinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0095.845] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xa94fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xa94fcf0, lpOverlapped=0x0) returned 0 [0095.845] CloseHandle (hObject=0xffffffff) returned 1 [0095.845] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.846] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.846] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.846] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.846] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 96 [0095.846] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.846] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.846] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.846] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.bingfinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.bingfinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0097.024] FindNextFileW (in: hFindFile=0x2c9f188, lpFindFileData=0xa94fd28 | out: lpFindFileData=0xa94fd28) returned 1 [0097.024] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0097.024] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0097.024] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 [0097.024] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.024] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 96 [0097.024] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxMetadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata" [0097.024] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0097.024] GlobalMemoryStatus (in: lpBuffer=0xa94fd08 | out: lpBuffer=0xa94fd08) [0097.024] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10a41000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x538 [0097.025] CloseHandle (hObject=0x538) returned 1 [0097.025] FindNextFileW (in: hFindFile=0x2c9f188, lpFindFileData=0xa94fd28 | out: lpFindFileData=0xa94fd28) returned 1 [0097.025] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.025] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 96 [0097.025] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0097.026] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.bingfinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.026] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.bingfinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.026] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xa94fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xa94fcf0, lpOverlapped=0x0) returned 0 [0097.026] CloseHandle (hObject=0xffffffff) returned 1 [0097.026] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.027] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxSignature.p7x") returned 1 [0097.027] lstrlenW (lpString="AppxSignature.p7x") returned 17 [0097.027] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.027] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 96 [0097.027] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" [0097.027] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" [0097.027] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" [0097.027] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" (normalized: "c:\\program files\\windowsapps\\microsoft.bingfinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\appxsignature.p7x"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.bingfinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\appxsignature.p7x id-br3n0g72wub8cejt.lyas")) returned 0 [0097.100] FindNextFileW (in: hFindFile=0x2c9f188, lpFindFileData=0xa94fd28 | out: lpFindFileData=0xa94fd28) returned 1 [0097.100] lstrcmpW (lpString1=".", lpString2="microsoft.system.package.metadata") returned -1 [0097.101] lstrcmpW (lpString1="..", lpString2="microsoft.system.package.metadata") returned -1 [0097.101] lstrcmpiW (lpString1="windows", lpString2="microsoft.system.package.metadata") returned 1 [0097.106] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.106] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 96 [0097.106] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\", lpString2="microsoft.system.package.metadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata" [0097.106] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*" [0097.106] GlobalMemoryStatus (in: lpBuffer=0xa94fd08 | out: lpBuffer=0xa94fd08) [0097.106] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x107888d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x524 [0097.107] CloseHandle (hObject=0x524) returned 1 [0097.107] FindNextFileW (in: hFindFile=0x2c9f188, lpFindFileData=0xa94fd28 | out: lpFindFileData=0xa94fd28) returned 0 [0097.107] FindClose (in: hFindFile=0x2c9f188 | out: hFindFile=0x2c9f188) returned 1 Thread: id = 162 os_tid = 0xb60 [0091.951] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_4.3.193.0_x86__8wekyb3d8bbwe\\*.*", lpFindFileData=0xaa8fd28 | out: lpFindFileData=0xaa8fd28) returned 0x10805048 [0091.952] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.952] FindNextFileW (in: hFindFile=0x10805048, lpFindFileData=0xaa8fd28 | out: lpFindFileData=0xaa8fd28) returned 1 [0091.952] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.952] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.952] FindNextFileW (in: hFindFile=0x10805048, lpFindFileData=0xaa8fd28 | out: lpFindFileData=0xaa8fd28) returned 1 [0091.952] lstrcpyW (in: lpString1=0x8af8bb0, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_4.3.193.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_4.3.193.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_4.3.193.0_x86__8wekyb3d8bbwe\\*.*" [0091.952] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_4.3.193.0_x86__8wekyb3d8bbwe\\*.*") returned 87 [0091.952] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_4.3.193.0_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_4.3.193.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_4.3.193.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0091.952] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_4.3.193.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.bingfinance_4.3.193.0_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0091.952] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_4.3.193.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.bingfinance_4.3.193.0_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.352] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xaa8fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xaa8fcf0, lpOverlapped=0x0) returned 0 [0094.352] CloseHandle (hObject=0xffffffff) returned 1 [0094.352] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_4.3.193.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 Thread: id = 163 os_tid = 0x9b8 [0091.951] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*", lpFindFileData=0xabcfd28 | out: lpFindFileData=0xabcfd28) returned 0x2c9f248 [0093.420] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.421] FindNextFileW (in: hFindFile=0x2c9f248, lpFindFileData=0xabcfd28 | out: lpFindFileData=0xabcfd28) returned 1 [0093.674] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.674] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.674] FindNextFileW (in: hFindFile=0x2c9f248, lpFindFileData=0xabcfd28 | out: lpFindFileData=0xabcfd28) returned 1 [0093.678] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" [0093.678] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 93 [0093.678] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0093.678] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.bingnews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.678] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.bingnews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0095.853] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xabcfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xabcfcf0, lpOverlapped=0x0) returned 0 [0095.853] CloseHandle (hObject=0xffffffff) returned 1 [0095.853] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.854] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.854] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.854] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.854] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 93 [0095.854] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.854] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.854] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.854] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.bingnews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.bingnews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0095.855] FindNextFileW (in: hFindFile=0x2c9f248, lpFindFileData=0xabcfd28 | out: lpFindFileData=0xabcfd28) returned 1 [0095.855] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0095.855] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0095.855] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 [0095.856] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.856] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 93 [0095.856] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxMetadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata" [0095.856] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0095.856] GlobalMemoryStatus (in: lpBuffer=0xabcfd08 | out: lpBuffer=0xabcfd08) [0095.856] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10b915b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5c0 [0095.857] CloseHandle (hObject=0x5c0) returned 1 [0095.857] FindNextFileW (in: hFindFile=0x2c9f248, lpFindFileData=0xabcfd28 | out: lpFindFileData=0xabcfd28) returned 1 [0095.857] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.857] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 93 [0095.857] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0095.857] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.bingnews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0095.857] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.bingnews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0095.858] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xabcfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xabcfcf0, lpOverlapped=0x0) returned 0 [0095.858] CloseHandle (hObject=0xffffffff) returned 1 [0095.858] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.858] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxSignature.p7x") returned 1 [0095.858] lstrlenW (lpString="AppxSignature.p7x") returned 17 [0095.858] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.858] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 93 [0095.858] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" [0095.858] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" [0095.859] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" [0095.859] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" (normalized: "c:\\program files\\windowsapps\\microsoft.bingnews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\appxsignature.p7x"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.bingnews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\appxsignature.p7x id-br3n0g72wub8cejt.lyas")) returned 0 [0095.866] FindNextFileW (in: hFindFile=0x2c9f248, lpFindFileData=0xabcfd28 | out: lpFindFileData=0xabcfd28) returned 1 [0095.866] lstrcmpW (lpString1=".", lpString2="microsoft.system.package.metadata") returned -1 [0095.866] lstrcmpW (lpString1="..", lpString2="microsoft.system.package.metadata") returned -1 [0095.866] lstrcmpiW (lpString1="windows", lpString2="microsoft.system.package.metadata") returned 1 [0095.866] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.867] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 93 [0095.867] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\", lpString2="microsoft.system.package.metadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata" [0095.867] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*" [0095.867] GlobalMemoryStatus (in: lpBuffer=0xabcfd08 | out: lpBuffer=0xabcfd08) [0095.867] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10c99a28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x508 [0095.868] CloseHandle (hObject=0x508) returned 1 [0095.868] FindNextFileW (in: hFindFile=0x2c9f248, lpFindFileData=0xabcfd28 | out: lpFindFileData=0xabcfd28) returned 0 [0095.868] FindClose (in: hFindFile=0x2c9f248 | out: hFindFile=0x2c9f248) returned 1 Thread: id = 164 os_tid = 0x8d4 [0091.949] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_4.3.193.0_x86__8wekyb3d8bbwe\\*.*", lpFindFileData=0xad0fd28 | out: lpFindFileData=0xad0fd28) returned 0x10804f48 [0091.950] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.950] FindNextFileW (in: hFindFile=0x10804f48, lpFindFileData=0xad0fd28 | out: lpFindFileData=0xad0fd28) returned 1 [0091.950] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.950] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.950] FindNextFileW (in: hFindFile=0x10804f48, lpFindFileData=0xad0fd28 | out: lpFindFileData=0xad0fd28) returned 1 [0091.950] lstrcpyW (in: lpString1=0x8af0ba8, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_4.3.193.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_4.3.193.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_4.3.193.0_x86__8wekyb3d8bbwe\\*.*" [0091.950] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_4.3.193.0_x86__8wekyb3d8bbwe\\*.*") returned 84 [0091.950] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_4.3.193.0_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_4.3.193.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_4.3.193.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0091.950] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_4.3.193.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.bingnews_4.3.193.0_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0091.950] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_4.3.193.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.bingnews_4.3.193.0_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.353] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xad0fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xad0fcf0, lpOverlapped=0x0) returned 0 [0094.353] CloseHandle (hObject=0xffffffff) returned 1 [0094.353] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_4.3.193.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 Thread: id = 165 os_tid = 0x958 [0091.949] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*", lpFindFileData=0xae4fd28 | out: lpFindFileData=0xae4fd28) returned 0x2c9ecc8 [0093.418] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.418] FindNextFileW (in: hFindFile=0x2c9ecc8, lpFindFileData=0xae4fd28 | out: lpFindFileData=0xae4fd28) returned 1 [0093.718] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.718] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.718] FindNextFileW (in: hFindFile=0x2c9ecc8, lpFindFileData=0xae4fd28 | out: lpFindFileData=0xae4fd28) returned 1 [0093.722] lstrcpyW (in: lpString1=0x20fb0530, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" [0093.722] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 95 [0093.722] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0093.722] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.bingsports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.722] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.bingsports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0095.843] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xae4fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xae4fcf0, lpOverlapped=0x0) returned 0 [0095.843] CloseHandle (hObject=0xffffffff) returned 1 [0095.843] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.844] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.844] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.844] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.844] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 95 [0095.844] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.844] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.844] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.844] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.bingsports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.bingsports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0095.922] FindNextFileW (in: hFindFile=0x2c9ecc8, lpFindFileData=0xae4fd28 | out: lpFindFileData=0xae4fd28) returned 1 [0095.922] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0095.922] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0095.922] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 Thread: id = 166 os_tid = 0xba8 [0091.948] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_4.3.193.0_x86__8wekyb3d8bbwe\\*.*", lpFindFileData=0xaf8fd28 | out: lpFindFileData=0xaf8fd28) returned 0x10805148 [0091.980] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.980] FindNextFileW (in: hFindFile=0x10805148, lpFindFileData=0xaf8fd28 | out: lpFindFileData=0xaf8fd28) returned 1 [0091.981] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.981] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.981] FindNextFileW (in: hFindFile=0x10805148, lpFindFileData=0xaf8fd28 | out: lpFindFileData=0xaf8fd28) returned 1 [0091.981] lstrcpyW (in: lpString1=0x10d95e48, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_4.3.193.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_4.3.193.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_4.3.193.0_x86__8wekyb3d8bbwe\\*.*" [0091.981] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_4.3.193.0_x86__8wekyb3d8bbwe\\*.*") returned 86 [0091.981] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_4.3.193.0_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_4.3.193.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_4.3.193.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0091.981] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_4.3.193.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.bingsports_4.3.193.0_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0091.981] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_4.3.193.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.bingsports_4.3.193.0_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.354] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xaf8fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xaf8fcf0, lpOverlapped=0x0) returned 0 [0094.354] CloseHandle (hObject=0xffffffff) returned 1 [0094.354] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingSports_4.3.193.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 Thread: id = 167 os_tid = 0xb70 [0091.948] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*", lpFindFileData=0xb0cfd28 | out: lpFindFileData=0xb0cfd28) returned 0x2c9ed08 [0093.420] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.420] FindNextFileW (in: hFindFile=0x2c9ed08, lpFindFileData=0xb0cfd28 | out: lpFindFileData=0xb0cfd28) returned 1 [0093.700] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.700] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.700] FindNextFileW (in: hFindFile=0x2c9ed08, lpFindFileData=0xb0cfd28 | out: lpFindFileData=0xb0cfd28) returned 1 [0093.704] lstrcpyW (in: lpString1=0x20f60510, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" [0093.704] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 96 [0093.704] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0093.704] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.bingweather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.704] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.bingweather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0095.848] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xb0cfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xb0cfcf0, lpOverlapped=0x0) returned 0 [0095.848] CloseHandle (hObject=0xffffffff) returned 1 [0095.848] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.848] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.848] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.848] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.848] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 96 [0095.848] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.848] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.848] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.848] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.bingweather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.bingweather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0095.921] FindNextFileW (in: hFindFile=0x2c9ed08, lpFindFileData=0xb0cfd28 | out: lpFindFileData=0xb0cfd28) returned 1 [0095.921] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0095.922] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0095.922] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 Thread: id = 168 os_tid = 0xbac [0091.947] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*", lpFindFileData=0xb20fd28 | out: lpFindFileData=0xb20fd28) returned 0x10804fc8 [0092.512] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.512] FindNextFileW (in: hFindFile=0x10804fc8, lpFindFileData=0xb20fd28 | out: lpFindFileData=0xb20fd28) returned 1 [0092.512] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.512] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.512] FindNextFileW (in: hFindFile=0x10804fc8, lpFindFileData=0xb20fd28 | out: lpFindFileData=0xb20fd28) returned 1 [0092.512] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0092.512] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0092.512] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0092.512] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*" [0092.513] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*") returned 86 [0092.513] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages" [0092.513] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*" [0092.513] GlobalMemoryStatus (in: lpBuffer=0xb20fd08 | out: lpBuffer=0xb20fd08) [0092.513] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8b98e80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x398 [0092.513] CloseHandle (hObject=0x398) returned 1 [0092.513] FindNextFileW (in: hFindFile=0x10804fc8, lpFindFileData=0xb20fd28 | out: lpFindFileData=0xb20fd28) returned 0 [0092.513] FindClose (in: hFindFile=0x10804fc8 | out: hFindFile=0x10804fc8) returned 1 Thread: id = 169 os_tid = 0xf6c [0091.946] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\*.*", lpFindFileData=0xb34fd28 | out: lpFindFileData=0xb34fd28) returned 0x10804f48 [0091.947] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.947] FindNextFileW (in: hFindFile=0x10804f48, lpFindFileData=0xb34fd28 | out: lpFindFileData=0xb34fd28) returned 1 [0091.947] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.947] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.947] FindNextFileW (in: hFindFile=0x10804f48, lpFindFileData=0xb34fd28 | out: lpFindFileData=0xb34fd28) returned 0 [0091.947] FindClose (in: hFindFile=0x10804f48 | out: hFindFile=0x10804f48) returned 1 Thread: id = 170 os_tid = 0xf80 [0091.946] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Start Menu\\*.*", lpFindFileData=0xb48fd28 | out: lpFindFileData=0xb48fd28) returned 0xffffffff Thread: id = 171 os_tid = 0xfc0 [0091.945] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Templates\\*.*", lpFindFileData=0xb5cfd28 | out: lpFindFileData=0xb5cfd28) returned 0xffffffff Thread: id = 172 os_tid = 0xf84 [0091.943] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\USOPrivate\\*.*", lpFindFileData=0xb70fd28 | out: lpFindFileData=0xb70fd28) returned 0x10804f48 [0091.943] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.943] FindNextFileW (in: hFindFile=0x10804f48, lpFindFileData=0xb70fd28 | out: lpFindFileData=0xb70fd28) returned 1 [0091.943] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.943] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.943] FindNextFileW (in: hFindFile=0x10804f48, lpFindFileData=0xb70fd28 | out: lpFindFileData=0xb70fd28) returned 1 [0091.943] lstrcmpW (lpString1=".", lpString2="UpdateStore") returned -1 [0091.943] lstrcmpW (lpString1="..", lpString2="UpdateStore") returned -1 [0091.943] lstrcmpiW (lpString1="windows", lpString2="UpdateStore") returned 1 [0091.943] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\USOPrivate\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\USOPrivate\\*.*") returned="\\\\?\\C:\\Users\\All Users\\USOPrivate\\*.*" [0091.943] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\USOPrivate\\*.*") returned 37 [0091.943] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\USOPrivate\\", lpString2="UpdateStore" | out: lpString1="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore") returned="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore" [0091.943] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore\\*.*") returned="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore\\*.*" [0091.943] GlobalMemoryStatus (in: lpBuffer=0xb70fd08 | out: lpBuffer=0xb70fd08) [0091.943] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8b50d48, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x488 [0091.944] CloseHandle (hObject=0x488) returned 1 [0091.944] FindNextFileW (in: hFindFile=0x10804f48, lpFindFileData=0xb70fd28 | out: lpFindFileData=0xb70fd28) returned 0 [0091.944] FindClose (in: hFindFile=0x10804f48 | out: hFindFile=0x10804f48) returned 1 Thread: id = 173 os_tid = 0xf70 [0091.938] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\USOShared\\*.*", lpFindFileData=0xb84fd28 | out: lpFindFileData=0xb84fd28) returned 0x10804f48 [0091.938] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.938] FindNextFileW (in: hFindFile=0x10804f48, lpFindFileData=0xb84fd28 | out: lpFindFileData=0xb84fd28) returned 1 [0091.938] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.938] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.938] FindNextFileW (in: hFindFile=0x10804f48, lpFindFileData=0xb84fd28 | out: lpFindFileData=0xb84fd28) returned 1 [0091.938] lstrcmpW (lpString1=".", lpString2="Logs") returned -1 [0091.938] lstrcmpW (lpString1="..", lpString2="Logs") returned -1 [0091.938] lstrcmpiW (lpString1="windows", lpString2="Logs") returned 1 [0091.941] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\USOShared\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\USOShared\\*.*") returned="\\\\?\\C:\\Users\\All Users\\USOShared\\*.*" [0091.941] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\USOShared\\*.*") returned 36 [0091.941] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\USOShared\\", lpString2="Logs" | out: lpString1="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs") returned="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs" [0091.941] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\*.*") returned="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\*.*" [0091.941] GlobalMemoryStatus (in: lpBuffer=0xb84fd08 | out: lpBuffer=0xb84fd08) [0091.941] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1129f430, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x488 [0091.942] CloseHandle (hObject=0x488) returned 1 [0091.942] FindNextFileW (in: hFindFile=0x10804f48, lpFindFileData=0xb84fd28 | out: lpFindFileData=0xb84fd28) returned 0 [0091.942] FindClose (in: hFindFile=0x10804f48 | out: hFindFile=0x10804f48) returned 1 Thread: id = 174 os_tid = 0xf68 [0091.937] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\*.*", lpFindFileData=0xb98fd28 | out: lpFindFileData=0xb98fd28) returned 0x10804f08 [0092.454] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.454] FindNextFileW (in: hFindFile=0x10804f08, lpFindFileData=0xb98fd28 | out: lpFindFileData=0xb98fd28) returned 1 [0092.455] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.455] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.455] FindNextFileW (in: hFindFile=0x10804f08, lpFindFileData=0xb98fd28 | out: lpFindFileData=0xb98fd28) returned 1 [0092.455] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0092.455] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0092.455] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0092.455] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\*.*" [0092.455] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\*.*") returned 86 [0092.455] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\packages" [0092.455] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\packages\\*.*" [0092.455] GlobalMemoryStatus (in: lpBuffer=0xb98fd08 | out: lpBuffer=0xb98fd08) [0092.456] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5cd8dc8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4ec [0092.458] CloseHandle (hObject=0x4ec) returned 1 [0092.458] FindNextFileW (in: hFindFile=0x10804f08, lpFindFileData=0xb98fd28 | out: lpFindFileData=0xb98fd28) returned 0 [0092.458] FindClose (in: hFindFile=0x10804f08 | out: hFindFile=0x10804f08) returned 1 Thread: id = 175 os_tid = 0xfb0 [0091.936] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*", lpFindFileData=0xbacfd28 | out: lpFindFileData=0xbacfd28) returned 0x10804f08 [0092.459] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.459] FindNextFileW (in: hFindFile=0x10804f08, lpFindFileData=0xbacfd28 | out: lpFindFileData=0xbacfd28) returned 1 [0092.459] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.459] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.459] FindNextFileW (in: hFindFile=0x10804f08, lpFindFileData=0xbacfd28 | out: lpFindFileData=0xbacfd28) returned 1 [0092.459] lstrcpyW (in: lpString1=0x5a88460, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" [0092.459] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned 75 [0092.459] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\How To Restore Files.hta" [0092.459] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\How To Restore Files.hta" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\how to restore files.hta")) returned 0xffffffff [0092.459] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\How To Restore Files.hta" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4ec [0092.462] WriteFile (in: hFile=0x4ec, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xbacfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xbacfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0092.463] CloseHandle (hObject=0x4ec) returned 1 [0092.463] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0092.464] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="state.rsm") returned -1 [0092.464] lstrlenW (lpString="state.rsm") returned 9 [0092.464] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" [0092.464] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned 75 [0092.464] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\", lpString2="state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" [0092.464] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" [0092.464] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm id-Br3n0G72wUb8CejT.LyaS" [0092.464] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm id-br3n0g72wub8cejt.lyas")) returned 1 [0092.466] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4ec [0092.466] CreateFileMappingA (hFile=0x4ec, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4f0 [0092.466] CryptAcquireContextA (in: phProv=0xbacfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xbacfce4*=0x1083d9e8) returned 1 [0092.467] CryptGenKey (in: hProv=0x1083d9e8, Algid=0x6610, dwFlags=0x1, phKey=0xbacfce0 | out: phKey=0xbacfce0*=0x10804b88) returned 1 [0092.467] CryptExportKey (in: hKey=0x10804b88, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xbacfbdc, pdwDataLen=0xbacfcdc | out: pbData=0xbacfbdc*, pdwDataLen=0xbacfcdc*=0x2c) returned 1 [0092.467] MapViewOfFile (hFileMappingObject=0x4f0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x280) returned 0x64e0000 [0093.398] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xbacfbdc*, pdwDataLen=0xbacfcf0*=0x40, dwBufLen=0x100 | out: pbData=0xbacfbdc*, pdwDataLen=0xbacfcf0*=0x100) returned 1 [0093.398] CryptEncrypt (in: hKey=0x10804b88, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x64e0000*, pdwDataLen=0xbacfcdc*=0x280, dwBufLen=0x280 | out: pbData=0x64e0000*, pdwDataLen=0xbacfcdc*=0x280) returned 1 [0093.815] UnmapViewOfFile (lpBaseAddress=0x64e0000) returned 1 [0093.815] CloseHandle (hObject=0x4f0) returned 1 [0093.815] CryptDestroyKey (hKey=0x10804b88) returned 1 [0093.815] CryptReleaseContext (hProv=0x1083d9e8, dwFlags=0x0) returned 1 [0093.815] SetFilePointerEx (in: hFile=0x4ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.815] WriteFile (in: hFile=0x4ec, lpBuffer=0xbacfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xbacfcf0, lpOverlapped=0x0 | out: lpBuffer=0xbacfbdc*, lpNumberOfBytesWritten=0xbacfcf0*=0x100, lpOverlapped=0x0) returned 1 [0094.555] WriteFile (in: hFile=0x4ec, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xbacfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0xbacfcf0*=0x500, lpOverlapped=0x0) returned 1 [0094.555] CloseHandle (hObject=0x4ec) returned 1 [0094.560] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0096.629] FindNextFileW (in: hFindFile=0x10804f08, lpFindFileData=0xbacfd28 | out: lpFindFileData=0xbacfd28) returned 1 [0097.005] lstrcpyW (in: lpString1=0x3df0328, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" [0097.005] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned 75 [0097.005] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\How To Restore Files.hta" [0097.005] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\How To Restore Files.hta" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\how to restore files.hta")) returned 0x1 [0097.005] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="vcredist_x64.exe") returned -1 [0097.005] lstrlenW (lpString="vcredist_x64.exe") returned 16 [0097.005] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" [0097.005] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned 75 [0097.005] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\", lpString2="vcredist_x64.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" [0097.005] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" [0097.006] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe id-Br3n0G72wUb8CejT.LyaS" [0097.006] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe id-br3n0g72wub8cejt.lyas")) Thread: id = 176 os_tid = 0xfb8 [0091.936] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*", lpFindFileData=0xbc0fd28 | out: lpFindFileData=0xbc0fd28) returned 0x10804ac8 [0092.479] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.479] FindNextFileW (in: hFindFile=0x10804ac8, lpFindFileData=0xbc0fd28 | out: lpFindFileData=0xbc0fd28) returned 1 [0092.479] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.479] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.479] FindNextFileW (in: hFindFile=0x10804ac8, lpFindFileData=0xbc0fd28 | out: lpFindFileData=0xbc0fd28) returned 1 [0092.479] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0092.479] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0092.479] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0092.480] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*" [0092.481] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*") returned 86 [0092.481] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages" [0092.481] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*" [0092.482] GlobalMemoryStatus (in: lpBuffer=0xbc0fd08 | out: lpBuffer=0xbc0fd08) [0092.510] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3f087e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x398 [0092.510] CloseHandle (hObject=0x398) returned 1 [0092.510] FindNextFileW (in: hFindFile=0x10804ac8, lpFindFileData=0xbc0fd28 | out: lpFindFileData=0xbc0fd28) returned 0 [0092.510] FindClose (in: hFindFile=0x10804ac8 | out: hFindFile=0x10804ac8) returned 1 Thread: id = 177 os_tid = 0xfbc [0091.936] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*", lpFindFileData=0xbd4fd28 | out: lpFindFileData=0xbd4fd28) returned 0x10804fc8 [0092.511] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.511] FindNextFileW (in: hFindFile=0x10804fc8, lpFindFileData=0xbd4fd28 | out: lpFindFileData=0xbd4fd28) returned 1 [0092.511] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.511] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.511] FindNextFileW (in: hFindFile=0x10804fc8, lpFindFileData=0xbd4fd28 | out: lpFindFileData=0xbd4fd28) returned 1 [0092.511] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0092.511] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0092.511] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0092.511] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*" [0092.511] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*") returned 87 [0092.511] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages" [0092.511] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*" [0092.511] GlobalMemoryStatus (in: lpBuffer=0xbd4fd08 | out: lpBuffer=0xbd4fd08) [0092.511] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8b80e18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x398 [0092.512] CloseHandle (hObject=0x398) returned 1 [0092.512] FindNextFileW (in: hFindFile=0x10804fc8, lpFindFileData=0xbd4fd28 | out: lpFindFileData=0xbd4fd28) returned 0 [0092.512] FindClose (in: hFindFile=0x10804fc8 | out: hFindFile=0x10804fc8) returned 1 Thread: id = 178 os_tid = 0xfd0 [0091.167] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*", lpFindFileData=0xbe8fd28 | out: lpFindFileData=0xbe8fd28) returned 0x5c8b10 [0091.167] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.167] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0xbe8fd28 | out: lpFindFileData=0xbe8fd28) returned 1 [0091.167] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.167] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.167] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0xbe8fd28 | out: lpFindFileData=0xbe8fd28) returned 1 [0091.167] lstrcpyW (in: lpString1=0x2cf0140, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" [0091.167] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned 75 [0091.167] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\How To Restore Files.hta" [0091.167] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\How To Restore Files.hta" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\how to restore files.hta")) returned 0xffffffff [0091.168] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\How To Restore Files.hta" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0091.169] WriteFile (in: hFile=0x36c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xbe8fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xbe8fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0091.170] CloseHandle (hObject=0x36c) returned 1 [0091.171] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0091.171] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="state.rsm") returned -1 [0091.171] lstrlenW (lpString="state.rsm") returned 9 [0091.171] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" [0091.171] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned 75 [0091.171] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\", lpString2="state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" [0091.171] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" [0091.171] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm id-Br3n0G72wUb8CejT.LyaS" [0091.171] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm id-br3n0g72wub8cejt.lyas")) returned 1 [0091.173] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0091.173] CreateFileMappingA (hFile=0x36c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x2ec [0091.173] CryptAcquireContextA (in: phProv=0xbe8fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xbe8fce4*=0x5d1140) returned 1 [0091.173] CryptGenKey (in: hProv=0x5d1140, Algid=0x6610, dwFlags=0x1, phKey=0xbe8fce0 | out: phKey=0xbe8fce0*=0x5c8b50) returned 1 [0091.174] CryptExportKey (in: hKey=0x5c8b50, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xbe8fbdc, pdwDataLen=0xbe8fcdc | out: pbData=0xbe8fbdc*, pdwDataLen=0xbe8fcdc*=0x2c) returned 1 [0091.174] MapViewOfFile (hFileMappingObject=0x2ec, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2e0) returned 0x4e40000 [0091.188] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xbe8fbdc*, pdwDataLen=0xbe8fcf0*=0x40, dwBufLen=0x100 | out: pbData=0xbe8fbdc*, pdwDataLen=0xbe8fcf0*=0x100) returned 1 [0091.188] CryptEncrypt (in: hKey=0x5c8b50, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4e40000*, pdwDataLen=0xbe8fcdc*=0x2e0, dwBufLen=0x2e0 | out: pbData=0x4e40000*, pdwDataLen=0xbe8fcdc*=0x2e0) returned 1 [0091.188] UnmapViewOfFile (lpBaseAddress=0x4e40000) returned 1 [0091.188] CloseHandle (hObject=0x2ec) returned 1 [0091.188] CryptDestroyKey (hKey=0x5c8b50) returned 1 [0091.188] CryptReleaseContext (hProv=0x5d1140, dwFlags=0x0) returned 1 [0091.188] SetFilePointerEx (in: hFile=0x36c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.188] WriteFile (in: hFile=0x36c, lpBuffer=0xbe8fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xbe8fcf0, lpOverlapped=0x0 | out: lpBuffer=0xbe8fbdc*, lpNumberOfBytesWritten=0xbe8fcf0*=0x100, lpOverlapped=0x0) returned 1 [0091.189] WriteFile (in: hFile=0x36c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xbe8fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0xbe8fcf0*=0x500, lpOverlapped=0x0) returned 1 [0091.189] CloseHandle (hObject=0x36c) returned 1 [0091.190] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0091.190] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0xbe8fd28 | out: lpFindFileData=0xbe8fd28) returned 1 [0091.190] lstrcpyW (in: lpString1=0x2cf0140, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" [0091.190] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned 75 [0091.190] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\How To Restore Files.hta" [0091.190] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\How To Restore Files.hta" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\how to restore files.hta")) returned 0x1 [0091.190] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="VC_redist.x64.exe") returned -1 [0091.190] lstrlenW (lpString="VC_redist.x64.exe") returned 17 [0091.190] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" [0091.191] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned 75 [0091.191] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\", lpString2="VC_redist.x64.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" [0091.191] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" [0091.191] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe id-Br3n0G72wUb8CejT.LyaS" [0091.191] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0091.191] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0091.192] CreateFileMappingA (hFile=0x36c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x2ec [0091.192] CryptAcquireContextA (in: phProv=0xbe8fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xbe8fce4*=0x5d1470) returned 1 [0091.192] CryptGenKey (in: hProv=0x5d1470, Algid=0x6610, dwFlags=0x1, phKey=0xbe8fce0 | out: phKey=0xbe8fce0*=0x5c8c50) returned 1 [0091.192] CryptExportKey (in: hKey=0x5c8c50, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xbe8fbdc, pdwDataLen=0xbe8fcdc | out: pbData=0xbe8fbdc*, pdwDataLen=0xbe8fcdc*=0x2c) returned 1 [0091.192] MapViewOfFile (hFileMappingObject=0x2ec, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xbee20) returned 0x2ac0000 [0091.374] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xbe8fbdc*, pdwDataLen=0xbe8fcf0*=0x40, dwBufLen=0x100 | out: pbData=0xbe8fbdc*, pdwDataLen=0xbe8fcf0*=0x100) returned 1 [0091.375] CryptEncrypt (in: hKey=0x5c8c50, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2ac0000, pdwDataLen=0xbe8fcdc*=0xbee20, dwBufLen=0xbee20 | out: pbData=0x2ac0000*, pdwDataLen=0xbe8fcdc*=0xbee20) returned 1 [0096.805] UnmapViewOfFile (lpBaseAddress=0x2ac0000) returned 1 [0096.813] CloseHandle (hObject=0x2ec) returned 1 [0096.813] CryptDestroyKey (hKey=0x5c8c50) returned 1 [0096.980] CryptReleaseContext (hProv=0x5d1470, dwFlags=0x0) returned 1 [0096.980] SetFilePointerEx (in: hFile=0x36c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.980] WriteFile (in: hFile=0x36c, lpBuffer=0xbe8fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xbe8fcf0, lpOverlapped=0x0 | out: lpBuffer=0xbe8fbdc*, lpNumberOfBytesWritten=0xbe8fcf0*=0x100, lpOverlapped=0x0) returned 1 [0100.915] WriteFile (in: hFile=0x36c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xbe8fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0xbe8fcf0*=0x500, lpOverlapped=0x0) returned 1 [0100.915] CloseHandle (hObject=0x36c) returned 1 [0100.986] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0100.987] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0xbe8fd28 | out: lpFindFileData=0xbe8fd28) returned 0 [0100.987] FindClose (in: hFindFile=0x5c8b10 | out: hFindFile=0x5c8b10) returned 1 Thread: id = 179 os_tid = 0xfb4 [0090.957] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*", lpFindFileData=0xbfcfd28 | out: lpFindFileData=0xbfcfd28) returned 0x5c9110 [0090.957] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.957] FindNextFileW (in: hFindFile=0x5c9110, lpFindFileData=0xbfcfd28 | out: lpFindFileData=0xbfcfd28) returned 1 [0090.958] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.958] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.958] FindNextFileW (in: hFindFile=0x5c9110, lpFindFileData=0xbfcfd28 | out: lpFindFileData=0xbfcfd28) returned 1 [0092.405] lstrcpyW (in: lpString1=0x5a88460, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" [0092.405] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned 75 [0092.406] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\How To Restore Files.hta" [0092.406] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\How To Restore Files.hta" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\how to restore files.hta")) returned 0xffffffff [0092.406] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\How To Restore Files.hta" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0092.415] WriteFile (in: hFile=0x398, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xbfcfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xbfcfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0092.417] CloseHandle (hObject=0x398) returned 1 [0092.417] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0092.418] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="state.rsm") returned -1 [0092.418] lstrlenW (lpString="state.rsm") returned 9 [0092.419] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" [0092.419] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned 75 [0092.419] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", lpString2="state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" [0092.419] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" [0092.419] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm id-Br3n0G72wUb8CejT.LyaS" [0092.419] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm id-br3n0g72wub8cejt.lyas")) returned 1 [0092.422] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0092.422] CreateFileMappingA (hFile=0x398, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3dc [0092.422] CryptAcquireContextA (in: phProv=0xbfcfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xbfcfce4*=0x5d1140) returned 1 [0092.423] CryptGenKey (in: hProv=0x5d1140, Algid=0x6610, dwFlags=0x1, phKey=0xbfcfce0 | out: phKey=0xbfcfce0*=0x10804988) returned 1 [0092.423] CryptExportKey (in: hKey=0x10804988, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xbfcfbdc, pdwDataLen=0xbfcfcdc | out: pbData=0xbfcfbdc*, pdwDataLen=0xbfcfcdc*=0x2c) returned 1 [0092.423] MapViewOfFile (hFileMappingObject=0x3dc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x280) returned 0x64e0000 [0092.427] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xbfcfbdc*, pdwDataLen=0xbfcfcf0*=0x40, dwBufLen=0x100 | out: pbData=0xbfcfbdc*, pdwDataLen=0xbfcfcf0*=0x100) returned 1 [0092.428] CryptEncrypt (in: hKey=0x10804988, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x64e0000*, pdwDataLen=0xbfcfcdc*=0x280, dwBufLen=0x280 | out: pbData=0x64e0000*, pdwDataLen=0xbfcfcdc*=0x280) returned 1 [0092.428] UnmapViewOfFile (lpBaseAddress=0x64e0000) returned 1 [0092.428] CloseHandle (hObject=0x3dc) returned 1 [0092.428] CryptDestroyKey (hKey=0x10804988) returned 1 [0092.428] CryptReleaseContext (hProv=0x5d1140, dwFlags=0x0) returned 1 [0092.428] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.429] WriteFile (in: hFile=0x398, lpBuffer=0xbfcfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xbfcfcf0, lpOverlapped=0x0 | out: lpBuffer=0xbfcfbdc*, lpNumberOfBytesWritten=0xbfcfcf0*=0x100, lpOverlapped=0x0) returned 1 [0092.430] WriteFile (in: hFile=0x398, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xbfcfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0xbfcfcf0*=0x500, lpOverlapped=0x0) returned 1 [0092.430] CloseHandle (hObject=0x398) returned 1 [0092.435] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0092.435] FindNextFileW (in: hFindFile=0x5c9110, lpFindFileData=0xbfcfd28 | out: lpFindFileData=0xbfcfd28) returned 1 [0092.435] lstrcpyW (in: lpString1=0x5a88460, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" [0092.435] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned 75 [0092.436] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\How To Restore Files.hta" [0092.436] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\How To Restore Files.hta" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\how to restore files.hta")) returned 0x1 [0092.436] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="vcredist_x86.exe") returned -1 [0092.436] lstrlenW (lpString="vcredist_x86.exe") returned 16 [0092.436] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" [0092.436] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned 75 [0092.436] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", lpString2="vcredist_x86.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" [0092.436] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" [0092.436] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe id-Br3n0G72wUb8CejT.LyaS" [0092.436] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0092.438] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0092.438] CreateFileMappingA (hFile=0x398, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3dc [0092.438] CryptAcquireContextA (in: phProv=0xbfcfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xbfcfce4*=0x5d1140) returned 1 [0092.439] CryptGenKey (in: hProv=0x5d1140, Algid=0x6610, dwFlags=0x1, phKey=0xbfcfce0 | out: phKey=0xbfcfce0*=0x10804988) returned 1 [0092.439] CryptExportKey (in: hKey=0x10804988, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xbfcfbdc, pdwDataLen=0xbfcfcdc | out: pbData=0xbfcfbdc*, pdwDataLen=0xbfcfcdc*=0x2c) returned 1 [0092.439] MapViewOfFile (hFileMappingObject=0x3dc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x71080) returned 0x1ce20000 [0092.477] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xbfcfbdc*, pdwDataLen=0xbfcfcf0*=0x40, dwBufLen=0x100 | out: pbData=0xbfcfbdc*, pdwDataLen=0xbfcfcf0*=0x100) returned 1 [0092.477] CryptEncrypt (in: hKey=0x10804988, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x1ce20000, pdwDataLen=0xbfcfcdc*=0x71080, dwBufLen=0x71080 | out: pbData=0x1ce20000*, pdwDataLen=0xbfcfcdc*=0x71080) returned 1 [0092.485] UnmapViewOfFile (lpBaseAddress=0x1ce20000) returned 1 [0092.490] CloseHandle (hObject=0x3dc) returned 1 [0092.490] CryptDestroyKey (hKey=0x10804988) returned 1 [0092.490] CryptReleaseContext (hProv=0x5d1140, dwFlags=0x0) returned 1 [0092.490] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.490] WriteFile (in: hFile=0x398, lpBuffer=0xbfcfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xbfcfcf0, lpOverlapped=0x0 | out: lpBuffer=0xbfcfbdc*, lpNumberOfBytesWritten=0xbfcfcf0*=0x100, lpOverlapped=0x0) returned 1 [0092.491] WriteFile (in: hFile=0x398, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xbfcfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0xbfcfcf0*=0x500, lpOverlapped=0x0) returned 1 [0092.491] CloseHandle (hObject=0x398) returned 1 [0092.502] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0092.503] FindNextFileW (in: hFindFile=0x5c9110, lpFindFileData=0xbfcfd28 | out: lpFindFileData=0xbfcfd28) returned 0 [0092.503] FindClose (in: hFindFile=0x5c9110 | out: hFindFile=0x5c9110) returned 1 Thread: id = 180 os_tid = 0xfac [0090.957] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*", lpFindFileData=0xc10fd28 | out: lpFindFileData=0xc10fd28) returned 0x10804ac8 [0092.515] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.516] FindNextFileW (in: hFindFile=0x10804ac8, lpFindFileData=0xc10fd28 | out: lpFindFileData=0xc10fd28) returned 1 [0092.516] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.516] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.516] FindNextFileW (in: hFindFile=0x10804ac8, lpFindFileData=0xc10fd28 | out: lpFindFileData=0xc10fd28) returned 1 [0092.516] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0092.516] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0092.516] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0092.516] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*" [0092.516] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*") returned 86 [0092.516] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages" [0092.516] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*" [0092.516] GlobalMemoryStatus (in: lpBuffer=0xc10fd08 | out: lpBuffer=0xc10fd08) [0092.516] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x89a05f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3dc [0092.517] CloseHandle (hObject=0x3dc) returned 1 [0092.517] FindNextFileW (in: hFindFile=0x10804ac8, lpFindFileData=0xc10fd28 | out: lpFindFileData=0xc10fd28) returned 0 [0092.517] FindClose (in: hFindFile=0x10804ac8 | out: hFindFile=0x10804ac8) returned 1 Thread: id = 181 os_tid = 0xffc [0090.956] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.3.193.0_x86__8wekyb3d8bbwe\\*.*", lpFindFileData=0xc24fd28 | out: lpFindFileData=0xc24fd28) returned 0x10804fc8 [0092.514] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.514] FindNextFileW (in: hFindFile=0x10804fc8, lpFindFileData=0xc24fd28 | out: lpFindFileData=0xc24fd28) returned 1 [0092.515] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.515] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.515] FindNextFileW (in: hFindFile=0x10804fc8, lpFindFileData=0xc24fd28 | out: lpFindFileData=0xc24fd28) returned 1 [0092.515] lstrcpyW (in: lpString1=0x5a90468, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.3.193.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.3.193.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.3.193.0_x86__8wekyb3d8bbwe\\*.*" [0092.515] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.3.193.0_x86__8wekyb3d8bbwe\\*.*") returned 87 [0092.515] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.3.193.0_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.3.193.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.3.193.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0092.515] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.3.193.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.bingweather_4.3.193.0_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0092.515] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.3.193.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.bingweather_4.3.193.0_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.347] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xc24fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xc24fcf0, lpOverlapped=0x0) returned 0 [0094.347] CloseHandle (hObject=0xffffffff) returned 1 [0094.347] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingWeather_4.3.193.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 Thread: id = 182 os_tid = 0xc10 [0090.956] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2.1.9.0_x64__8wekyb3d8bbwe\\*.*", lpFindFileData=0xc38fd28 | out: lpFindFileData=0xc38fd28) returned 0x5c8550 [0092.801] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.801] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0xc38fd28 | out: lpFindFileData=0xc38fd28) returned 1 [0092.801] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.801] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.801] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0xc38fd28 | out: lpFindFileData=0xc38fd28) returned 1 [0092.802] lstrcpyW (in: lpString1=0x8938400, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2.1.9.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2.1.9.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2.1.9.0_x64__8wekyb3d8bbwe\\*.*" [0092.802] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2.1.9.0_x64__8wekyb3d8bbwe\\*.*") returned 84 [0092.802] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2.1.9.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2.1.9.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2.1.9.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0092.802] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2.1.9.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.getstarted_2.1.9.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0092.802] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2.1.9.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.getstarted_2.1.9.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.350] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xc38fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xc38fcf0, lpOverlapped=0x0) returned 0 [0094.350] CloseHandle (hObject=0xffffffff) returned 1 [0094.350] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2.1.9.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 Thread: id = 183 os_tid = 0xff8 [0090.956] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2015.622.1108.0_neutral_~_8wekyb3d8bbwe\\*.*", lpFindFileData=0xc4cfd28 | out: lpFindFileData=0xc4cfd28) returned 0x5c87d0 [0090.974] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.974] FindNextFileW (in: hFindFile=0x5c87d0, lpFindFileData=0xc4cfd28 | out: lpFindFileData=0xc4cfd28) returned 1 [0090.974] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.974] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.974] FindNextFileW (in: hFindFile=0x5c87d0, lpFindFileData=0xc4cfd28 | out: lpFindFileData=0xc4cfd28) returned 1 [0091.097] lstrcpyW (in: lpString1=0x5a50388, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2015.622.1108.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2015.622.1108.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2015.622.1108.0_neutral_~_8wekyb3d8bbwe\\*.*" [0091.098] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2015.622.1108.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 97 [0091.098] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2015.622.1108.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2015.622.1108.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2015.622.1108.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0091.098] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2015.622.1108.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.getstarted_2015.622.1108.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0091.098] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Getstarted_2015.622.1108.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.getstarted_2015.622.1108.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 184 os_tid = 0x724 [0090.955] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_17.4218.23751.0_x64__8wekyb3d8bbwe\\*.*", lpFindFileData=0xc60fd28 | out: lpFindFileData=0xc60fd28) returned 0x10804ac8 [0092.554] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.554] FindNextFileW (in: hFindFile=0x10804ac8, lpFindFileData=0xc60fd28 | out: lpFindFileData=0xc60fd28) returned 1 [0092.555] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.555] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.555] FindNextFileW (in: hFindFile=0x10804ac8, lpFindFileData=0xc60fd28 | out: lpFindFileData=0xc60fd28) returned 1 [0092.555] lstrcpyW (in: lpString1=0x8be0fb8, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_17.4218.23751.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_17.4218.23751.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_17.4218.23751.0_x64__8wekyb3d8bbwe\\*.*" [0092.555] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_17.4218.23751.0_x64__8wekyb3d8bbwe\\*.*") returned 100 [0092.555] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_17.4218.23751.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_17.4218.23751.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_17.4218.23751.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0092.555] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_17.4218.23751.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.microsoftofficehub_17.4218.23751.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0092.555] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_17.4218.23751.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.microsoftofficehub_17.4218.23751.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.348] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xc60fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xc60fcf0, lpOverlapped=0x0) returned 0 [0094.348] CloseHandle (hObject=0xffffffff) returned 1 [0094.348] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_17.4218.23751.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 Thread: id = 185 os_tid = 0x720 [0090.955] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe\\*.*", lpFindFileData=0xc74fd28 | out: lpFindFileData=0xc74fd28) returned 0x5c9150 [0090.974] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.975] FindNextFileW (in: hFindFile=0x5c9150, lpFindFileData=0xc74fd28 | out: lpFindFileData=0xc74fd28) returned 1 [0090.975] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.975] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.975] FindNextFileW (in: hFindFile=0x5c9150, lpFindFileData=0xc74fd28 | out: lpFindFileData=0xc74fd28) returned 1 [0091.097] lstrcpyW (in: lpString1=0x3db8250, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe\\*.*" [0091.097] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 107 [0091.097] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0091.097] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.microsoftofficehub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0091.097] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.microsoftofficehub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.345] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xc74fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xc74fcf0, lpOverlapped=0x0) returned 0 [0094.345] CloseHandle (hObject=0xffffffff) returned 1 [0094.345] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 Thread: id = 186 os_tid = 0x82c [0090.953] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe\\*.*", lpFindFileData=0xc88fd28 | out: lpFindFileData=0xc88fd28) returned 0x5c8810 [0091.164] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.164] FindNextFileW (in: hFindFile=0x5c8810, lpFindFileData=0xc88fd28 | out: lpFindFileData=0xc88fd28) returned 1 [0091.164] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.164] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.164] FindNextFileW (in: hFindFile=0x5c8810, lpFindFileData=0xc88fd28 | out: lpFindFileData=0xc88fd28) returned 1 [0091.164] lstrcpyW (in: lpString1=0x3f000d8, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe\\*.*" [0091.164] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 110 [0091.164] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0091.164] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.microsoftsolitairecollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0091.164] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.microsoftsolitairecollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.345] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xc88fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xc88fcf0, lpOverlapped=0x0) returned 0 [0094.345] CloseHandle (hObject=0xffffffff) returned 1 [0094.345] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 Thread: id = 187 os_tid = 0x54c [0090.953] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_x64__8wekyb3d8bbwe\\*.*", lpFindFileData=0xc9cfd28 | out: lpFindFileData=0xc9cfd28) returned 0x5c9090 [0090.953] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.953] FindNextFileW (in: hFindFile=0x5c9090, lpFindFileData=0xc9cfd28 | out: lpFindFileData=0xc9cfd28) returned 1 [0090.953] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0090.953] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.953] FindNextFileW (in: hFindFile=0x5c9090, lpFindFileData=0xc9cfd28 | out: lpFindFileData=0xc9cfd28) returned 1 [0092.557] lstrcpyW (in: lpString1=0x8be8fc0, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_x64__8wekyb3d8bbwe\\*.*" [0092.557] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_x64__8wekyb3d8bbwe\\*.*") returned 105 [0092.557] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0092.557] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.microsoftsolitairecollection_3.1.6103.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0092.557] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.microsoftsolitairecollection_3.1.6103.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.348] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xc9cfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xc9cfcf0, lpOverlapped=0x0) returned 0 [0094.348] CloseHandle (hObject=0xffffffff) returned 1 [0094.349] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 Thread: id = 188 os_tid = 0x84 [0090.953] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\*.*", lpFindFileData=0xcb0fd28 | out: lpFindFileData=0xcb0fd28) returned 0x5c92d0 [0092.799] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.799] FindNextFileW (in: hFindFile=0x5c92d0, lpFindFileData=0xcb0fd28 | out: lpFindFileData=0xcb0fd28) returned 1 [0092.799] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.799] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.799] FindNextFileW (in: hFindFile=0x5c92d0, lpFindFileData=0xcb0fd28 | out: lpFindFileData=0xcb0fd28) returned 1 [0092.799] lstrcpyW (in: lpString1=0x89283f0, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\*.*" [0092.799] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\*.*") returned 102 [0092.800] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0092.800] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.net.native.framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0092.800] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.net.native.framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.349] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xcb0fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xcb0fcf0, lpOverlapped=0x0) returned 0 [0094.349] CloseHandle (hObject=0xffffffff) returned 1 [0094.349] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 Thread: id = 189 os_tid = 0x1b4 [0090.952] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\*.*", lpFindFileData=0xcc4fd28 | out: lpFindFileData=0xcc4fd28) returned 0x5c9390 [0092.800] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.800] FindNextFileW (in: hFindFile=0x5c9390, lpFindFileData=0xcc4fd28 | out: lpFindFileData=0xcc4fd28) returned 1 [0092.800] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.800] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.800] FindNextFileW (in: hFindFile=0x5c9390, lpFindFileData=0xcc4fd28 | out: lpFindFileData=0xcc4fd28) returned 1 [0092.801] lstrcpyW (in: lpString1=0x89303f8, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\*.*" [0092.801] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\*.*") returned 102 [0092.801] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0092.801] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.net.native.framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0092.801] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.net.native.framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.350] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xcc4fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xcc4fcf0, lpOverlapped=0x0) returned 0 [0094.350] CloseHandle (hObject=0xffffffff) returned 1 [0094.350] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 Thread: id = 190 os_tid = 0x2f0 [0091.203] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*.*", lpFindFileData=0xcd8fd28 | out: lpFindFileData=0xcd8fd28) returned 0x5c8c90 [0091.204] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.204] FindNextFileW (in: hFindFile=0x5c8c90, lpFindFileData=0xcd8fd28 | out: lpFindFileData=0xcd8fd28) returned 1 [0091.204] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.204] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.204] FindNextFileW (in: hFindFile=0x5c8c90, lpFindFileData=0xcd8fd28 | out: lpFindFileData=0xcd8fd28) returned 1 [0091.204] lstrcmpW (lpString1=".", lpString2="BreadcrumbStore") returned -1 [0091.204] lstrcmpW (lpString1="..", lpString2="BreadcrumbStore") returned -1 [0091.204] lstrcmpiW (lpString1="windows", lpString2="BreadcrumbStore") returned 1 [0091.204] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*.*" [0091.204] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*.*") returned 45 [0091.204] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\", lpString2="BreadcrumbStore" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore") returned="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore" [0091.204] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*" [0091.204] GlobalMemoryStatus (in: lpBuffer=0xcd8fd08 | out: lpBuffer=0xcd8fd08) [0091.204] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5ac8590, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x324 [0093.227] CloseHandle (hObject=0x324) returned 1 [0093.227] FindNextFileW (in: hFindFile=0x5c8c90, lpFindFileData=0xcd8fd28 | out: lpFindFileData=0xcd8fd28) returned 0 [0093.227] FindClose (in: hFindFile=0x5c8c90 | out: hFindFile=0x5c8c90) returned 1 Thread: id = 191 os_tid = 0x2e0 [0091.205] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*", lpFindFileData=0xcecfd28 | out: lpFindFileData=0xcecfd28) returned 0x5c8550 [0091.205] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.206] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0xcecfd28 | out: lpFindFileData=0xcecfd28) returned 1 [0091.206] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.206] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.206] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0xcecfd28 | out: lpFindFileData=0xcecfd28) returned 0 [0091.206] FindClose (in: hFindFile=0x5c8550 | out: hFindFile=0x5c8550) returned 1 Thread: id = 192 os_tid = 0x53c [0091.207] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\*.*", lpFindFileData=0xd00fd28 | out: lpFindFileData=0xd00fd28) returned 0x5c8550 [0091.207] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.207] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0xd00fd28 | out: lpFindFileData=0xd00fd28) returned 1 [0091.207] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.207] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.207] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0xd00fd28 | out: lpFindFileData=0xd00fd28) returned 0 [0091.207] FindClose (in: hFindFile=0x5c8550 | out: hFindFile=0x5c8550) returned 1 Thread: id = 193 os_tid = 0x7a4 [0091.208] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\*.*", lpFindFileData=0xd14fd28 | out: lpFindFileData=0xd14fd28) returned 0x5c8550 [0091.208] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.208] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0xd14fd28 | out: lpFindFileData=0xd14fd28) returned 1 [0091.208] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.209] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.209] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0xd14fd28 | out: lpFindFileData=0xd14fd28) returned 1 [0091.209] lstrcmpW (lpString1=".", lpString2="Chrome") returned -1 [0091.209] lstrcmpW (lpString1="..", lpString2="Chrome") returned -1 [0091.209] lstrcmpiW (lpString1="windows", lpString2="Chrome") returned 1 [0091.209] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Google\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\*.*" [0091.209] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\*.*") returned 37 [0091.209] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\", lpString2="Chrome" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome" [0091.209] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\*.*" [0091.209] GlobalMemoryStatus (in: lpBuffer=0xd14fd08 | out: lpBuffer=0xd14fd08) [0091.209] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8ca12f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3b8 [0091.210] CloseHandle (hObject=0x3b8) returned 1 [0091.210] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0xd14fd28 | out: lpFindFileData=0xd14fd28) returned 1 [0091.210] lstrcmpW (lpString1=".", lpString2="CrashReports") returned -1 [0091.210] lstrcmpW (lpString1="..", lpString2="CrashReports") returned -1 [0091.210] lstrcmpiW (lpString1="windows", lpString2="CrashReports") returned 1 [0091.210] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Google\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\*.*" [0091.210] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\*.*") returned 37 [0091.210] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\", lpString2="CrashReports" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\CrashReports") returned="\\\\?\\C:\\Program Files (x86)\\Google\\CrashReports" [0091.210] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\CrashReports", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\CrashReports\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\CrashReports\\*.*" [0091.210] GlobalMemoryStatus (in: lpBuffer=0xd14fd08 | out: lpBuffer=0xd14fd08) [0091.210] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8cb9360, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3b8 [0091.211] CloseHandle (hObject=0x3b8) returned 1 [0091.211] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0xd14fd28 | out: lpFindFileData=0xd14fd28) returned 0 [0091.211] FindClose (in: hFindFile=0x5c8550 | out: hFindFile=0x5c8550) returned 1 Thread: id = 194 os_tid = 0x998 [0091.212] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*", lpFindFileData=0xd28fd28 | out: lpFindFileData=0xd28fd28) returned 0x5c8550 [0091.212] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.212] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0xd28fd28 | out: lpFindFileData=0xd28fd28) returned 1 [0091.212] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.212] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.212] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0xd28fd28 | out: lpFindFileData=0xd28fd28) returned 1 [0091.212] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0091.212] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0091.212] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0091.212] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0091.212] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0091.212] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US" [0091.213] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" [0091.213] GlobalMemoryStatus (in: lpBuffer=0xd28fd08 | out: lpBuffer=0xd28fd08) [0091.213] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5af8660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3b8 [0091.213] CloseHandle (hObject=0x3b8) returned 1 [0091.213] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0xd28fd28 | out: lpFindFileData=0xd28fd28) returned 1 [0091.213] lstrcpyW (in: lpString1=0x2cf0140, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0091.213] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0091.213] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta" [0091.213] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\internet explorer\\how to restore files.hta")) returned 0xffffffff [0091.213] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\internet explorer\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b8 [0091.214] WriteFile (in: hFile=0x3b8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xd28fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xd28fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0091.215] CloseHandle (hObject=0x3b8) returned 1 [0091.215] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0091.215] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ExtExport.exe") returned 1 [0091.215] lstrlenW (lpString="ExtExport.exe") returned 13 [0091.216] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0091.216] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0091.216] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="ExtExport.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ExtExport.exe") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ExtExport.exe" [0091.216] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ExtExport.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ExtExport.exe") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ExtExport.exe" [0091.216] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ExtExport.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ExtExport.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ExtExport.exe id-Br3n0G72wUb8CejT.LyaS" [0091.216] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ExtExport.exe" (normalized: "c:\\program files (x86)\\internet explorer\\extexport.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ExtExport.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\internet explorer\\extexport.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0091.254] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0xd28fd28 | out: lpFindFileData=0xd28fd28) returned 1 [0091.254] lstrcpyW (in: lpString1=0x107c0940, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0091.254] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0091.254] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta" [0091.254] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\internet explorer\\how to restore files.hta")) returned 0x1 [0091.254] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="hmmapi.dll") returned 1 [0091.254] lstrlenW (lpString="hmmapi.dll") returned 10 [0091.254] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0091.254] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0091.254] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="hmmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\hmmapi.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\hmmapi.dll" [0091.254] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\hmmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\hmmapi.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\hmmapi.dll" [0091.254] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\hmmapi.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\hmmapi.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\hmmapi.dll id-Br3n0G72wUb8CejT.LyaS" [0091.254] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\hmmapi.dll" (normalized: "c:\\program files (x86)\\internet explorer\\hmmapi.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\hmmapi.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\internet explorer\\hmmapi.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.255] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0xd28fd28 | out: lpFindFileData=0xd28fd28) returned 1 [0091.255] lstrcpyW (in: lpString1=0x107c0940, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0091.255] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0091.255] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta" [0091.255] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\internet explorer\\how to restore files.hta")) returned 0x1 [0091.255] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ie9props.propdesc") returned -1 [0091.255] lstrlenW (lpString="ie9props.propdesc") returned 17 [0091.255] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0091.255] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0091.255] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="ie9props.propdesc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ie9props.propdesc") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ie9props.propdesc" [0091.255] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ie9props.propdesc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ie9props.propdesc") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ie9props.propdesc" [0091.255] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ie9props.propdesc", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ie9props.propdesc id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ie9props.propdesc id-Br3n0G72wUb8CejT.LyaS" [0091.255] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ie9props.propdesc" (normalized: "c:\\program files (x86)\\internet explorer\\ie9props.propdesc"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ie9props.propdesc id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\internet explorer\\ie9props.propdesc id-br3n0g72wub8cejt.lyas")) returned 0 [0091.292] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0xd28fd28 | out: lpFindFileData=0xd28fd28) returned 1 [0091.292] lstrcpyW (in: lpString1=0x5b28730, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0091.292] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0091.292] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta" [0091.292] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\internet explorer\\how to restore files.hta")) returned 0x1 [0091.292] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ieinstal.exe") returned -1 [0091.292] lstrlenW (lpString="ieinstal.exe") returned 12 [0091.292] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0091.292] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0091.292] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="ieinstal.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe" [0091.292] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe" [0091.292] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe id-Br3n0G72wUb8CejT.LyaS" [0091.292] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe" (normalized: "c:\\program files (x86)\\internet explorer\\ieinstal.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\internet explorer\\ieinstal.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0091.382] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0xd28fd28 | out: lpFindFileData=0xd28fd28) returned 1 [0091.382] lstrcpyW (in: lpString1=0x5b28730, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0091.382] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0091.382] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta" [0091.382] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\internet explorer\\how to restore files.hta")) returned 0x1 [0091.382] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ielowutil.exe") returned -1 [0091.383] lstrlenW (lpString="ielowutil.exe") returned 13 [0091.383] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0091.383] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0091.383] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="ielowutil.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ielowutil.exe") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ielowutil.exe" [0091.383] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ielowutil.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ielowutil.exe") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ielowutil.exe" [0091.383] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ielowutil.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ielowutil.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ielowutil.exe id-Br3n0G72wUb8CejT.LyaS" [0091.383] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ielowutil.exe" (normalized: "c:\\program files (x86)\\internet explorer\\ielowutil.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ielowutil.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\internet explorer\\ielowutil.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0091.461] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0xd28fd28 | out: lpFindFileData=0xd28fd28) returned 1 [0091.462] lstrcpyW (in: lpString1=0x3e08390, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0091.462] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0091.462] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta" [0091.463] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\internet explorer\\how to restore files.hta")) returned 0x1 [0091.463] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="IEShims.dll") returned -1 [0091.463] lstrlenW (lpString="IEShims.dll") returned 11 [0091.463] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0091.463] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0091.463] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="IEShims.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll" [0091.463] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll" [0091.463] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll id-Br3n0G72wUb8CejT.LyaS" [0091.463] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll" (normalized: "c:\\program files (x86)\\internet explorer\\ieshims.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\internet explorer\\ieshims.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.731] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0xd28fd28 | out: lpFindFileData=0xd28fd28) returned 1 [0091.731] lstrcpyW (in: lpString1=0x3f20868, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0091.731] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0091.731] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta" [0091.731] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\internet explorer\\how to restore files.hta")) returned 0x1 [0091.731] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="iexplore.exe") returned -1 [0091.731] lstrlenW (lpString="iexplore.exe") returned 12 [0091.731] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0091.731] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0091.731] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="iexplore.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" [0091.731] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" [0091.731] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe id-Br3n0G72wUb8CejT.LyaS" [0091.731] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" (normalized: "c:\\program files (x86)\\internet explorer\\iexplore.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\internet explorer\\iexplore.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0091.732] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0xd28fd28 | out: lpFindFileData=0xd28fd28) returned 1 [0091.732] lstrcmpW (lpString1=".", lpString2="images") returned -1 [0091.732] lstrcmpW (lpString1="..", lpString2="images") returned -1 [0091.732] lstrcmpiW (lpString1="windows", lpString2="images") returned 1 [0091.732] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0091.732] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0091.732] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="images" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\images") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\images" [0091.732] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\images", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\images\\*.*" [0091.732] GlobalMemoryStatus (in: lpBuffer=0xd28fd08 | out: lpBuffer=0xd28fd08) [0091.732] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8de17e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3d4 [0091.733] CloseHandle (hObject=0x3d4) returned 1 [0091.733] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0xd28fd28 | out: lpFindFileData=0xd28fd28) returned 1 [0091.733] lstrcpyW (in: lpString1=0x3f20868, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0091.733] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0091.733] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta" [0091.733] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\internet explorer\\how to restore files.hta")) returned 0x1 [0091.733] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="reveal_medicare_ebay.exe") returned -1 [0091.733] lstrlenW (lpString="reveal_medicare_ebay.exe") returned 24 [0091.733] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0091.733] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0091.733] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="reveal_medicare_ebay.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\reveal_medicare_ebay.exe") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\reveal_medicare_ebay.exe" [0091.733] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\reveal_medicare_ebay.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\reveal_medicare_ebay.exe") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\reveal_medicare_ebay.exe" [0091.733] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\reveal_medicare_ebay.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\reveal_medicare_ebay.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\reveal_medicare_ebay.exe id-Br3n0G72wUb8CejT.LyaS" [0091.733] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\reveal_medicare_ebay.exe" (normalized: "c:\\program files (x86)\\internet explorer\\reveal_medicare_ebay.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\reveal_medicare_ebay.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\internet explorer\\reveal_medicare_ebay.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0091.734] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\reveal_medicare_ebay.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\internet explorer\\reveal_medicare_ebay.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d4 [0091.734] CreateFileMappingA (hFile=0x3d4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x44c [0091.735] CryptAcquireContextA (in: phProv=0xd28fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xd28fce4*=0x5d13e8) returned 1 [0091.735] CryptGenKey (in: hProv=0x5d13e8, Algid=0x6610, dwFlags=0x1, phKey=0xd28fce0 | out: phKey=0xd28fce0*=0x108054c8) returned 1 [0091.735] CryptExportKey (in: hKey=0x108054c8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xd28fbdc, pdwDataLen=0xd28fcdc | out: pbData=0xd28fbdc*, pdwDataLen=0xd28fcdc*=0x2c) returned 1 [0091.735] MapViewOfFile (hFileMappingObject=0x44c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12600) returned 0x10550000 [0091.737] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xd28fbdc*, pdwDataLen=0xd28fcf0*=0x40, dwBufLen=0x100 | out: pbData=0xd28fbdc*, pdwDataLen=0xd28fcf0*=0x100) returned 1 [0091.738] CryptEncrypt (in: hKey=0x108054c8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x10550000, pdwDataLen=0xd28fcdc*=0x12600, dwBufLen=0x12600 | out: pbData=0x10550000*, pdwDataLen=0xd28fcdc*=0x12600) returned 1 [0091.738] UnmapViewOfFile (lpBaseAddress=0x10550000) returned 1 [0091.739] CloseHandle (hObject=0x44c) returned 1 [0091.739] CryptDestroyKey (hKey=0x108054c8) returned 1 [0091.739] CryptReleaseContext (hProv=0x5d13e8, dwFlags=0x0) returned 1 [0091.739] SetFilePointerEx (in: hFile=0x3d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.739] WriteFile (in: hFile=0x3d4, lpBuffer=0xd28fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xd28fcf0, lpOverlapped=0x0 | out: lpBuffer=0xd28fbdc*, lpNumberOfBytesWritten=0xd28fcf0*=0x100, lpOverlapped=0x0) returned 1 [0091.740] WriteFile (in: hFile=0x3d4, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xd28fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0xd28fcf0*=0x500, lpOverlapped=0x0) returned 1 [0091.740] CloseHandle (hObject=0x3d4) returned 1 [0091.742] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\reveal_medicare_ebay.exe id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0091.743] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0xd28fd28 | out: lpFindFileData=0xd28fd28) returned 1 [0091.743] lstrcmpW (lpString1=".", lpString2="SIGNUP") returned -1 [0091.743] lstrcmpW (lpString1="..", lpString2="SIGNUP") returned -1 [0091.743] lstrcmpiW (lpString1="windows", lpString2="SIGNUP") returned 1 [0091.743] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0091.743] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0091.743] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="SIGNUP" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP" [0091.743] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\*.*" [0091.743] GlobalMemoryStatus (in: lpBuffer=0xd28fd08 | out: lpBuffer=0xd28fd08) [0091.743] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10650388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3d4 [0091.744] CloseHandle (hObject=0x3d4) returned 1 [0091.744] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0xd28fd28 | out: lpFindFileData=0xd28fd28) returned 1 [0091.744] lstrcpyW (in: lpString1=0x3f20868, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0091.744] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0091.744] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta" [0091.744] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\internet explorer\\how to restore files.hta")) returned 0x1 [0091.744] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="sqmapi.dll") returned -1 [0091.744] lstrlenW (lpString="sqmapi.dll") returned 10 [0091.745] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0091.745] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0091.745] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="sqmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\sqmapi.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\sqmapi.dll" [0091.745] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\sqmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\sqmapi.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\sqmapi.dll" [0091.745] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\sqmapi.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\sqmapi.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\sqmapi.dll id-Br3n0G72wUb8CejT.LyaS" [0091.745] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\sqmapi.dll" (normalized: "c:\\program files (x86)\\internet explorer\\sqmapi.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\sqmapi.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\internet explorer\\sqmapi.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.745] FindNextFileW (in: hFindFile=0x5c8550, lpFindFileData=0xd28fd28 | out: lpFindFileData=0xd28fd28) returned 0 [0091.745] FindClose (in: hFindFile=0x5c8550 | out: hFindFile=0x5c8550) returned 1 Thread: id = 195 os_tid = 0xc34 [0091.219] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*", lpFindFileData=0xd3cfd28 | out: lpFindFileData=0xd3cfd28) returned 0x5c85d0 [0091.219] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.219] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0xd3cfd28 | out: lpFindFileData=0xd3cfd28) returned 1 [0091.219] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.219] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.219] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0xd3cfd28 | out: lpFindFileData=0xd3cfd28) returned 1 [0091.219] lstrcpyW (in: lpString1=0x2cf0140, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*" [0091.219] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*") returned 44 [0091.219] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\How To Restore Files.hta" [0091.219] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\microsoft.net\\how to restore files.hta")) returned 0xffffffff [0091.219] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\microsoft.net\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3bc [0091.220] WriteFile (in: hFile=0x3bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xd3cfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xd3cfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0091.221] CloseHandle (hObject=0x3bc) returned 1 [0091.221] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0091.221] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="flavor.exe") returned 1 [0091.221] lstrlenW (lpString="flavor.exe") returned 10 [0091.221] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*" [0091.221] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*") returned 44 [0091.221] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\", lpString2="flavor.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\flavor.exe") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\flavor.exe" [0091.221] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\flavor.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\flavor.exe") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\flavor.exe" [0091.221] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\flavor.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\flavor.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\flavor.exe id-Br3n0G72wUb8CejT.LyaS" [0091.222] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\flavor.exe" (normalized: "c:\\program files (x86)\\microsoft.net\\flavor.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\flavor.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\microsoft.net\\flavor.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0091.222] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\flavor.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\microsoft.net\\flavor.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3bc [0091.222] CreateFileMappingA (hFile=0x3bc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3c0 [0091.223] CryptAcquireContextA (in: phProv=0xd3cfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xd3cfce4*=0x5d18b0) returned 1 [0091.223] CryptGenKey (in: hProv=0x5d18b0, Algid=0x6610, dwFlags=0x1, phKey=0xd3cfce0 | out: phKey=0xd3cfce0*=0x5c91d0) returned 1 [0091.223] CryptExportKey (in: hKey=0x5c91d0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xd3cfbdc, pdwDataLen=0xd3cfcdc | out: pbData=0xd3cfbdc*, pdwDataLen=0xd3cfcdc*=0x2c) returned 1 [0091.223] MapViewOfFile (hFileMappingObject=0x3c0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12600) returned 0x3a40000 [0091.227] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xd3cfbdc*, pdwDataLen=0xd3cfcf0*=0x40, dwBufLen=0x100 | out: pbData=0xd3cfbdc*, pdwDataLen=0xd3cfcf0*=0x100) returned 1 [0091.227] CryptEncrypt (in: hKey=0x5c91d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a40000, pdwDataLen=0xd3cfcdc*=0x12600, dwBufLen=0x12600 | out: pbData=0x3a40000*, pdwDataLen=0xd3cfcdc*=0x12600) returned 1 [0091.228] UnmapViewOfFile (lpBaseAddress=0x3a40000) returned 1 [0091.229] CloseHandle (hObject=0x3c0) returned 1 [0091.229] CryptDestroyKey (hKey=0x5c91d0) returned 1 [0091.229] CryptReleaseContext (hProv=0x5d18b0, dwFlags=0x0) returned 1 [0091.229] SetFilePointerEx (in: hFile=0x3bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.229] WriteFile (in: hFile=0x3bc, lpBuffer=0xd3cfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xd3cfcf0, lpOverlapped=0x0 | out: lpBuffer=0xd3cfbdc*, lpNumberOfBytesWritten=0xd3cfcf0*=0x100, lpOverlapped=0x0) returned 1 [0091.230] WriteFile (in: hFile=0x3bc, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xd3cfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0xd3cfcf0*=0x500, lpOverlapped=0x0) returned 1 [0091.230] CloseHandle (hObject=0x3bc) returned 1 [0091.232] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\flavor.exe id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0091.232] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0xd3cfd28 | out: lpFindFileData=0xd3cfd28) returned 1 [0091.232] lstrcmpW (lpString1=".", lpString2="Primary Interop Assemblies") returned -1 [0091.232] lstrcmpW (lpString1="..", lpString2="Primary Interop Assemblies") returned -1 [0091.232] lstrcmpiW (lpString1="windows", lpString2="Primary Interop Assemblies") returned 1 [0091.236] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*" [0091.236] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*") returned 44 [0091.236] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\", lpString2="Primary Interop Assemblies" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies" [0091.236] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*" [0091.236] GlobalMemoryStatus (in: lpBuffer=0xd3cfd08 | out: lpBuffer=0xd3cfd08) [0091.236] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11166ee8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3bc [0091.237] CloseHandle (hObject=0x3bc) returned 1 [0091.237] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0xd3cfd28 | out: lpFindFileData=0xd3cfd28) returned 1 [0091.237] lstrcmpW (lpString1=".", lpString2="RedistList") returned -1 [0091.237] lstrcmpW (lpString1="..", lpString2="RedistList") returned -1 [0091.237] lstrcmpiW (lpString1="windows", lpString2="RedistList") returned 1 [0091.240] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*" [0091.240] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*") returned 44 [0091.240] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\", lpString2="RedistList" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList" [0091.240] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*" [0091.240] GlobalMemoryStatus (in: lpBuffer=0xd3cfd08 | out: lpBuffer=0xd3cfd08) [0091.240] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1117ef50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3bc [0091.241] CloseHandle (hObject=0x3bc) returned 1 [0091.241] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0xd3cfd28 | out: lpFindFileData=0xd3cfd28) returned 0 [0091.241] FindClose (in: hFindFile=0x5c85d0 | out: hFindFile=0x5c85d0) returned 1 Thread: id = 196 os_tid = 0x62c [0091.242] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*", lpFindFileData=0xd50fd28 | out: lpFindFileData=0xd50fd28) returned 0x5c9210 [0091.264] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.264] FindNextFileW (in: hFindFile=0x5c9210, lpFindFileData=0xd50fd28 | out: lpFindFileData=0xd50fd28) returned 1 [0091.753] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.753] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.753] FindNextFileW (in: hFindFile=0x5c9210, lpFindFileData=0xd50fd28 | out: lpFindFileData=0xd50fd28) returned 1 [0091.753] lstrcpyW (in: lpString1=0x3df0328, lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" [0091.753] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned 46 [0091.753] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\How To Restore Files.hta" [0091.753] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\mozilla firefox\\how to restore files.hta")) returned 0xffffffff [0091.883] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\mozilla firefox\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b4 [0094.889] WriteFile (in: hFile=0x4b4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xd50fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xd50fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.890] CloseHandle (hObject=0x4b4) returned 1 [0094.890] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0096.994] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Accessible.tlb") returned 1 [0096.994] lstrlenW (lpString="Accessible.tlb") returned 14 [0096.994] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" [0096.994] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned 46 [0096.995] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\", lpString2="Accessible.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Accessible.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Accessible.tlb" [0096.995] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Accessible.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Accessible.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Accessible.tlb" [0096.995] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Accessible.tlb", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Accessible.tlb id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Accessible.tlb id-Br3n0G72wUb8CejT.LyaS" [0096.995] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Accessible.tlb" (normalized: "c:\\program files (x86)\\mozilla firefox\\accessible.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Accessible.tlb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\mozilla firefox\\accessible.tlb id-br3n0g72wub8cejt.lyas")) returned 1 [0101.520] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Accessible.tlb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\mozilla firefox\\accessible.tlb id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0101.520] CreateFileMappingA (hFile=0x3d0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x36c [0101.520] CryptAcquireContextA (in: phProv=0xd50fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xd50fce4*=0x1083cb08) returned 1 [0101.521] CryptGenKey (in: hProv=0x1083cb08, Algid=0x6610, dwFlags=0x1, phKey=0xd50fce0 | out: phKey=0xd50fce0*=0x5c8cd0) returned 1 [0101.521] CryptExportKey (in: hKey=0x5c8cd0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xd50fbdc, pdwDataLen=0xd50fcdc | out: pbData=0xd50fbdc*, pdwDataLen=0xd50fcdc*=0x2c) returned 1 [0101.521] MapViewOfFile (hFileMappingObject=0x36c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xbc0) returned 0x4de0000 [0101.548] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xd50fbdc*, pdwDataLen=0xd50fcf0*=0x40, dwBufLen=0x100 | out: pbData=0xd50fbdc*, pdwDataLen=0xd50fcf0*=0x100) returned 1 [0101.549] CryptEncrypt (in: hKey=0x5c8cd0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4de0000*, pdwDataLen=0xd50fcdc*=0xbc0, dwBufLen=0xbc0 | out: pbData=0x4de0000*, pdwDataLen=0xd50fcdc*=0xbc0) returned 1 [0101.549] UnmapViewOfFile (lpBaseAddress=0x4de0000) returned 1 [0101.549] CloseHandle (hObject=0x36c) returned 1 [0101.549] CryptDestroyKey (hKey=0x5c8cd0) returned 1 [0101.549] CryptReleaseContext (hProv=0x1083cb08, dwFlags=0x0) returned 1 [0101.549] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.549] WriteFile (in: hFile=0x3d0, lpBuffer=0xd50fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xd50fcf0, lpOverlapped=0x0 | out: lpBuffer=0xd50fbdc*, lpNumberOfBytesWritten=0xd50fcf0*=0x100, lpOverlapped=0x0) returned 1 [0101.550] WriteFile (in: hFile=0x3d0, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xd50fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0xd50fcf0*=0x500, lpOverlapped=0x0) returned 1 [0101.551] CloseHandle (hObject=0x3d0) returned 1 [0101.561] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Accessible.tlb id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0101.562] FindNextFileW (in: hFindFile=0x5c9210, lpFindFileData=0xd50fd28 | out: lpFindFileData=0xd50fd28) returned 1 [0101.562] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" [0101.562] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned 46 [0101.562] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\How To Restore Files.hta" [0101.562] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\mozilla firefox\\how to restore files.hta")) returned 0x1 [0101.562] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AccessibleMarshal.dll") returned 1 [0101.562] lstrlenW (lpString="AccessibleMarshal.dll") returned 21 [0101.562] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" [0101.562] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned 46 [0101.562] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\", lpString2="AccessibleMarshal.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll" [0101.562] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll" [0101.562] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll id-Br3n0G72wUb8CejT.LyaS" [0101.563] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\accessiblemarshal.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\mozilla firefox\\accessiblemarshal.dll id-br3n0g72wub8cejt.lyas")) returned 1 [0101.564] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\mozilla firefox\\accessiblemarshal.dll id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0101.565] CreateFileMappingA (hFile=0x3d0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x36c [0101.565] CryptAcquireContextA (in: phProv=0xd50fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xd50fce4*=0x1083cfd0) returned 1 [0101.566] CryptGenKey (in: hProv=0x1083cfd0, Algid=0x6610, dwFlags=0x1, phKey=0xd50fce0 | out: phKey=0xd50fce0*=0x210bc8d8) returned 1 [0101.566] CryptExportKey (in: hKey=0x210bc8d8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xd50fbdc, pdwDataLen=0xd50fcdc | out: pbData=0xd50fbdc*, pdwDataLen=0xd50fcdc*=0x2c) returned 1 [0101.566] MapViewOfFile (hFileMappingObject=0x36c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x69c0) Thread: id = 197 os_tid = 0x630 [0091.244] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*", lpFindFileData=0xd64fd28 | out: lpFindFileData=0xd64fd28) returned 0x5c85d0 [0091.245] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.245] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0xd64fd28 | out: lpFindFileData=0xd64fd28) returned 1 [0091.245] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.245] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.245] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0xd64fd28 | out: lpFindFileData=0xd64fd28) returned 1 [0091.245] lstrcmpW (lpString1=".", lpString2="logs") returned -1 [0091.245] lstrcmpW (lpString1="..", lpString2="logs") returned -1 [0091.245] lstrcmpiW (lpString1="windows", lpString2="logs") returned 1 [0091.246] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*" [0091.246] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*") returned 58 [0091.246] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\", lpString2="logs" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs" [0091.246] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\*.*" [0091.246] GlobalMemoryStatus (in: lpBuffer=0xd64fd08 | out: lpBuffer=0xd64fd08) [0091.246] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8cf13d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3c0 [0091.246] CloseHandle (hObject=0x3c0) returned 1 [0091.246] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0xd64fd28 | out: lpFindFileData=0xd64fd28) returned 1 [0091.247] lstrcpyW (in: lpString1=0x2cf0140, lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*" [0091.247] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*") returned 58 [0091.247] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\How To Restore Files.hta" [0091.247] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\how to restore files.hta")) returned 0xffffffff [0091.247] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0091.276] WriteFile (in: hFile=0x354, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xd64fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xd64fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0091.277] CloseHandle (hObject=0x354) returned 1 [0091.277] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0091.277] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="maintenanceservice.exe") returned -1 [0091.277] lstrlenW (lpString="maintenanceservice.exe") returned 22 [0091.277] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*" [0091.277] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*") returned 58 [0091.277] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\", lpString2="maintenanceservice.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe" [0091.277] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe" [0091.277] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe id-Br3n0G72wUb8CejT.LyaS" [0091.277] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\maintenanceservice.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\maintenanceservice.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0091.278] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\maintenanceservice.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0091.278] CreateFileMappingA (hFile=0x354, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3cc [0091.279] CryptAcquireContextA (in: phProv=0xd64fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xd64fce4*=0x5d0e10) returned 1 [0091.279] CryptGenKey (in: hProv=0x5d0e10, Algid=0x6610, dwFlags=0x1, phKey=0xd64fce0 | out: phKey=0xd64fce0*=0x5c8e50) returned 1 [0091.279] CryptExportKey (in: hKey=0x5c8e50, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xd64fbdc, pdwDataLen=0xd64fcdc | out: pbData=0xd64fbdc*, pdwDataLen=0xd64fcdc*=0x2c) returned 1 [0091.279] MapViewOfFile (hFileMappingObject=0x3cc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2a5c0) returned 0x4dc0000 [0093.230] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xd64fbdc*, pdwDataLen=0xd64fcf0*=0x40, dwBufLen=0x100 | out: pbData=0xd64fbdc*, pdwDataLen=0xd64fcf0*=0x100) returned 1 [0093.230] CryptEncrypt (in: hKey=0x5c8e50, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4dc0000, pdwDataLen=0xd64fcdc*=0x2a5c0, dwBufLen=0x2a5c0 | out: pbData=0x4dc0000*, pdwDataLen=0xd64fcdc*=0x2a5c0) returned 1 [0094.208] UnmapViewOfFile (lpBaseAddress=0x4dc0000) returned 1 [0094.210] CloseHandle (hObject=0x3cc) returned 1 [0094.210] CryptDestroyKey (hKey=0x5c8e50) returned 1 [0094.210] CryptReleaseContext (hProv=0x5d0e10, dwFlags=0x0) returned 1 [0094.210] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.210] WriteFile (in: hFile=0x354, lpBuffer=0xd64fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xd64fcf0, lpOverlapped=0x0 | out: lpBuffer=0xd64fbdc*, lpNumberOfBytesWritten=0xd64fcf0*=0x100, lpOverlapped=0x0) returned 1 [0094.561] WriteFile (in: hFile=0x354, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xd64fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0xd64fcf0*=0x500, lpOverlapped=0x0) returned 1 [0094.561] CloseHandle (hObject=0x354) returned 1 [0094.568] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0094.569] FindNextFileW (in: hFindFile=0x5c85d0, lpFindFileData=0xd64fd28 | out: lpFindFileData=0xd64fd28) returned 1 [0094.928] lstrcpyW (in: lpString1=0x89b8660, lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*" [0094.928] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*") returned 58 [0094.928] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\How To Restore Files.hta" [0094.928] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\how to restore files.hta")) returned 0x1 [0097.233] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Uninstall.exe") returned -1 [0097.233] lstrlenW (lpString="Uninstall.exe") returned 13 [0097.233] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*" [0097.233] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*") returned 58 [0097.233] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\", lpString2="Uninstall.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe" [0097.233] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe" [0097.233] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe id-Br3n0G72wUb8CejT.LyaS" [0097.233] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\uninstall.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\uninstall.exe id-br3n0g72wub8cejt.lyas")) Thread: id = 198 os_tid = 0x568 [0091.248] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\*.*", lpFindFileData=0xd78fd28 | out: lpFindFileData=0xd78fd28) returned 0x5c91d0 [0091.248] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.248] FindNextFileW (in: hFindFile=0x5c91d0, lpFindFileData=0xd78fd28 | out: lpFindFileData=0xd78fd28) returned 1 [0091.248] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.248] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.248] FindNextFileW (in: hFindFile=0x5c91d0, lpFindFileData=0xd78fd28 | out: lpFindFileData=0xd78fd28) returned 1 [0091.248] lstrcmpW (lpString1=".", lpString2="Microsoft") returned -1 [0091.248] lstrcmpW (lpString1="..", lpString2="Microsoft") returned -1 [0091.248] lstrcmpiW (lpString1="windows", lpString2="Microsoft") returned 1 [0091.252] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\MSBuild\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\*.*" [0091.252] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\MSBuild\\*.*") returned 38 [0091.252] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\", lpString2="Microsoft" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft" [0091.252] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\*.*" [0091.252] GlobalMemoryStatus (in: lpBuffer=0xd78fd08 | out: lpBuffer=0xd78fd08) [0091.252] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11196fb8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3c4 [0091.253] CloseHandle (hObject=0x3c4) returned 1 [0091.253] FindNextFileW (in: hFindFile=0x5c91d0, lpFindFileData=0xd78fd28 | out: lpFindFileData=0xd78fd28) returned 0 [0091.253] FindClose (in: hFindFile=0x5c91d0 | out: hFindFile=0x5c91d0) returned 1 Thread: id = 199 os_tid = 0x6cc [0091.256] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\*.*", lpFindFileData=0xd8cfd28 | out: lpFindFileData=0xd8cfd28) returned 0x5c91d0 [0091.256] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.256] FindNextFileW (in: hFindFile=0x5c91d0, lpFindFileData=0xd8cfd28 | out: lpFindFileData=0xd8cfd28) returned 1 [0091.256] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.257] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.257] FindNextFileW (in: hFindFile=0x5c91d0, lpFindFileData=0xd8cfd28 | out: lpFindFileData=0xd8cfd28) returned 1 [0091.257] lstrcmpW (lpString1=".", lpString2="Microsoft") returned -1 [0091.257] lstrcmpW (lpString1="..", lpString2="Microsoft") returned -1 [0091.257] lstrcmpiW (lpString1="windows", lpString2="Microsoft") returned 1 [0091.257] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\*.*" [0091.257] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\*.*") returned 51 [0091.257] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\", lpString2="Microsoft" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft" [0091.257] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\*.*" [0091.257] GlobalMemoryStatus (in: lpBuffer=0xd8cfd08 | out: lpBuffer=0xd8cfd08) [0091.257] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8d39508, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3c4 [0091.258] CloseHandle (hObject=0x3c4) returned 1 [0091.258] FindNextFileW (in: hFindFile=0x5c91d0, lpFindFileData=0xd8cfd28 | out: lpFindFileData=0xd8cfd28) returned 0 [0091.258] FindClose (in: hFindFile=0x5c91d0 | out: hFindFile=0x5c91d0) returned 1 Thread: id = 200 os_tid = 0x6e8 [0091.259] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*", lpFindFileData=0xda0fd28 | out: lpFindFileData=0xda0fd28) returned 0x5c91d0 [0091.259] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.259] FindNextFileW (in: hFindFile=0x5c91d0, lpFindFileData=0xda0fd28 | out: lpFindFileData=0xda0fd28) returned 1 [0091.259] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.259] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.259] FindNextFileW (in: hFindFile=0x5c91d0, lpFindFileData=0xda0fd28 | out: lpFindFileData=0xda0fd28) returned 1 [0091.260] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0091.260] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0091.260] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0091.260] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0091.260] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned 47 [0091.260] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US" [0091.260] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*" [0091.260] GlobalMemoryStatus (in: lpBuffer=0xda0fd08 | out: lpBuffer=0xda0fd08) [0091.260] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8d51570, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3c4 [0091.260] CloseHandle (hObject=0x3c4) returned 1 [0091.261] FindNextFileW (in: hFindFile=0x5c91d0, lpFindFileData=0xda0fd28 | out: lpFindFileData=0xda0fd28) returned 1 [0091.261] lstrcpyW (in: lpString1=0x107c0940, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0091.261] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned 47 [0091.261] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta" [0091.261] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows defender\\how to restore files.hta")) returned 0xffffffff [0091.261] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0091.261] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xda0fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xda0fcf0, lpOverlapped=0x0) returned 0 [0091.261] CloseHandle (hObject=0xffffffff) returned 1 [0091.261] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0091.261] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="EppManifest.dll") returned 1 [0091.261] lstrlenW (lpString="EppManifest.dll") returned 15 [0091.261] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0091.262] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned 47 [0091.262] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\", lpString2="EppManifest.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\EppManifest.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\EppManifest.dll" [0091.262] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\EppManifest.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\EppManifest.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\EppManifest.dll" [0091.262] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\EppManifest.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\EppManifest.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\EppManifest.dll id-Br3n0G72wUb8CejT.LyaS" [0091.262] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\EppManifest.dll" (normalized: "c:\\program files (x86)\\windows defender\\eppmanifest.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\EppManifest.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows defender\\eppmanifest.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.313] FindNextFileW (in: hFindFile=0x5c91d0, lpFindFileData=0xda0fd28 | out: lpFindFileData=0xda0fd28) returned 1 [0091.313] lstrcpyW (in: lpString1=0x5a88460, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0091.313] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned 47 [0091.313] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta" [0091.313] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows defender\\how to restore files.hta")) returned 0xffffffff [0091.313] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0091.314] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xda0fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xda0fcf0, lpOverlapped=0x0) returned 0 [0091.314] CloseHandle (hObject=0xffffffff) returned 1 [0091.314] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0091.314] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MpAsDesc.dll") returned -1 [0091.314] lstrlenW (lpString="MpAsDesc.dll") returned 12 [0091.314] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0091.314] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned 47 [0091.314] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\", lpString2="MpAsDesc.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpAsDesc.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpAsDesc.dll" [0091.314] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpAsDesc.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpAsDesc.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpAsDesc.dll" [0091.314] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpAsDesc.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpAsDesc.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpAsDesc.dll id-Br3n0G72wUb8CejT.LyaS" [0091.314] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpAsDesc.dll" (normalized: "c:\\program files (x86)\\windows defender\\mpasdesc.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpAsDesc.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows defender\\mpasdesc.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.315] FindNextFileW (in: hFindFile=0x5c91d0, lpFindFileData=0xda0fd28 | out: lpFindFileData=0xda0fd28) returned 1 [0091.315] lstrcpyW (in: lpString1=0x5a88460, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0091.315] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned 47 [0091.315] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta" [0091.315] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows defender\\how to restore files.hta")) returned 0xffffffff [0091.315] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0091.315] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xda0fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xda0fcf0, lpOverlapped=0x0) returned 0 [0091.315] CloseHandle (hObject=0xffffffff) returned 1 [0091.315] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0091.315] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MpClient.dll") returned -1 [0091.315] lstrlenW (lpString="MpClient.dll") returned 12 [0091.316] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0091.316] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned 47 [0091.316] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\", lpString2="MpClient.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpClient.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpClient.dll" [0091.316] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpClient.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpClient.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpClient.dll" [0091.316] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpClient.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpClient.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpClient.dll id-Br3n0G72wUb8CejT.LyaS" [0091.316] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpClient.dll" (normalized: "c:\\program files (x86)\\windows defender\\mpclient.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpClient.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows defender\\mpclient.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.389] FindNextFileW (in: hFindFile=0x5c91d0, lpFindFileData=0xda0fd28 | out: lpFindFileData=0xda0fd28) returned 1 [0091.389] lstrcpyW (in: lpString1=0x5b28730, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0091.389] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned 47 [0091.389] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta" [0091.389] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows defender\\how to restore files.hta")) returned 0xffffffff [0091.389] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0091.390] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xda0fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xda0fcf0, lpOverlapped=0x0) returned 0 [0091.390] CloseHandle (hObject=0xffffffff) returned 1 [0091.390] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0091.390] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MpOAV.dll") returned -1 [0091.390] lstrlenW (lpString="MpOAV.dll") returned 9 [0091.390] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0091.390] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned 47 [0091.390] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\", lpString2="MpOAV.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpOAV.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpOAV.dll" [0091.390] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpOAV.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpOAV.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpOAV.dll" [0091.390] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpOAV.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpOAV.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpOAV.dll id-Br3n0G72wUb8CejT.LyaS" [0091.390] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpOAV.dll" (normalized: "c:\\program files (x86)\\windows defender\\mpoav.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpOAV.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows defender\\mpoav.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.564] FindNextFileW (in: hFindFile=0x5c91d0, lpFindFileData=0xda0fd28 | out: lpFindFileData=0xda0fd28) returned 1 [0091.564] lstrcpyW (in: lpString1=0x5b30738, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0091.564] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned 47 [0091.564] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta" [0091.564] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows defender\\how to restore files.hta")) returned 0xffffffff [0091.565] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0091.565] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xda0fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xda0fcf0, lpOverlapped=0x0) returned 0 [0091.565] CloseHandle (hObject=0xffffffff) returned 1 [0091.565] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0091.565] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MsMpLics.dll") returned -1 [0091.565] lstrlenW (lpString="MsMpLics.dll") returned 12 [0091.565] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0091.565] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned 47 [0091.565] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\", lpString2="MsMpLics.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MsMpLics.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MsMpLics.dll" [0091.565] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MsMpLics.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MsMpLics.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MsMpLics.dll" [0091.565] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MsMpLics.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MsMpLics.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MsMpLics.dll id-Br3n0G72wUb8CejT.LyaS" [0091.565] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MsMpLics.dll" (normalized: "c:\\program files (x86)\\windows defender\\msmplics.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MsMpLics.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows defender\\msmplics.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.566] FindNextFileW (in: hFindFile=0x5c91d0, lpFindFileData=0xda0fd28 | out: lpFindFileData=0xda0fd28) returned 1 [0091.566] lstrcpyW (in: lpString1=0x5b30738, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0091.566] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned 47 [0091.566] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta" [0091.566] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows defender\\how to restore files.hta")) returned 0xffffffff [0091.566] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows defender\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0091.566] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xda0fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xda0fcf0, lpOverlapped=0x0) returned 0 [0091.566] CloseHandle (hObject=0xffffffff) returned 1 [0091.566] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0091.567] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="shellext.dll") returned -1 [0091.567] lstrlenW (lpString="shellext.dll") returned 12 [0091.567] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0091.567] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned 47 [0091.567] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\", lpString2="shellext.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\shellext.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\shellext.dll" [0091.567] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\shellext.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\shellext.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\shellext.dll" [0091.567] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\shellext.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\shellext.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\shellext.dll id-Br3n0G72wUb8CejT.LyaS" [0091.567] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\shellext.dll" (normalized: "c:\\program files (x86)\\windows defender\\shellext.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\shellext.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows defender\\shellext.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.570] FindNextFileW (in: hFindFile=0x5c91d0, lpFindFileData=0xda0fd28 | out: lpFindFileData=0xda0fd28) returned 0 [0091.570] FindClose (in: hFindFile=0x5c91d0 | out: hFindFile=0x5c91d0) returned 1 Thread: id = 201 os_tid = 0x71c [0091.262] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*", lpFindFileData=0xdb4fd28 | out: lpFindFileData=0xdb4fd28) returned 0x5c9350 [0091.322] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.322] FindNextFileW (in: hFindFile=0x5c9350, lpFindFileData=0xdb4fd28 | out: lpFindFileData=0xdb4fd28) returned 1 [0091.322] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.322] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.322] FindNextFileW (in: hFindFile=0x5c9350, lpFindFileData=0xdb4fd28 | out: lpFindFileData=0xdb4fd28) returned 1 [0091.322] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0091.322] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0091.322] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0091.322] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0091.322] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0091.322] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US" [0091.322] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*" [0091.322] GlobalMemoryStatus (in: lpBuffer=0xdb4fd08 | out: lpBuffer=0xdb4fd08) [0091.323] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8e29918, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3dc [0091.323] CloseHandle (hObject=0x3dc) returned 1 [0091.323] FindNextFileW (in: hFindFile=0x5c9350, lpFindFileData=0xdb4fd28 | out: lpFindFileData=0xdb4fd28) returned 1 [0091.323] lstrcpyW (in: lpString1=0x5a88460, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0091.324] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0091.324] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\How To Restore Files.hta" [0091.324] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows mail\\how to restore files.hta")) returned 0xffffffff [0091.324] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows mail\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ec [0091.392] WriteFile (in: hFile=0x3ec, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xdb4fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xdb4fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0091.393] CloseHandle (hObject=0x3ec) returned 1 [0091.393] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0091.394] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msoe.dll") returned -1 [0091.394] lstrlenW (lpString="msoe.dll") returned 8 [0091.394] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0091.394] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0091.394] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="msoe.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\msoe.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\msoe.dll" [0091.394] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\msoe.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\msoe.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\msoe.dll" [0091.394] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\msoe.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\msoe.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\msoe.dll id-Br3n0G72wUb8CejT.LyaS" [0091.394] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\msoe.dll" (normalized: "c:\\program files (x86)\\windows mail\\msoe.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\msoe.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows mail\\msoe.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.598] FindNextFileW (in: hFindFile=0x5c9350, lpFindFileData=0xdb4fd28 | out: lpFindFileData=0xdb4fd28) returned 1 [0091.598] lstrcpyW (in: lpString1=0x3e08390, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0091.598] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0091.598] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\How To Restore Files.hta" [0091.598] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows mail\\how to restore files.hta")) returned 0x1 [0091.598] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MSOERES.dll") returned -1 [0091.598] lstrlenW (lpString="MSOERES.dll") returned 11 [0091.598] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0091.598] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0091.598] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="MSOERES.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\MSOERES.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\MSOERES.dll" [0091.598] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\MSOERES.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\MSOERES.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\MSOERES.dll" [0091.598] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\MSOERES.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\MSOERES.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\MSOERES.dll id-Br3n0G72wUb8CejT.LyaS" [0091.598] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\MSOERES.dll" (normalized: "c:\\program files (x86)\\windows mail\\msoeres.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\MSOERES.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows mail\\msoeres.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.599] FindNextFileW (in: hFindFile=0x5c9350, lpFindFileData=0xdb4fd28 | out: lpFindFileData=0xdb4fd28) returned 1 [0091.599] lstrcpyW (in: lpString1=0x3e08390, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0091.599] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0091.599] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\How To Restore Files.hta" [0091.599] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows mail\\how to restore files.hta")) returned 0x1 [0091.599] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="oeimport.dll") returned -1 [0091.599] lstrlenW (lpString="oeimport.dll") returned 12 [0091.599] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0091.599] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0091.599] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="oeimport.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\oeimport.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\oeimport.dll" [0091.599] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\oeimport.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\oeimport.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\oeimport.dll" [0091.599] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\oeimport.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\oeimport.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\oeimport.dll id-Br3n0G72wUb8CejT.LyaS" [0091.599] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\oeimport.dll" (normalized: "c:\\program files (x86)\\windows mail\\oeimport.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\oeimport.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows mail\\oeimport.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.784] FindNextFileW (in: hFindFile=0x5c9350, lpFindFileData=0xdb4fd28 | out: lpFindFileData=0xdb4fd28) returned 1 [0091.784] lstrcpyW (in: lpString1=0x5b30738, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0091.784] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0091.784] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\How To Restore Files.hta" [0091.784] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows mail\\how to restore files.hta")) returned 0x1 [0091.784] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wab.exe") returned -1 [0091.784] lstrlenW (lpString="wab.exe") returned 7 [0091.784] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0091.784] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0091.784] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="wab.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wab.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wab.exe" [0091.784] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wab.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wab.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wab.exe" [0091.784] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wab.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wab.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wab.exe id-Br3n0G72wUb8CejT.LyaS" [0091.784] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wab.exe" (normalized: "c:\\program files (x86)\\windows mail\\wab.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wab.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows mail\\wab.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0093.274] FindNextFileW (in: hFindFile=0x5c9350, lpFindFileData=0xdb4fd28 | out: lpFindFileData=0xdb4fd28) returned 1 [0094.129] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0094.129] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0094.129] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\How To Restore Files.hta" [0094.129] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows mail\\how to restore files.hta")) returned 0x1 [0094.129] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wabimp.dll") returned -1 [0094.130] lstrlenW (lpString="wabimp.dll") returned 10 [0094.130] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0094.130] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0094.130] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="wabimp.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabimp.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabimp.dll" [0094.130] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabimp.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabimp.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabimp.dll" [0094.130] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabimp.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabimp.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabimp.dll id-Br3n0G72wUb8CejT.LyaS" [0094.130] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabimp.dll" (normalized: "c:\\program files (x86)\\windows mail\\wabimp.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabimp.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows mail\\wabimp.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0094.130] FindNextFileW (in: hFindFile=0x5c9350, lpFindFileData=0xdb4fd28 | out: lpFindFileData=0xdb4fd28) returned 1 [0094.130] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0094.130] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0094.131] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\How To Restore Files.hta" [0094.131] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows mail\\how to restore files.hta")) returned 0x1 [0094.131] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wabmig.exe") returned -1 [0094.131] lstrlenW (lpString="wabmig.exe") returned 10 [0094.131] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0094.131] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0094.131] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="wabmig.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabmig.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabmig.exe" [0094.131] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabmig.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabmig.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabmig.exe" [0094.131] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabmig.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabmig.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabmig.exe id-Br3n0G72wUb8CejT.LyaS" [0094.131] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabmig.exe" (normalized: "c:\\program files (x86)\\windows mail\\wabmig.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabmig.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows mail\\wabmig.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0094.131] FindNextFileW (in: hFindFile=0x5c9350, lpFindFileData=0xdb4fd28 | out: lpFindFileData=0xdb4fd28) returned 1 [0094.131] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0094.131] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0094.131] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\How To Restore Files.hta" [0094.131] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows mail\\how to restore files.hta")) returned 0x1 [0094.132] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="WinMail.exe") returned -1 [0094.132] lstrlenW (lpString="WinMail.exe") returned 11 [0094.132] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0094.132] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0094.132] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="WinMail.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\WinMail.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\WinMail.exe" [0094.132] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\WinMail.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\WinMail.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\WinMail.exe" [0094.132] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\WinMail.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\WinMail.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\WinMail.exe id-Br3n0G72wUb8CejT.LyaS" [0094.132] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\WinMail.exe" (normalized: "c:\\program files (x86)\\windows mail\\winmail.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\WinMail.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows mail\\winmail.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0094.132] FindNextFileW (in: hFindFile=0x5c9350, lpFindFileData=0xdb4fd28 | out: lpFindFileData=0xdb4fd28) returned 0 [0094.132] FindClose (in: hFindFile=0x5c9350 | out: hFindFile=0x5c9350) returned 1 Thread: id = 202 os_tid = 0x714 [0091.264] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*", lpFindFileData=0xdc8fd28 | out: lpFindFileData=0xdc8fd28) returned 0x5c9250 [0091.264] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.264] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0xdc8fd28 | out: lpFindFileData=0xdc8fd28) returned 1 [0091.264] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.265] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.265] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0xdc8fd28 | out: lpFindFileData=0xdc8fd28) returned 1 [0091.265] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0091.265] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0091.265] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0091.268] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0091.268] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0091.268] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US" [0091.268] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" [0091.268] GlobalMemoryStatus (in: lpBuffer=0xdc8fd08 | out: lpBuffer=0xdc8fd08) [0091.268] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x111af020, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3cc [0091.269] CloseHandle (hObject=0x3cc) returned 1 [0091.269] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0xdc8fd28 | out: lpFindFileData=0xdc8fd28) returned 1 [0091.269] lstrcmpW (lpString1=".", lpString2="Icons") returned -1 [0091.269] lstrcmpW (lpString1="..", lpString2="Icons") returned -1 [0091.269] lstrcmpiW (lpString1="windows", lpString2="Icons") returned 1 [0091.272] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0091.272] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0091.272] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="Icons" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Icons") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Icons" [0091.272] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Icons", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Icons\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Icons\\*.*" [0091.272] GlobalMemoryStatus (in: lpBuffer=0xdc8fd08 | out: lpBuffer=0xdc8fd08) [0091.272] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x111c7088, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3cc [0091.273] CloseHandle (hObject=0x3cc) returned 1 [0091.273] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0xdc8fd28 | out: lpFindFileData=0xdc8fd28) returned 1 [0091.273] lstrcpyW (in: lpString1=0x107c0940, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0091.273] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0091.273] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta" [0091.273] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows media player\\how to restore files.hta")) returned 0xffffffff [0091.273] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows media player\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3dc [0091.335] WriteFile (in: hFile=0x3dc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xdc8fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xdc8fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0091.336] CloseHandle (hObject=0x3dc) returned 1 [0091.336] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0091.337] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="kg_tools_them.exe") returned -1 [0091.337] lstrlenW (lpString="kg_tools_them.exe") returned 17 [0091.337] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0091.337] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0091.337] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="kg_tools_them.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\kg_tools_them.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\kg_tools_them.exe" [0091.337] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\kg_tools_them.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\kg_tools_them.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\kg_tools_them.exe" [0091.337] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\kg_tools_them.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\kg_tools_them.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\kg_tools_them.exe id-Br3n0G72wUb8CejT.LyaS" [0091.337] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\kg_tools_them.exe" (normalized: "c:\\program files (x86)\\windows media player\\kg_tools_them.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\kg_tools_them.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows media player\\kg_tools_them.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0091.338] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\kg_tools_them.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows media player\\kg_tools_them.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3dc [0091.338] CreateFileMappingA (hFile=0x3dc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3e0 [0091.338] CryptAcquireContextA (in: phProv=0xdc8fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xdc8fce4*=0x5d18b0) returned 1 [0091.339] CryptGenKey (in: hProv=0x5d18b0, Algid=0x6610, dwFlags=0x1, phKey=0xdc8fce0 | out: phKey=0xdc8fce0*=0x5c9390) returned 1 [0091.339] CryptExportKey (in: hKey=0x5c9390, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xdc8fbdc, pdwDataLen=0xdc8fcdc | out: pbData=0xdc8fbdc*, pdwDataLen=0xdc8fcdc*=0x2c) returned 1 [0091.339] MapViewOfFile (hFileMappingObject=0x3e0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12600) returned 0x4e30000 [0091.343] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xdc8fbdc*, pdwDataLen=0xdc8fcf0*=0x40, dwBufLen=0x100 | out: pbData=0xdc8fbdc*, pdwDataLen=0xdc8fcf0*=0x100) returned 1 [0091.343] CryptEncrypt (in: hKey=0x5c9390, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4e30000, pdwDataLen=0xdc8fcdc*=0x12600, dwBufLen=0x12600 | out: pbData=0x4e30000*, pdwDataLen=0xdc8fcdc*=0x12600) returned 1 [0091.344] UnmapViewOfFile (lpBaseAddress=0x4e30000) returned 1 [0091.345] CloseHandle (hObject=0x3e0) returned 1 [0091.345] CryptDestroyKey (hKey=0x5c9390) returned 1 [0091.345] CryptReleaseContext (hProv=0x5d18b0, dwFlags=0x0) returned 1 [0091.345] SetFilePointerEx (in: hFile=0x3dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.345] WriteFile (in: hFile=0x3dc, lpBuffer=0xdc8fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xdc8fcf0, lpOverlapped=0x0 | out: lpBuffer=0xdc8fbdc*, lpNumberOfBytesWritten=0xdc8fcf0*=0x100, lpOverlapped=0x0) returned 1 [0091.346] WriteFile (in: hFile=0x3dc, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xdc8fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0xdc8fcf0*=0x500, lpOverlapped=0x0) returned 1 [0091.346] CloseHandle (hObject=0x3dc) returned 1 [0091.348] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\kg_tools_them.exe id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0091.348] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0xdc8fd28 | out: lpFindFileData=0xdc8fd28) returned 1 [0091.348] lstrcmpW (lpString1=".", lpString2="Media Renderer") returned -1 [0091.348] lstrcmpW (lpString1="..", lpString2="Media Renderer") returned -1 [0091.348] lstrcmpiW (lpString1="windows", lpString2="Media Renderer") returned 1 [0091.348] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0091.349] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0091.349] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="Media Renderer" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer" [0091.349] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" [0091.349] GlobalMemoryStatus (in: lpBuffer=0xdc8fd08 | out: lpBuffer=0xdc8fd08) [0091.349] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x59f01e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3dc [0091.349] CloseHandle (hObject=0x3dc) returned 1 [0091.349] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0xdc8fd28 | out: lpFindFileData=0xdc8fd28) returned 1 [0091.349] lstrcpyW (in: lpString1=0x5a90468, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0091.349] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0091.349] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta" [0091.349] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows media player\\how to restore files.hta")) returned 0x1 [0091.350] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="mpvis.DLL") returned -1 [0091.350] lstrlenW (lpString="mpvis.DLL") returned 9 [0091.350] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0091.350] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0091.350] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="mpvis.DLL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\mpvis.DLL") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\mpvis.DLL" [0091.350] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\mpvis.DLL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\mpvis.DLL") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\mpvis.DLL" [0091.350] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\mpvis.DLL", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\mpvis.DLL id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\mpvis.DLL id-Br3n0G72wUb8CejT.LyaS" [0091.350] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\mpvis.DLL" (normalized: "c:\\program files (x86)\\windows media player\\mpvis.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\mpvis.DLL id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows media player\\mpvis.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.350] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0xdc8fd28 | out: lpFindFileData=0xdc8fd28) returned 1 [0091.350] lstrcmpW (lpString1=".", lpString2="Network Sharing") returned -1 [0091.350] lstrcmpW (lpString1="..", lpString2="Network Sharing") returned -1 [0091.350] lstrcmpiW (lpString1="windows", lpString2="Network Sharing") returned 1 [0091.353] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0091.353] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0091.353] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="Network Sharing" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Network Sharing") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Network Sharing" [0091.353] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Network Sharing", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\*.*" [0091.353] GlobalMemoryStatus (in: lpBuffer=0xdc8fd08 | out: lpBuffer=0xdc8fd08) [0091.353] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1126f360, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3dc [0091.354] CloseHandle (hObject=0x3dc) returned 1 [0091.354] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0xdc8fd28 | out: lpFindFileData=0xdc8fd28) returned 1 [0091.354] lstrcpyW (in: lpString1=0x5a90468, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0091.354] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0091.354] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta" [0091.354] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows media player\\how to restore files.hta")) returned 0x1 [0091.355] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="setup_wm.exe") returned -1 [0091.355] lstrlenW (lpString="setup_wm.exe") returned 12 [0091.355] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0091.355] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0091.355] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="setup_wm.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\setup_wm.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\setup_wm.exe" [0091.355] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\setup_wm.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\setup_wm.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\setup_wm.exe" [0091.355] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\setup_wm.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\setup_wm.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\setup_wm.exe id-Br3n0G72wUb8CejT.LyaS" [0091.355] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\setup_wm.exe" (normalized: "c:\\program files (x86)\\windows media player\\setup_wm.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\setup_wm.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows media player\\setup_wm.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0093.233] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0xdc8fd28 | out: lpFindFileData=0xdc8fd28) returned 1 [0093.233] lstrcmpW (lpString1=".", lpString2="Skins") returned -1 [0093.233] lstrcmpW (lpString1="..", lpString2="Skins") returned -1 [0093.233] lstrcmpiW (lpString1="windows", lpString2="Skins") returned 1 [0094.163] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0094.163] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0094.163] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="Skins" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins" [0094.163] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\*.*" [0094.163] GlobalMemoryStatus (in: lpBuffer=0xdc8fd08 | out: lpBuffer=0xdc8fd08) [0094.163] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x109e0e60, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3f0 [0094.164] CloseHandle (hObject=0x3f0) returned 1 [0094.164] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0xdc8fd28 | out: lpFindFileData=0xdc8fd28) returned 1 [0094.164] lstrcmpW (lpString1=".", lpString2="Visualizations") returned -1 [0094.164] lstrcmpW (lpString1="..", lpString2="Visualizations") returned -1 [0094.164] lstrcmpiW (lpString1="windows", lpString2="Visualizations") returned 1 [0094.164] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0094.164] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0094.164] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="Visualizations" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Visualizations") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Visualizations" [0094.164] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Visualizations", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Visualizations\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Visualizations\\*.*" [0094.164] GlobalMemoryStatus (in: lpBuffer=0xdc8fd08 | out: lpBuffer=0xdc8fd08) [0094.164] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5c28b50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3f0 [0094.165] CloseHandle (hObject=0x3f0) returned 1 [0094.165] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0xdc8fd28 | out: lpFindFileData=0xdc8fd28) returned 1 [0094.165] lstrcpyW (in: lpString1=0x8d91650, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0094.165] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0094.166] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta" [0094.166] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows media player\\how to restore files.hta")) returned 0x1 [0094.166] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wmlaunch.exe") returned -1 [0094.166] lstrlenW (lpString="wmlaunch.exe") returned 12 [0094.166] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0094.166] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0094.166] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="wmlaunch.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmlaunch.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmlaunch.exe" [0094.166] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmlaunch.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmlaunch.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmlaunch.exe" [0094.166] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmlaunch.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmlaunch.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmlaunch.exe id-Br3n0G72wUb8CejT.LyaS" [0094.166] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmlaunch.exe" (normalized: "c:\\program files (x86)\\windows media player\\wmlaunch.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmlaunch.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows media player\\wmlaunch.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0094.166] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0xdc8fd28 | out: lpFindFileData=0xdc8fd28) returned 1 [0094.167] lstrcpyW (in: lpString1=0x8d91650, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0094.167] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0094.167] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta" [0094.167] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows media player\\how to restore files.hta")) returned 0x1 [0094.167] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wmpconfig.exe") returned -1 [0094.167] lstrlenW (lpString="wmpconfig.exe") returned 13 [0094.167] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0094.167] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0094.167] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="wmpconfig.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpconfig.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpconfig.exe" [0094.167] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpconfig.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpconfig.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpconfig.exe" [0094.167] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpconfig.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpconfig.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpconfig.exe id-Br3n0G72wUb8CejT.LyaS" [0094.167] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpconfig.exe" (normalized: "c:\\program files (x86)\\windows media player\\wmpconfig.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpconfig.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows media player\\wmpconfig.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0094.167] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0xdc8fd28 | out: lpFindFileData=0xdc8fd28) returned 1 [0094.167] lstrcpyW (in: lpString1=0x8d91650, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0094.168] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0094.168] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta" [0094.168] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows media player\\how to restore files.hta")) returned 0x1 [0094.168] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wmplayer.exe") returned -1 [0094.168] lstrlenW (lpString="wmplayer.exe") returned 12 [0094.168] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0094.168] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0094.168] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="wmplayer.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe" [0094.168] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe" [0094.168] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe id-Br3n0G72wUb8CejT.LyaS" [0094.168] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe" (normalized: "c:\\program files (x86)\\windows media player\\wmplayer.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows media player\\wmplayer.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0094.169] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0xdc8fd28 | out: lpFindFileData=0xdc8fd28) returned 1 [0094.169] lstrcpyW (in: lpString1=0x8d91650, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0094.169] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0094.169] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta" [0094.169] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows media player\\how to restore files.hta")) returned 0x1 [0094.169] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="WMPMediaSharing.dll") returned -1 [0094.169] lstrlenW (lpString="WMPMediaSharing.dll") returned 19 [0094.169] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0094.169] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0094.169] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="WMPMediaSharing.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPMediaSharing.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPMediaSharing.dll" [0094.169] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPMediaSharing.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPMediaSharing.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPMediaSharing.dll" [0094.169] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPMediaSharing.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPMediaSharing.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPMediaSharing.dll id-Br3n0G72wUb8CejT.LyaS" [0094.169] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPMediaSharing.dll" (normalized: "c:\\program files (x86)\\windows media player\\wmpmediasharing.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPMediaSharing.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows media player\\wmpmediasharing.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0094.171] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0xdc8fd28 | out: lpFindFileData=0xdc8fd28) returned 1 [0094.171] lstrcpyW (in: lpString1=0x8d91650, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0094.171] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0094.171] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta" [0094.171] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows media player\\how to restore files.hta")) returned 0x1 [0094.171] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wmpnssci.dll") returned -1 [0094.171] lstrlenW (lpString="wmpnssci.dll") returned 12 [0094.171] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0094.171] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0094.172] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="wmpnssci.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpnssci.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpnssci.dll" [0094.172] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpnssci.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpnssci.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpnssci.dll" [0094.172] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpnssci.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpnssci.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpnssci.dll id-Br3n0G72wUb8CejT.LyaS" [0094.172] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpnssci.dll" (normalized: "c:\\program files (x86)\\windows media player\\wmpnssci.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpnssci.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows media player\\wmpnssci.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0094.173] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0xdc8fd28 | out: lpFindFileData=0xdc8fd28) returned 1 [0094.173] lstrcpyW (in: lpString1=0x8d91650, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0094.173] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0094.173] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta" [0094.173] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows media player\\how to restore files.hta")) returned 0x1 [0094.173] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="WMPNSSUI.dll") returned -1 [0094.173] lstrlenW (lpString="WMPNSSUI.dll") returned 12 [0094.173] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0094.173] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0094.173] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="WMPNSSUI.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPNSSUI.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPNSSUI.dll" [0094.173] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPNSSUI.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPNSSUI.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPNSSUI.dll" [0094.173] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPNSSUI.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPNSSUI.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPNSSUI.dll id-Br3n0G72wUb8CejT.LyaS" [0094.173] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPNSSUI.dll" (normalized: "c:\\program files (x86)\\windows media player\\wmpnssui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPNSSUI.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows media player\\wmpnssui.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0094.174] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0xdc8fd28 | out: lpFindFileData=0xdc8fd28) returned 1 [0094.174] lstrcpyW (in: lpString1=0x8d91650, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0094.174] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0094.174] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta" [0094.174] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows media player\\how to restore files.hta")) returned 0x1 [0094.174] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wmprph.exe") returned -1 [0094.174] lstrlenW (lpString="wmprph.exe") returned 10 [0094.174] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0094.174] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0094.174] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="wmprph.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmprph.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmprph.exe" [0094.174] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmprph.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmprph.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmprph.exe" [0094.174] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmprph.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmprph.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmprph.exe id-Br3n0G72wUb8CejT.LyaS" [0094.174] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmprph.exe" (normalized: "c:\\program files (x86)\\windows media player\\wmprph.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmprph.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows media player\\wmprph.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0094.175] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0xdc8fd28 | out: lpFindFileData=0xdc8fd28) returned 1 [0094.175] lstrcpyW (in: lpString1=0x8d91650, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0094.175] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0094.175] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta" [0094.175] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows media player\\how to restore files.hta")) returned 0x1 [0094.175] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wmpshare.exe") returned -1 [0094.175] lstrlenW (lpString="wmpshare.exe") returned 12 [0094.175] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0094.175] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0094.175] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="wmpshare.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpshare.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpshare.exe" [0094.175] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpshare.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpshare.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpshare.exe" [0094.175] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpshare.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpshare.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpshare.exe id-Br3n0G72wUb8CejT.LyaS" [0094.175] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpshare.exe" (normalized: "c:\\program files (x86)\\windows media player\\wmpshare.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpshare.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows media player\\wmpshare.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0094.176] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0xdc8fd28 | out: lpFindFileData=0xdc8fd28) returned 0 [0094.176] FindClose (in: hFindFile=0x5c9250 | out: hFindFile=0x5c9250) returned 1 Thread: id = 203 os_tid = 0x640 [0091.283] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\*.*", lpFindFileData=0xddcfd28 | out: lpFindFileData=0xddcfd28) returned 0x5c9290 [0091.283] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.283] FindNextFileW (in: hFindFile=0x5c9290, lpFindFileData=0xddcfd28 | out: lpFindFileData=0xddcfd28) returned 1 [0091.283] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.283] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.283] FindNextFileW (in: hFindFile=0x5c9290, lpFindFileData=0xddcfd28 | out: lpFindFileData=0xddcfd28) returned 1 [0091.283] lstrcpyW (in: lpString1=0x2cf0140, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\*.*" [0091.283] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\*.*") returned 58 [0091.283] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\How To Restore Files.hta" [0091.284] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows multimedia platform\\how to restore files.hta")) returned 0xffffffff [0091.284] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows multimedia platform\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0091.359] WriteFile (in: hFile=0x3e4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xddcfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xddcfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0091.360] CloseHandle (hObject=0x3e4) returned 1 [0091.360] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0091.363] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="pump.exe") returned -1 [0091.363] lstrlenW (lpString="pump.exe") returned 8 [0091.363] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\*.*" [0091.363] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\*.*") returned 58 [0091.363] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\", lpString2="pump.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\pump.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\pump.exe" [0091.363] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\pump.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\pump.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\pump.exe" [0091.363] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\pump.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\pump.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\pump.exe id-Br3n0G72wUb8CejT.LyaS" [0091.363] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\pump.exe" (normalized: "c:\\program files (x86)\\windows multimedia platform\\pump.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\pump.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows multimedia platform\\pump.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0091.407] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\pump.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows multimedia platform\\pump.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0091.408] CreateFileMappingA (hFile=0x3e4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3f0 [0091.408] CryptAcquireContextA (in: phProv=0xddcfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xddcfce4*=0x5d11c8) returned 1 [0091.408] CryptGenKey (in: hProv=0x5d11c8, Algid=0x6610, dwFlags=0x1, phKey=0xddcfce0 | out: phKey=0xddcfce0*=0x5c9450) returned 1 [0091.408] CryptExportKey (in: hKey=0x5c9450, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xddcfbdc, pdwDataLen=0xddcfcdc | out: pbData=0xddcfbdc*, pdwDataLen=0xddcfcdc*=0x2c) returned 1 [0091.408] MapViewOfFile (hFileMappingObject=0x3f0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12600) returned 0x4e30000 [0093.255] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xddcfbdc*, pdwDataLen=0xddcfcf0*=0x40, dwBufLen=0x100 | out: pbData=0xddcfbdc*, pdwDataLen=0xddcfcf0*=0x100) returned 1 [0093.256] CryptEncrypt (in: hKey=0x5c9450, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4e30000, pdwDataLen=0xddcfcdc*=0x12600, dwBufLen=0x12600 | out: pbData=0x4e30000*, pdwDataLen=0xddcfcdc*=0x12600) returned 1 [0094.158] UnmapViewOfFile (lpBaseAddress=0x4e30000) returned 1 [0094.159] CloseHandle (hObject=0x3f0) returned 1 [0094.159] CryptDestroyKey (hKey=0x5c9450) returned 1 [0094.159] CryptReleaseContext (hProv=0x5d11c8, dwFlags=0x0) returned 1 [0094.159] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.159] WriteFile (in: hFile=0x3e4, lpBuffer=0xddcfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xddcfcf0, lpOverlapped=0x0 | out: lpBuffer=0xddcfbdc*, lpNumberOfBytesWritten=0xddcfcf0*=0x100, lpOverlapped=0x0) returned 1 [0094.435] WriteFile (in: hFile=0x3e4, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xddcfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0xddcfcf0*=0x500, lpOverlapped=0x0) returned 1 [0094.435] CloseHandle (hObject=0x3e4) returned 1 [0094.440] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\pump.exe id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0095.683] FindNextFileW (in: hFindFile=0x5c9290, lpFindFileData=0xddcfd28 | out: lpFindFileData=0xddcfd28) returned 1 [0095.683] lstrcpyW (in: lpString1=0x3e1c358, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\*.*" [0095.683] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\*.*") returned 58 [0095.684] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\How To Restore Files.hta" [0095.684] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows multimedia platform\\how to restore files.hta")) returned 0x1 [0095.684] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="sqmapi.dll") returned -1 [0095.684] lstrlenW (lpString="sqmapi.dll") returned 10 [0095.684] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\*.*" [0095.684] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\*.*") returned 58 [0095.684] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\", lpString2="sqmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\sqmapi.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\sqmapi.dll" [0095.684] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\sqmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\sqmapi.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\sqmapi.dll" [0095.684] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\sqmapi.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\sqmapi.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\sqmapi.dll id-Br3n0G72wUb8CejT.LyaS" [0095.684] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\sqmapi.dll" (normalized: "c:\\program files (x86)\\windows multimedia platform\\sqmapi.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Multimedia Platform\\sqmapi.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows multimedia platform\\sqmapi.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0095.686] FindNextFileW (in: hFindFile=0x5c9290, lpFindFileData=0xddcfd28 | out: lpFindFileData=0xddcfd28) returned 0 [0095.687] FindClose (in: hFindFile=0x5c9290 | out: hFindFile=0x5c9290) returned 1 Thread: id = 204 os_tid = 0x69c [0091.284] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*", lpFindFileData=0xdf0fd28 | out: lpFindFileData=0xdf0fd28) returned 0x5c92d0 [0091.285] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.285] FindNextFileW (in: hFindFile=0x5c92d0, lpFindFileData=0xdf0fd28 | out: lpFindFileData=0xdf0fd28) returned 1 [0091.285] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.285] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.285] FindNextFileW (in: hFindFile=0x5c92d0, lpFindFileData=0xdf0fd28 | out: lpFindFileData=0xdf0fd28) returned 1 [0091.285] lstrcmpW (lpString1=".", lpString2="Accessories") returned -1 [0091.285] lstrcmpW (lpString1="..", lpString2="Accessories") returned -1 [0091.285] lstrcmpiW (lpString1="windows", lpString2="Accessories") returned 1 [0091.285] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*" [0091.285] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*") returned 41 [0091.285] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\", lpString2="Accessories" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories" [0091.285] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*" [0091.285] GlobalMemoryStatus (in: lpBuffer=0xdf0fd08 | out: lpBuffer=0xdf0fd08) [0091.285] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x64eec0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3d8 [0091.286] CloseHandle (hObject=0x3d8) returned 1 [0091.286] FindNextFileW (in: hFindFile=0x5c92d0, lpFindFileData=0xdf0fd28 | out: lpFindFileData=0xdf0fd28) returned 1 [0091.286] lstrcmpW (lpString1=".", lpString2="TableTextService") returned -1 [0091.286] lstrcmpW (lpString1="..", lpString2="TableTextService") returned -1 [0091.286] lstrcmpiW (lpString1="windows", lpString2="TableTextService") returned 1 [0091.290] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*" [0091.290] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*") returned 41 [0091.290] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\", lpString2="TableTextService" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService" [0091.290] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" [0091.290] GlobalMemoryStatus (in: lpBuffer=0xdf0fd08 | out: lpBuffer=0xdf0fd08) [0091.290] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x111df0f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3d8 [0091.290] CloseHandle (hObject=0x3d8) returned 1 [0091.291] FindNextFileW (in: hFindFile=0x5c92d0, lpFindFileData=0xdf0fd28 | out: lpFindFileData=0xdf0fd28) returned 0 [0091.291] FindClose (in: hFindFile=0x5c92d0 | out: hFindFile=0x5c92d0) returned 1 Thread: id = 205 os_tid = 0x78c [0091.293] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*", lpFindFileData=0xe04fd28 | out: lpFindFileData=0xe04fd28) returned 0x5c92d0 [0091.293] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.293] FindNextFileW (in: hFindFile=0x5c92d0, lpFindFileData=0xe04fd28 | out: lpFindFileData=0xe04fd28) returned 1 [0091.293] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.293] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.293] FindNextFileW (in: hFindFile=0x5c92d0, lpFindFileData=0xe04fd28 | out: lpFindFileData=0xe04fd28) returned 1 [0091.293] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0091.293] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0091.293] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0091.293] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0091.294] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0091.294] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US" [0091.294] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*" [0091.294] GlobalMemoryStatus (in: lpBuffer=0xe04fd08 | out: lpBuffer=0xe04fd08) [0091.294] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8dc9778, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3d8 [0091.294] CloseHandle (hObject=0x3d8) returned 1 [0091.294] FindNextFileW (in: hFindFile=0x5c92d0, lpFindFileData=0xe04fd28 | out: lpFindFileData=0xe04fd28) returned 1 [0091.295] lstrcpyW (in: lpString1=0x5b28730, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0091.295] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0091.295] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\How To Restore Files.hta" [0091.295] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows photo viewer\\how to restore files.hta")) returned 0xffffffff [0091.295] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows photo viewer\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ec [0091.379] WriteFile (in: hFile=0x3ec, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xe04fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xe04fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0091.380] CloseHandle (hObject=0x3ec) returned 1 [0091.380] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0091.381] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ImagingDevices.exe") returned -1 [0091.381] lstrlenW (lpString="ImagingDevices.exe") returned 18 [0091.381] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0091.381] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0091.381] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="ImagingDevices.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe" [0091.381] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe" [0091.381] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe id-Br3n0G72wUb8CejT.LyaS" [0091.381] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe" (normalized: "c:\\program files (x86)\\windows photo viewer\\imagingdevices.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows photo viewer\\imagingdevices.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0091.467] FindNextFileW (in: hFindFile=0x5c92d0, lpFindFileData=0xe04fd28 | out: lpFindFileData=0xe04fd28) returned 1 [0091.467] lstrcpyW (in: lpString1=0x3e08390, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0091.467] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0091.467] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\How To Restore Files.hta" [0091.467] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows photo viewer\\how to restore files.hta")) returned 0x1 [0091.468] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ImagingEngine.dll") returned -1 [0091.468] lstrlenW (lpString="ImagingEngine.dll") returned 17 [0091.468] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0091.468] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0091.468] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="ImagingEngine.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingEngine.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingEngine.dll" [0091.468] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingEngine.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingEngine.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingEngine.dll" [0091.468] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingEngine.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingEngine.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingEngine.dll id-Br3n0G72wUb8CejT.LyaS" [0091.468] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingEngine.dll" (normalized: "c:\\program files (x86)\\windows photo viewer\\imagingengine.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingEngine.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows photo viewer\\imagingengine.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.715] FindNextFileW (in: hFindFile=0x5c92d0, lpFindFileData=0xe04fd28 | out: lpFindFileData=0xe04fd28) returned 1 [0091.715] lstrcpyW (in: lpString1=0x3f20868, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0091.715] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0091.715] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\How To Restore Files.hta" [0091.715] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows photo viewer\\how to restore files.hta")) returned 0x1 [0091.715] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="limousines.exe") returned -1 [0091.715] lstrlenW (lpString="limousines.exe") returned 14 [0091.715] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0091.715] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0091.715] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="limousines.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\limousines.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\limousines.exe" [0091.715] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\limousines.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\limousines.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\limousines.exe" [0091.715] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\limousines.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\limousines.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\limousines.exe id-Br3n0G72wUb8CejT.LyaS" [0091.715] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\limousines.exe" (normalized: "c:\\program files (x86)\\windows photo viewer\\limousines.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\limousines.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows photo viewer\\limousines.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0091.716] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\limousines.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows photo viewer\\limousines.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0091.716] CreateFileMappingA (hFile=0x44c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x450 [0091.716] CryptAcquireContextA (in: phProv=0xe04fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xe04fce4*=0x5d14f8) returned 1 [0091.717] CryptGenKey (in: hProv=0x5d14f8, Algid=0x6610, dwFlags=0x1, phKey=0xe04fce0 | out: phKey=0xe04fce0*=0x108052c8) returned 1 [0091.717] CryptExportKey (in: hKey=0x108052c8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xe04fbdc, pdwDataLen=0xe04fcdc | out: pbData=0xe04fbdc*, pdwDataLen=0xe04fcdc*=0x2c) returned 1 [0091.717] MapViewOfFile (hFileMappingObject=0x450, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12600) returned 0x10550000 [0091.721] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xe04fbdc*, pdwDataLen=0xe04fcf0*=0x40, dwBufLen=0x100 | out: pbData=0xe04fbdc*, pdwDataLen=0xe04fcf0*=0x100) returned 1 [0091.722] CryptEncrypt (in: hKey=0x108052c8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x10550000, pdwDataLen=0xe04fcdc*=0x12600, dwBufLen=0x12600 | out: pbData=0x10550000*, pdwDataLen=0xe04fcdc*=0x12600) returned 1 [0091.722] UnmapViewOfFile (lpBaseAddress=0x10550000) returned 1 [0091.723] CloseHandle (hObject=0x450) returned 1 [0091.723] CryptDestroyKey (hKey=0x108052c8) returned 1 [0091.723] CryptReleaseContext (hProv=0x5d14f8, dwFlags=0x0) returned 1 [0091.723] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.723] WriteFile (in: hFile=0x44c, lpBuffer=0xe04fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xe04fcf0, lpOverlapped=0x0 | out: lpBuffer=0xe04fbdc*, lpNumberOfBytesWritten=0xe04fcf0*=0x100, lpOverlapped=0x0) returned 1 [0091.724] WriteFile (in: hFile=0x44c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xe04fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0xe04fcf0*=0x500, lpOverlapped=0x0) returned 1 [0091.724] CloseHandle (hObject=0x44c) returned 1 [0091.726] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\limousines.exe id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0091.727] FindNextFileW (in: hFindFile=0x5c92d0, lpFindFileData=0xe04fd28 | out: lpFindFileData=0xe04fd28) returned 1 [0091.727] lstrcpyW (in: lpString1=0x3f20868, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0091.727] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0091.727] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\How To Restore Files.hta" [0091.727] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows photo viewer\\how to restore files.hta")) returned 0x1 [0091.727] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="PhotoAcq.dll") returned -1 [0091.727] lstrlenW (lpString="PhotoAcq.dll") returned 12 [0091.727] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0091.727] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0091.727] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="PhotoAcq.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoAcq.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoAcq.dll" [0091.727] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoAcq.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoAcq.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoAcq.dll" [0091.727] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoAcq.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoAcq.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoAcq.dll id-Br3n0G72wUb8CejT.LyaS" [0091.727] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoAcq.dll" (normalized: "c:\\program files (x86)\\windows photo viewer\\photoacq.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoAcq.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows photo viewer\\photoacq.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.728] FindNextFileW (in: hFindFile=0x5c92d0, lpFindFileData=0xe04fd28 | out: lpFindFileData=0xe04fd28) returned 1 [0091.728] lstrcpyW (in: lpString1=0x3f20868, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0091.728] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0091.728] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\How To Restore Files.hta" [0091.728] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows photo viewer\\how to restore files.hta")) returned 0x1 [0091.728] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="PhotoBase.dll") returned -1 [0091.728] lstrlenW (lpString="PhotoBase.dll") returned 13 [0091.728] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0091.728] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0091.728] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="PhotoBase.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoBase.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoBase.dll" [0091.728] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoBase.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoBase.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoBase.dll" [0091.728] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoBase.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoBase.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoBase.dll id-Br3n0G72wUb8CejT.LyaS" [0091.729] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoBase.dll" (normalized: "c:\\program files (x86)\\windows photo viewer\\photobase.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoBase.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows photo viewer\\photobase.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.729] FindNextFileW (in: hFindFile=0x5c92d0, lpFindFileData=0xe04fd28 | out: lpFindFileData=0xe04fd28) returned 1 [0091.729] lstrcpyW (in: lpString1=0x3f20868, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0091.729] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0091.729] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\How To Restore Files.hta" [0091.729] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows photo viewer\\how to restore files.hta")) returned 0x1 [0091.729] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="PhotoViewer.dll") returned -1 [0091.729] lstrlenW (lpString="PhotoViewer.dll") returned 15 [0091.729] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0091.729] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0091.729] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="PhotoViewer.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll" [0091.729] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll" [0091.729] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll id-Br3n0G72wUb8CejT.LyaS" [0091.729] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll" (normalized: "c:\\program files (x86)\\windows photo viewer\\photoviewer.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows photo viewer\\photoviewer.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0091.730] FindNextFileW (in: hFindFile=0x5c92d0, lpFindFileData=0xe04fd28 | out: lpFindFileData=0xe04fd28) returned 0 [0091.730] FindClose (in: hFindFile=0x5c92d0 | out: hFindFile=0x5c92d0) returned 1 Thread: id = 206 os_tid = 0x6f8 [0091.298] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*", lpFindFileData=0xe18fd28 | out: lpFindFileData=0xe18fd28) returned 0x5c9310 [0091.299] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.299] FindNextFileW (in: hFindFile=0x5c9310, lpFindFileData=0xe18fd28 | out: lpFindFileData=0xe18fd28) returned 1 [0091.299] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.299] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.299] FindNextFileW (in: hFindFile=0x5c9310, lpFindFileData=0xe18fd28 | out: lpFindFileData=0xe18fd28) returned 1 [0091.299] lstrcpyW (in: lpString1=0x5b30738, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*" [0091.299] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*") returned 55 [0091.299] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\How To Restore Files.hta" [0091.299] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows portable devices\\how to restore files.hta")) returned 0xffffffff [0091.299] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows portable devices\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x408 [0091.471] WriteFile (in: hFile=0x408, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xe18fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xe18fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0091.472] CloseHandle (hObject=0x408) returned 1 [0091.473] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0091.473] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="semiconductor phys.exe") returned -1 [0091.473] lstrlenW (lpString="semiconductor phys.exe") returned 22 [0091.473] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*" [0091.473] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*") returned 55 [0091.473] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\", lpString2="semiconductor phys.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\semiconductor phys.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\semiconductor phys.exe" [0091.473] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\semiconductor phys.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\semiconductor phys.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\semiconductor phys.exe" [0091.473] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\semiconductor phys.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\semiconductor phys.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\semiconductor phys.exe id-Br3n0G72wUb8CejT.LyaS" [0091.473] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\semiconductor phys.exe" (normalized: "c:\\program files (x86)\\windows portable devices\\semiconductor phys.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\semiconductor phys.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows portable devices\\semiconductor phys.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0091.476] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\semiconductor phys.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows portable devices\\semiconductor phys.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x408 [0091.477] CreateFileMappingA (hFile=0x408, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x40c [0091.477] CryptAcquireContextA (in: phProv=0xe18fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xe18fce4*=0x5d0e98) returned 1 [0091.477] CryptGenKey (in: hProv=0x5d0e98, Algid=0x6610, dwFlags=0x1, phKey=0xe18fce0 | out: phKey=0xe18fce0*=0x10805288) returned 1 [0091.477] CryptExportKey (in: hKey=0x10805288, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xe18fbdc, pdwDataLen=0xe18fcdc | out: pbData=0xe18fbdc*, pdwDataLen=0xe18fcdc*=0x2c) returned 1 [0091.477] MapViewOfFile (hFileMappingObject=0x40c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12600) returned 0xe8d0000 [0093.256] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xe18fbdc*, pdwDataLen=0xe18fcf0*=0x40, dwBufLen=0x100 | out: pbData=0xe18fbdc*, pdwDataLen=0xe18fcf0*=0x100) returned 1 [0093.257] CryptEncrypt (in: hKey=0x10805288, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xe8d0000, pdwDataLen=0xe18fcdc*=0x12600, dwBufLen=0x12600 | out: pbData=0xe8d0000*, pdwDataLen=0xe18fcdc*=0x12600) returned 1 [0094.156] UnmapViewOfFile (lpBaseAddress=0xe8d0000) returned 1 [0094.157] CloseHandle (hObject=0x40c) returned 1 [0094.157] CryptDestroyKey (hKey=0x10805288) returned 1 [0094.157] CryptReleaseContext (hProv=0x5d0e98, dwFlags=0x0) returned 1 [0094.157] SetFilePointerEx (in: hFile=0x408, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.157] WriteFile (in: hFile=0x408, lpBuffer=0xe18fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xe18fcf0, lpOverlapped=0x0 | out: lpBuffer=0xe18fbdc*, lpNumberOfBytesWritten=0xe18fcf0*=0x100, lpOverlapped=0x0) returned 1 [0094.441] WriteFile (in: hFile=0x408, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xe18fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0xe18fcf0*=0x500, lpOverlapped=0x0) returned 1 [0094.441] CloseHandle (hObject=0x408) returned 1 [0094.447] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\semiconductor phys.exe id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0094.507] FindNextFileW (in: hFindFile=0x5c9310, lpFindFileData=0xe18fd28 | out: lpFindFileData=0xe18fd28) returned 1 [0095.353] lstrcpyW (in: lpString1=0x3e1c358, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*" [0095.353] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*") returned 55 [0095.353] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\How To Restore Files.hta" [0095.353] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows portable devices\\how to restore files.hta")) returned 0x1 [0095.353] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="slightly.exe") returned -1 [0095.354] lstrlenW (lpString="slightly.exe") returned 12 [0095.354] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*" [0095.354] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*") returned 55 [0095.354] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\", lpString2="slightly.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\slightly.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\slightly.exe" [0095.354] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\slightly.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\slightly.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\slightly.exe" [0095.354] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\slightly.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\slightly.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\slightly.exe id-Br3n0G72wUb8CejT.LyaS" [0095.354] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\slightly.exe" (normalized: "c:\\program files (x86)\\windows portable devices\\slightly.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\slightly.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows portable devices\\slightly.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0095.371] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\slightly.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows portable devices\\slightly.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0095.372] CreateFileMappingA (hFile=0x30c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x344 [0095.372] CryptAcquireContextA (in: phProv=0xe18fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xe18fce4*=0x1083cfd0) returned 1 [0095.372] CryptGenKey (in: hProv=0x1083cfd0, Algid=0x6610, dwFlags=0x1, phKey=0xe18fce0 | out: phKey=0xe18fce0*=0x5c8910) returned 1 [0095.372] CryptExportKey (in: hKey=0x5c8910, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xe18fbdc, pdwDataLen=0xe18fcdc | out: pbData=0xe18fbdc*, pdwDataLen=0xe18fcdc*=0x2c) returned 1 [0095.372] MapViewOfFile (hFileMappingObject=0x344, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12600) returned 0x4dc0000 [0095.389] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xe18fbdc*, pdwDataLen=0xe18fcf0*=0x40, dwBufLen=0x100 | out: pbData=0xe18fbdc*, pdwDataLen=0xe18fcf0*=0x100) returned 1 [0095.390] CryptEncrypt (in: hKey=0x5c8910, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4dc0000, pdwDataLen=0xe18fcdc*=0x12600, dwBufLen=0x12600 | out: pbData=0x4dc0000*, pdwDataLen=0xe18fcdc*=0x12600) returned 1 [0095.390] UnmapViewOfFile (lpBaseAddress=0x4dc0000) returned 1 [0095.391] CloseHandle (hObject=0x344) returned 1 [0095.391] CryptDestroyKey (hKey=0x5c8910) returned 1 [0095.391] CryptReleaseContext (hProv=0x1083cfd0, dwFlags=0x0) returned 1 [0095.391] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.391] WriteFile (in: hFile=0x30c, lpBuffer=0xe18fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xe18fcf0, lpOverlapped=0x0 | out: lpBuffer=0xe18fbdc*, lpNumberOfBytesWritten=0xe18fcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.392] WriteFile (in: hFile=0x30c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xe18fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0xe18fcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.392] CloseHandle (hObject=0x30c) returned 1 [0095.394] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\slightly.exe id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0095.395] FindNextFileW (in: hFindFile=0x5c9310, lpFindFileData=0xe18fd28 | out: lpFindFileData=0xe18fd28) returned 1 [0095.395] lstrcpyW (in: lpString1=0x3e00338, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*" [0095.395] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*") returned 55 [0095.395] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\How To Restore Files.hta" [0095.395] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows portable devices\\how to restore files.hta")) returned 0x1 [0095.396] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="sqmapi.dll") returned -1 [0095.396] lstrlenW (lpString="sqmapi.dll") returned 10 [0095.396] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*" [0095.396] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*") returned 55 [0095.396] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\", lpString2="sqmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\sqmapi.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\sqmapi.dll" [0095.396] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\sqmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\sqmapi.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\sqmapi.dll" [0095.396] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\sqmapi.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\sqmapi.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\sqmapi.dll id-Br3n0G72wUb8CejT.LyaS" [0095.396] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\sqmapi.dll" (normalized: "c:\\program files (x86)\\windows portable devices\\sqmapi.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\sqmapi.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\windows portable devices\\sqmapi.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0095.482] FindNextFileW (in: hFindFile=0x5c9310, lpFindFileData=0xe18fd28 | out: lpFindFileData=0xe18fd28) returned 0 [0095.482] FindClose (in: hFindFile=0x5c9310 | out: hFindFile=0x5c9310) returned 1 Thread: id = 207 os_tid = 0x5f4 [0091.300] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*", lpFindFileData=0xe2cfd28 | out: lpFindFileData=0xe2cfd28) returned 0x5c9350 [0091.300] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.300] FindNextFileW (in: hFindFile=0x5c9350, lpFindFileData=0xe2cfd28 | out: lpFindFileData=0xe2cfd28) returned 1 [0091.300] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.300] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.300] FindNextFileW (in: hFindFile=0x5c9350, lpFindFileData=0xe2cfd28 | out: lpFindFileData=0xe2cfd28) returned 1 [0091.300] lstrcmpW (lpString1=".", lpString2="Gadgets") returned -1 [0091.300] lstrcmpW (lpString1="..", lpString2="Gadgets") returned -1 [0091.300] lstrcmpiW (lpString1="windows", lpString2="Gadgets") returned 1 [0091.304] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" [0091.304] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned 46 [0091.304] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\", lpString2="Gadgets" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets" [0091.304] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*" [0091.304] GlobalMemoryStatus (in: lpBuffer=0xe2cfd08 | out: lpBuffer=0xe2cfd08) [0091.304] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x111f7158, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3e0 [0091.305] CloseHandle (hObject=0x3e0) returned 1 [0091.305] FindNextFileW (in: hFindFile=0x5c9350, lpFindFileData=0xe2cfd28 | out: lpFindFileData=0xe2cfd28) returned 1 [0091.305] lstrcmpW (lpString1=".", lpString2="Shared Gadgets") returned -1 [0091.305] lstrcmpW (lpString1="..", lpString2="Shared Gadgets") returned -1 [0091.305] lstrcmpiW (lpString1="windows", lpString2="Shared Gadgets") returned 1 [0091.309] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" [0091.309] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned 46 [0091.309] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\", lpString2="Shared Gadgets" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets" [0091.309] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\*.*" [0091.309] GlobalMemoryStatus (in: lpBuffer=0xe2cfd08 | out: lpBuffer=0xe2cfd08) [0091.309] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1120f1c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3e0 [0091.310] CloseHandle (hObject=0x3e0) returned 1 [0091.310] FindNextFileW (in: hFindFile=0x5c9350, lpFindFileData=0xe2cfd28 | out: lpFindFileData=0xe2cfd28) returned 0 [0091.311] FindClose (in: hFindFile=0x5c9350 | out: hFindFile=0x5c9350) returned 1 Thread: id = 208 os_tid = 0xa64 [0091.317] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\*.*", lpFindFileData=0xe40fd28 | out: lpFindFileData=0xe40fd28) returned 0x5c9350 [0091.317] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.317] FindNextFileW (in: hFindFile=0x5c9350, lpFindFileData=0xe40fd28 | out: lpFindFileData=0xe40fd28) returned 1 [0091.317] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.317] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.317] FindNextFileW (in: hFindFile=0x5c9350, lpFindFileData=0xe40fd28 | out: lpFindFileData=0xe40fd28) returned 1 [0091.317] lstrcmpW (lpString1=".", lpString2="Configuration") returned -1 [0091.317] lstrcmpW (lpString1="..", lpString2="Configuration") returned -1 [0091.317] lstrcmpiW (lpString1="windows", lpString2="Configuration") returned 1 [0091.317] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\*.*" [0091.317] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\*.*") returned 48 [0091.317] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\", lpString2="Configuration" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration" [0091.317] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\*.*" [0091.317] GlobalMemoryStatus (in: lpBuffer=0xe40fd08 | out: lpBuffer=0xe40fd08) [0091.317] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8e118b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3e0 [0091.318] CloseHandle (hObject=0x3e0) returned 1 [0091.318] FindNextFileW (in: hFindFile=0x5c9350, lpFindFileData=0xe40fd28 | out: lpFindFileData=0xe40fd28) returned 1 [0091.318] lstrcmpW (lpString1=".", lpString2="Modules") returned -1 [0091.318] lstrcmpW (lpString1="..", lpString2="Modules") returned -1 [0091.318] lstrcmpiW (lpString1="windows", lpString2="Modules") returned 1 [0091.319] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\*.*" [0091.319] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\*.*") returned 48 [0091.319] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\", lpString2="Modules" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules" [0091.319] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\*.*" [0091.319] GlobalMemoryStatus (in: lpBuffer=0xe40fd08 | out: lpBuffer=0xe40fd08) [0091.319] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11227228, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3e0 [0091.320] CloseHandle (hObject=0x3e0) returned 1 [0091.320] FindNextFileW (in: hFindFile=0x5c9350, lpFindFileData=0xe40fd28 | out: lpFindFileData=0xe40fd28) returned 0 [0091.320] FindClose (in: hFindFile=0x5c9350 | out: hFindFile=0x5c9350) returned 1 Thread: id = 209 os_tid = 0xa54 [0091.325] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*.*", lpFindFileData=0xe54fd28 | out: lpFindFileData=0xe54fd28) returned 0x5c9390 [0091.326] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.326] FindNextFileW (in: hFindFile=0x5c9390, lpFindFileData=0xe54fd28 | out: lpFindFileData=0xe54fd28) returned 1 [0091.326] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.326] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.326] FindNextFileW (in: hFindFile=0x5c9390, lpFindFileData=0xe54fd28 | out: lpFindFileData=0xe54fd28) returned 1 [0091.326] lstrcmpW (lpString1=".", lpString2="Connections") returned -1 [0091.326] lstrcmpW (lpString1="..", lpString2="Connections") returned -1 [0091.326] lstrcmpiW (lpString1="windows", lpString2="Connections") returned 1 [0091.330] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*.*" [0091.330] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*.*") returned 40 [0091.330] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\", lpString2="Connections" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections" [0091.330] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*.*" [0091.330] GlobalMemoryStatus (in: lpBuffer=0xe54fd08 | out: lpBuffer=0xe54fd08) [0091.330] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1123f290, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3e0 [0091.330] CloseHandle (hObject=0x3e0) returned 1 [0091.331] FindNextFileW (in: hFindFile=0x5c9390, lpFindFileData=0xe54fd28 | out: lpFindFileData=0xe54fd28) returned 1 [0091.331] lstrcmpW (lpString1=".", lpString2="Downloader") returned -1 [0091.331] lstrcmpW (lpString1="..", lpString2="Downloader") returned -1 [0091.331] lstrcmpiW (lpString1="windows", lpString2="Downloader") returned 1 [0091.334] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*.*" [0091.334] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*.*") returned 40 [0091.334] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\", lpString2="Downloader" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader" [0091.334] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*" [0091.334] GlobalMemoryStatus (in: lpBuffer=0xe54fd08 | out: lpBuffer=0xe54fd08) [0091.334] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x112572f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3e0 [0091.334] CloseHandle (hObject=0x3e0) returned 1 [0091.334] FindNextFileW (in: hFindFile=0x5c9390, lpFindFileData=0xe54fd28 | out: lpFindFileData=0xe54fd28) returned 0 [0091.334] FindClose (in: hFindFile=0x5c9390 | out: hFindFile=0x5c9390) returned 1 Thread: id = 210 os_tid = 0x768 [0091.356] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\*.*", lpFindFileData=0xe68fd28 | out: lpFindFileData=0xe68fd28) returned 0x5c9390 [0091.356] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.356] FindNextFileW (in: hFindFile=0x5c9390, lpFindFileData=0xe68fd28 | out: lpFindFileData=0xe68fd28) returned 1 [0091.356] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.356] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.356] FindNextFileW (in: hFindFile=0x5c9390, lpFindFileData=0xe68fd28 | out: lpFindFileData=0xe68fd28) returned 1 [0091.356] lstrcpyW (in: lpString1=0x5a90468, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\*.*" [0091.356] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\*.*") returned 39 [0091.356] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\How To Restore Files.hta" [0091.356] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\office\\how to restore files.hta")) returned 0xffffffff [0091.356] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\office\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e8 [0092.380] WriteFile (in: hFile=0x4e8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xe68fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xe68fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0092.381] CloseHandle (hObject=0x4e8) returned 1 [0092.382] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0092.382] FindNextFileW (in: hFindFile=0x5c9390, lpFindFileData=0xe68fd28 | out: lpFindFileData=0xe68fd28) returned 0 [0092.382] FindClose (in: hFindFile=0x5c9390 | out: hFindFile=0x5c9390) returned 1 Thread: id = 211 os_tid = 0x4c8 [0091.357] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*", lpFindFileData=0xe7cfd28 | out: lpFindFileData=0xe7cfd28) returned 0x5c9410 [0091.404] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.404] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xe7cfd28 | out: lpFindFileData=0xe7cfd28) returned 1 [0091.404] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.404] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.404] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xe7cfd28 | out: lpFindFileData=0xe7cfd28) returned 1 [0091.404] lstrcpyW (in: lpString1=0x5a88460, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" [0091.404] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned 45 [0091.404] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\How To Restore Files.hta" [0091.404] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\how to restore files.hta")) returned 0xffffffff [0091.404] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3f0 [0091.405] WriteFile (in: hFile=0x3f0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xe7cfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xe7cfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0091.406] CloseHandle (hObject=0x3f0) returned 1 [0091.406] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0092.400] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="countrytable.xml") returned 1 [0092.400] lstrlenW (lpString="countrytable.xml") returned 16 [0092.400] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" [0092.400] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned 45 [0092.400] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\", lpString2="countrytable.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\countrytable.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\countrytable.xml" [0092.400] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\countrytable.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\countrytable.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\countrytable.xml" [0092.400] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\countrytable.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\countrytable.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\countrytable.xml id-Br3n0G72wUb8CejT.LyaS" [0092.400] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\countrytable.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\countrytable.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\countrytable.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\provisioning\\countrytable.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0093.376] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xe7cfd28 | out: lpFindFileData=0xe7cfd28) returned 1 [0093.376] lstrcmpW (lpString1=".", lpString2="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}") returned -1 [0093.376] lstrcmpW (lpString1="..", lpString2="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}") returned -1 [0093.376] lstrcmpiW (lpString1="windows", lpString2="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}") returned 1 [0093.863] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" [0093.863] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned 45 [0093.863] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\", lpString2="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}" [0093.863] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*" [0093.863] GlobalMemoryStatus (in: lpBuffer=0xe7cfd08 | out: lpBuffer=0xe7cfd08) [0093.863] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2c601e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5c4 [0093.863] CloseHandle (hObject=0x5c4) returned 1 [0093.863] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xe7cfd28 | out: lpFindFileData=0xe7cfd28) returned 1 [0093.863] lstrcmpW (lpString1=".", lpString2="{1e05dd5d-a022-46c5-963c-b20de341170f}") returned -1 [0093.863] lstrcmpW (lpString1="..", lpString2="{1e05dd5d-a022-46c5-963c-b20de341170f}") returned -1 [0093.864] lstrcmpiW (lpString1="windows", lpString2="{1e05dd5d-a022-46c5-963c-b20de341170f}") returned 1 [0093.867] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" [0093.867] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned 45 [0093.867] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\", lpString2="{1e05dd5d-a022-46c5-963c-b20de341170f}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}" [0093.867] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*" [0093.867] GlobalMemoryStatus (in: lpBuffer=0xe7cfd08 | out: lpBuffer=0xe7cfd08) [0093.868] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x211b09f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5c4 [0093.868] CloseHandle (hObject=0x5c4) returned 1 [0093.868] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xe7cfd28 | out: lpFindFileData=0xe7cfd28) returned 1 [0093.868] lstrcmpW (lpString1=".", lpString2="{23cb517f-5073-4e96-a202-7fe6122a2271}") returned -1 [0093.868] lstrcmpW (lpString1="..", lpString2="{23cb517f-5073-4e96-a202-7fe6122a2271}") returned -1 [0093.868] lstrcmpiW (lpString1="windows", lpString2="{23cb517f-5073-4e96-a202-7fe6122a2271}") returned 1 [0093.872] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" [0093.872] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned 45 [0093.872] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\", lpString2="{23cb517f-5073-4e96-a202-7fe6122a2271}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}" [0093.872] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*" [0093.872] GlobalMemoryStatus (in: lpBuffer=0xe7cfd08 | out: lpBuffer=0xe7cfd08) [0093.872] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x211c8a58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5c4 [0093.873] CloseHandle (hObject=0x5c4) returned 1 [0093.873] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xe7cfd28 | out: lpFindFileData=0xe7cfd28) returned 1 [0093.873] lstrcmpW (lpString1=".", lpString2="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}") returned -1 [0093.873] lstrcmpW (lpString1="..", lpString2="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}") returned -1 [0093.873] lstrcmpiW (lpString1="windows", lpString2="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}") returned 1 [0093.877] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" [0093.877] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned 45 [0093.877] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\", lpString2="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}" [0093.877] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*" [0093.877] GlobalMemoryStatus (in: lpBuffer=0xe7cfd08 | out: lpBuffer=0xe7cfd08) [0093.877] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x211e0ac0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5c4 [0093.878] CloseHandle (hObject=0x5c4) returned 1 [0093.878] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xe7cfd28 | out: lpFindFileData=0xe7cfd28) returned 1 [0093.878] lstrcmpW (lpString1=".", lpString2="{7a30a9be-737f-47a1-a541-6e7b0761ed19}") returned -1 [0093.878] lstrcmpW (lpString1="..", lpString2="{7a30a9be-737f-47a1-a541-6e7b0761ed19}") returned -1 [0093.878] lstrcmpiW (lpString1="windows", lpString2="{7a30a9be-737f-47a1-a541-6e7b0761ed19}") returned 1 [0093.882] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" [0093.882] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned 45 [0093.882] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\", lpString2="{7a30a9be-737f-47a1-a541-6e7b0761ed19}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}" [0093.882] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*" [0093.882] GlobalMemoryStatus (in: lpBuffer=0xe7cfd08 | out: lpBuffer=0xe7cfd08) [0093.882] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x211f8b28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5c4 [0093.883] CloseHandle (hObject=0x5c4) returned 1 [0093.883] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xe7cfd28 | out: lpFindFileData=0xe7cfd28) returned 1 [0093.883] lstrcmpW (lpString1=".", lpString2="{8fb7d64e-70fc-4f9d-89ee-d486817534df}") returned -1 [0093.883] lstrcmpW (lpString1="..", lpString2="{8fb7d64e-70fc-4f9d-89ee-d486817534df}") returned -1 [0093.883] lstrcmpiW (lpString1="windows", lpString2="{8fb7d64e-70fc-4f9d-89ee-d486817534df}") returned 1 [0093.887] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" [0093.887] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned 45 [0093.887] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\", lpString2="{8fb7d64e-70fc-4f9d-89ee-d486817534df}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}" [0093.887] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*" [0093.887] GlobalMemoryStatus (in: lpBuffer=0xe7cfd08 | out: lpBuffer=0xe7cfd08) [0093.887] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21210b90, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5c4 [0093.888] CloseHandle (hObject=0x5c4) returned 1 [0093.888] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xe7cfd28 | out: lpFindFileData=0xe7cfd28) returned 1 [0093.888] lstrcmpW (lpString1=".", lpString2="{99b095d8-5959-4820-bea7-7448c8427b4e}") returned -1 [0093.888] lstrcmpW (lpString1="..", lpString2="{99b095d8-5959-4820-bea7-7448c8427b4e}") returned -1 [0093.888] lstrcmpiW (lpString1="windows", lpString2="{99b095d8-5959-4820-bea7-7448c8427b4e}") returned 1 [0093.892] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" [0093.892] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned 45 [0093.892] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\", lpString2="{99b095d8-5959-4820-bea7-7448c8427b4e}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}" [0093.892] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*" [0093.892] GlobalMemoryStatus (in: lpBuffer=0xe7cfd08 | out: lpBuffer=0xe7cfd08) [0093.892] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21228bf8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5c4 [0093.892] CloseHandle (hObject=0x5c4) returned 1 [0093.892] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xe7cfd28 | out: lpFindFileData=0xe7cfd28) returned 1 [0093.892] lstrcmpW (lpString1=".", lpString2="{9aec5bda-1e87-46b3-bb96-1a01c606555e}") returned -1 [0093.893] lstrcmpW (lpString1="..", lpString2="{9aec5bda-1e87-46b3-bb96-1a01c606555e}") returned -1 [0093.893] lstrcmpiW (lpString1="windows", lpString2="{9aec5bda-1e87-46b3-bb96-1a01c606555e}") returned 1 [0093.896] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" [0093.896] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned 45 [0093.896] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\", lpString2="{9aec5bda-1e87-46b3-bb96-1a01c606555e}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}" [0093.896] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*" [0093.896] GlobalMemoryStatus (in: lpBuffer=0xe7cfd08 | out: lpBuffer=0xe7cfd08) [0093.896] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21240c60, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5c4 [0093.897] CloseHandle (hObject=0x5c4) returned 1 [0093.897] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xe7cfd28 | out: lpFindFileData=0xe7cfd28) returned 1 [0093.897] lstrcmpW (lpString1=".", lpString2="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}") returned -1 [0093.897] lstrcmpW (lpString1="..", lpString2="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}") returned -1 [0093.897] lstrcmpiW (lpString1="windows", lpString2="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}") returned 1 [0093.902] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" [0093.902] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned 45 [0093.902] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\", lpString2="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}" [0093.902] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*" [0093.902] GlobalMemoryStatus (in: lpBuffer=0xe7cfd08 | out: lpBuffer=0xe7cfd08) [0093.902] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21258cc8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5c4 [0093.903] CloseHandle (hObject=0x5c4) returned 1 [0093.903] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xe7cfd28 | out: lpFindFileData=0xe7cfd28) returned 1 [0093.903] lstrcmpW (lpString1=".", lpString2="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}") returned -1 [0093.903] lstrcmpW (lpString1="..", lpString2="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}") returned -1 [0093.903] lstrcmpiW (lpString1="windows", lpString2="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}") returned 1 [0093.908] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" [0093.908] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned 45 [0093.908] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\", lpString2="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}" [0093.908] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*" [0093.908] GlobalMemoryStatus (in: lpBuffer=0xe7cfd08 | out: lpBuffer=0xe7cfd08) [0093.908] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21270d30, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5c4 [0093.909] CloseHandle (hObject=0x5c4) returned 1 [0093.909] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xe7cfd28 | out: lpFindFileData=0xe7cfd28) returned 1 [0093.909] lstrcmpW (lpString1=".", lpString2="{ee4aac98-c174-4941-82b1-d121e493e4fb}") returned -1 [0093.909] lstrcmpW (lpString1="..", lpString2="{ee4aac98-c174-4941-82b1-d121e493e4fb}") returned -1 [0093.909] lstrcmpiW (lpString1="windows", lpString2="{ee4aac98-c174-4941-82b1-d121e493e4fb}") returned 1 [0093.914] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" [0093.914] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned 45 [0093.914] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\", lpString2="{ee4aac98-c174-4941-82b1-d121e493e4fb}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}" [0093.914] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*" [0093.914] GlobalMemoryStatus (in: lpBuffer=0xe7cfd08 | out: lpBuffer=0xe7cfd08) [0093.914] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21288d98, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5c4 [0093.915] CloseHandle (hObject=0x5c4) returned 1 [0093.915] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xe7cfd28 | out: lpFindFileData=0xe7cfd28) returned 1 [0093.915] lstrcmpW (lpString1=".", lpString2="{f11899f2-71ec-4621-9997-e17ae2f6eb26}") returned -1 [0093.915] lstrcmpW (lpString1="..", lpString2="{f11899f2-71ec-4621-9997-e17ae2f6eb26}") returned -1 [0093.915] lstrcmpiW (lpString1="windows", lpString2="{f11899f2-71ec-4621-9997-e17ae2f6eb26}") returned 1 [0093.924] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" [0093.924] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned 45 [0093.925] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\", lpString2="{f11899f2-71ec-4621-9997-e17ae2f6eb26}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}" [0093.925] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*" [0093.925] GlobalMemoryStatus (in: lpBuffer=0xe7cfd08 | out: lpBuffer=0xe7cfd08) [0093.925] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x212a0e00, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5c4 [0093.925] CloseHandle (hObject=0x5c4) returned 1 [0093.926] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xe7cfd28 | out: lpFindFileData=0xe7cfd28) returned 1 [0093.926] lstrcmpW (lpString1=".", lpString2="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}") returned -1 [0093.926] lstrcmpW (lpString1="..", lpString2="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}") returned -1 [0093.926] lstrcmpiW (lpString1="windows", lpString2="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}") returned 1 [0093.931] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*" [0093.931] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*.*") returned 45 [0093.931] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\", lpString2="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}" [0093.931] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*" [0093.931] GlobalMemoryStatus (in: lpBuffer=0xe7cfd08 | out: lpBuffer=0xe7cfd08) [0093.931] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x212b8e68, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5c4 [0093.932] CloseHandle (hObject=0x5c4) returned 1 [0093.932] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xe7cfd28 | out: lpFindFileData=0xe7cfd28) returned 0 [0093.932] FindClose (in: hFindFile=0x5c9410 | out: hFindFile=0x5c9410) returned 1 Thread: id = 212 os_tid = 0x85c [0091.367] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*.*", lpFindFileData=0xe90fd28 | out: lpFindFileData=0xe90fd28) returned 0x5c93d0 [0091.369] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.369] FindNextFileW (in: hFindFile=0x5c93d0, lpFindFileData=0xe90fd28 | out: lpFindFileData=0xe90fd28) returned 1 [0091.369] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.369] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.369] FindNextFileW (in: hFindFile=0x5c93d0, lpFindFileData=0xe90fd28 | out: lpFindFileData=0xe90fd28) returned 1 [0091.369] lstrcmpW (lpString1=".", lpString2="Data") returned -1 [0091.369] lstrcmpW (lpString1="..", lpString2="Data") returned -1 [0091.369] lstrcmpiW (lpString1="windows", lpString2="Data") returned 1 [0091.372] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*.*" [0091.372] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*.*") returned 39 [0091.372] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\", lpString2="Data" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data" [0091.372] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*.*" [0091.372] GlobalMemoryStatus (in: lpBuffer=0xe90fd08 | out: lpBuffer=0xe90fd08) [0091.372] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x112873c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3ec [0091.373] CloseHandle (hObject=0x3ec) returned 1 [0091.373] FindNextFileW (in: hFindFile=0x5c93d0, lpFindFileData=0xe90fd28 | out: lpFindFileData=0xe90fd28) returned 0 [0091.373] FindClose (in: hFindFile=0x5c93d0 | out: hFindFile=0x5c93d0) returned 1 Thread: id = 213 os_tid = 0xae8 [0091.375] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\*.*", lpFindFileData=0xea4fd28 | out: lpFindFileData=0xea4fd28) returned 0x5c93d0 [0091.376] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.376] FindNextFileW (in: hFindFile=0x5c93d0, lpFindFileData=0xea4fd28 | out: lpFindFileData=0xea4fd28) returned 1 [0091.376] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.376] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.376] FindNextFileW (in: hFindFile=0x5c93d0, lpFindFileData=0xea4fd28 | out: lpFindFileData=0xea4fd28) returned 0 [0091.376] FindClose (in: hFindFile=0x5c93d0 | out: hFindFile=0x5c93d0) returned 1 Thread: id = 214 os_tid = 0x4c4 [0091.377] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*", lpFindFileData=0xeb8fd28 | out: lpFindFileData=0xeb8fd28) returned 0x5c93d0 [0091.377] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.377] FindNextFileW (in: hFindFile=0x5c93d0, lpFindFileData=0xeb8fd28 | out: lpFindFileData=0xeb8fd28) returned 1 [0091.378] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.378] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.378] FindNextFileW (in: hFindFile=0x5c93d0, lpFindFileData=0xeb8fd28 | out: lpFindFileData=0xeb8fd28) returned 1 [0091.378] lstrcpyW (in: lpString1=0x2cf0140, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*" [0091.378] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*") returned 54 [0091.378] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\How To Restore Files.hta" [0091.378] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\how to restore files.hta")) returned 0xffffffff [0091.378] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4ec [0094.581] WriteFile (in: hFile=0x4ec, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xeb8fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xeb8fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.582] CloseHandle (hObject=0x4ec) returned 1 [0094.582] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.922] FindNextFileW (in: hFindFile=0x5c93d0, lpFindFileData=0xeb8fd28 | out: lpFindFileData=0xeb8fd28) returned 1 [0094.922] lstrcpyW (in: lpString1=0x3e37380, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*" [0094.922] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*") returned 54 [0094.922] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\How To Restore Files.hta" [0094.922] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\how to restore files.hta")) returned 0x1 [0097.235] FindNextFileW (in: hFindFile=0x5c93d0, lpFindFileData=0xeb8fd28 | out: lpFindFileData=0xeb8fd28) returned 1 [0097.235] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*" [0097.235] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*") returned 54 [0097.235] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\How To Restore Files.hta" [0097.235] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\how to restore files.hta")) returned 0x1 [0097.235] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="guest.bmp") returned 1 [0097.235] lstrlenW (lpString="guest.bmp") returned 9 [0097.236] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*" [0097.236] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*") returned 54 [0097.236] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\", lpString2="guest.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" [0097.236] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" [0097.236] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp id-Br3n0G72wUb8CejT.LyaS" [0097.236] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp id-br3n0g72wub8cejt.lyas")) Thread: id = 215 os_tid = 0xc6c [0091.383] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*.*", lpFindFileData=0xeccfd28 | out: lpFindFileData=0xeccfd28) returned 0x5c9410 [0091.384] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.384] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xeccfd28 | out: lpFindFileData=0xeccfd28) returned 1 [0091.384] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.384] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.384] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xeccfd28 | out: lpFindFileData=0xeccfd28) returned 1 [0091.384] lstrcmpW (lpString1=".", lpString2="AC658CB4-9126-49BD-B877-31EEDAB3F204") returned -1 [0091.384] lstrcmpW (lpString1="..", lpString2="AC658CB4-9126-49BD-B877-31EEDAB3F204") returned -1 [0091.384] lstrcmpiW (lpString1="windows", lpString2="AC658CB4-9126-49BD-B877-31EEDAB3F204") returned 1 [0091.384] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*.*" [0091.384] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*.*") returned 38 [0091.384] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\", lpString2="AC658CB4-9126-49BD-B877-31EEDAB3F204" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204" [0091.384] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*.*" [0091.384] GlobalMemoryStatus (in: lpBuffer=0xeccfd08 | out: lpBuffer=0xeccfd08) [0091.384] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8e71a50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3f0 [0091.385] CloseHandle (hObject=0x3f0) returned 1 [0091.385] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xeccfd28 | out: lpFindFileData=0xeccfd28) returned 0 [0091.385] FindClose (in: hFindFile=0x5c9410 | out: hFindFile=0x5c9410) returned 1 Thread: id = 216 os_tid = 0x7c4 [0091.387] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WDF\\*.*", lpFindFileData=0xee0fd28 | out: lpFindFileData=0xee0fd28) returned 0x5c9410 [0091.387] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.387] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xee0fd28 | out: lpFindFileData=0xee0fd28) returned 1 [0091.387] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.387] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.387] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xee0fd28 | out: lpFindFileData=0xee0fd28) returned 0 [0091.387] FindClose (in: hFindFile=0x5c9410 | out: hFindFile=0x5c9410) returned 1 Thread: id = 217 os_tid = 0x378 [0091.388] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*", lpFindFileData=0xef4fd28 | out: lpFindFileData=0xef4fd28) returned 0x2c9ea08 [0093.374] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.375] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0xef4fd28 | out: lpFindFileData=0xef4fd28) returned 1 [0093.375] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.375] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.375] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0xef4fd28 | out: lpFindFileData=0xef4fd28) returned 1 [0093.375] lstrcmpW (lpString1=".", lpString2="Clean Store") returned -1 [0093.375] lstrcmpW (lpString1="..", lpString2="Clean Store") returned -1 [0093.375] lstrcmpiW (lpString1="windows", lpString2="Clean Store") returned 1 [0093.979] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" [0093.979] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned 49 [0093.979] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\", lpString2="Clean Store" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Clean Store") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Clean Store" [0093.979] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Clean Store", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Clean Store\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Clean Store\\*.*" [0093.979] GlobalMemoryStatus (in: lpBuffer=0xef4fd08 | out: lpBuffer=0xef4fd08) [0093.979] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8e599e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4d0 [0093.980] CloseHandle (hObject=0x4d0) returned 1 [0093.980] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0xef4fd28 | out: lpFindFileData=0xef4fd28) returned 1 [0093.980] lstrcmpW (lpString1=".", lpString2="Definition Updates") returned -1 [0093.980] lstrcmpW (lpString1="..", lpString2="Definition Updates") returned -1 [0093.980] lstrcmpiW (lpString1="windows", lpString2="Definition Updates") returned 1 [0093.993] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" [0093.993] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned 49 [0093.993] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\", lpString2="Definition Updates" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates" [0093.996] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*.*" [0093.996] GlobalMemoryStatus (in: lpBuffer=0xef4fd08 | out: lpBuffer=0xef4fd08) [0093.996] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x212d0ed0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4d0 [0093.997] CloseHandle (hObject=0x4d0) returned 1 [0093.997] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0xef4fd28 | out: lpFindFileData=0xef4fd28) returned 1 [0093.997] lstrcmpW (lpString1=".", lpString2="Features") returned -1 [0093.997] lstrcmpW (lpString1="..", lpString2="Features") returned -1 [0093.997] lstrcmpiW (lpString1="windows", lpString2="Features") returned 1 [0094.001] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" [0094.001] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned 49 [0094.001] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\", lpString2="Features" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Features") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Features" [0094.001] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Features", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Features\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Features\\*.*" [0094.001] GlobalMemoryStatus (in: lpBuffer=0xef4fd08 | out: lpBuffer=0xef4fd08) [0094.002] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x212e8f38, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4d0 [0094.002] CloseHandle (hObject=0x4d0) returned 1 [0094.002] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0xef4fd28 | out: lpFindFileData=0xef4fd28) returned 1 [0094.003] lstrcmpW (lpString1=".", lpString2="LocalCopy") returned -1 [0094.003] lstrcmpW (lpString1="..", lpString2="LocalCopy") returned -1 [0094.003] lstrcmpiW (lpString1="windows", lpString2="LocalCopy") returned 1 [0094.008] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" [0094.008] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned 49 [0094.009] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\", lpString2="LocalCopy" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy" [0094.009] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\*.*" [0094.009] GlobalMemoryStatus (in: lpBuffer=0xef4fd08 | out: lpBuffer=0xef4fd08) [0094.009] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21300fa0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4d0 [0094.011] CloseHandle (hObject=0x4d0) returned 1 [0094.012] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0xef4fd28 | out: lpFindFileData=0xef4fd28) returned 1 [0094.012] lstrcmpW (lpString1=".", lpString2="Network Inspection System") returned -1 [0094.012] lstrcmpW (lpString1="..", lpString2="Network Inspection System") returned -1 [0094.012] lstrcmpiW (lpString1="windows", lpString2="Network Inspection System") returned 1 [0094.017] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" [0094.017] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned 49 [0094.017] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\", lpString2="Network Inspection System" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System" [0094.017] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\*.*" [0094.017] GlobalMemoryStatus (in: lpBuffer=0xef4fd08 | out: lpBuffer=0xef4fd08) [0094.017] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21319008, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4d0 [0094.018] CloseHandle (hObject=0x4d0) returned 1 [0094.018] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0xef4fd28 | out: lpFindFileData=0xef4fd28) returned 1 [0094.018] lstrcmpW (lpString1=".", lpString2="Quarantine") returned -1 [0094.018] lstrcmpW (lpString1="..", lpString2="Quarantine") returned -1 [0094.018] lstrcmpiW (lpString1="windows", lpString2="Quarantine") returned 1 [0094.024] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" [0094.024] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned 49 [0094.024] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\", lpString2="Quarantine" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine" [0094.024] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\*.*" [0094.024] GlobalMemoryStatus (in: lpBuffer=0xef4fd08 | out: lpBuffer=0xef4fd08) [0094.024] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21331070, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4d0 [0094.025] CloseHandle (hObject=0x4d0) returned 1 [0094.025] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0xef4fd28 | out: lpFindFileData=0xef4fd28) returned 1 [0094.025] lstrcmpW (lpString1=".", lpString2="Scans") returned -1 [0094.025] lstrcmpW (lpString1="..", lpString2="Scans") returned -1 [0094.025] lstrcmpiW (lpString1="windows", lpString2="Scans") returned 1 [0094.031] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" [0094.031] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned 49 [0094.031] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\", lpString2="Scans" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans" [0094.031] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\*.*" [0094.031] GlobalMemoryStatus (in: lpBuffer=0xef4fd08 | out: lpBuffer=0xef4fd08) [0094.031] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x213490d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4d0 [0094.032] CloseHandle (hObject=0x4d0) returned 1 [0094.032] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0xef4fd28 | out: lpFindFileData=0xef4fd28) returned 1 [0094.032] lstrcmpW (lpString1=".", lpString2="Support") returned -1 [0094.032] lstrcmpW (lpString1="..", lpString2="Support") returned -1 [0094.032] lstrcmpiW (lpString1="windows", lpString2="Support") returned 1 [0094.037] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" [0094.038] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned 49 [0094.038] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\", lpString2="Support" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support" [0094.038] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*.*" [0094.038] GlobalMemoryStatus (in: lpBuffer=0xef4fd08 | out: lpBuffer=0xef4fd08) [0094.038] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21361140, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4d0 [0094.039] CloseHandle (hObject=0x4d0) returned 1 [0094.039] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0xef4fd28 | out: lpFindFileData=0xef4fd28) returned 0 [0094.039] FindClose (in: hFindFile=0x2c9ea08 | out: hFindFile=0x2c9ea08) returned 1 Thread: id = 218 os_tid = 0xf28 [0091.391] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\*.*", lpFindFileData=0xf08fd28 | out: lpFindFileData=0xf08fd28) returned 0x10804c08 [0092.007] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.007] FindNextFileW (in: hFindFile=0x10804c08, lpFindFileData=0xf08fd28 | out: lpFindFileData=0xf08fd28) returned 1 [0092.007] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.007] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.007] FindNextFileW (in: hFindFile=0x10804c08, lpFindFileData=0xf08fd28 | out: lpFindFileData=0xf08fd28) returned 1 [0092.009] lstrcpyW (in: lpString1=0x3e1c358, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\*.*" [0092.009] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\*.*") returned 45 [0092.009] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\How To Restore Files.hta" [0092.009] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\windows live\\how to restore files.hta")) returned 0xffffffff [0092.009] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\windows live\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4ac [0094.546] WriteFile (in: hFile=0x4ac, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xf08fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xf08fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.547] CloseHandle (hObject=0x4ac) returned 1 [0094.547] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0095.188] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="WLive48x48.png") returned -1 [0095.188] lstrlenW (lpString="WLive48x48.png") returned 14 [0095.188] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\*.*" [0095.188] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\*.*") returned 45 [0095.188] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\", lpString2="WLive48x48.png" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png" [0095.188] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png" [0095.188] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png id-Br3n0G72wUb8CejT.LyaS" [0095.188] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png" (normalized: "c:\\programdata\\microsoft\\windows live\\wlive48x48.png"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\windows live\\wlive48x48.png id-br3n0g72wub8cejt.lyas")) returned 1 [0095.197] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\windows live\\wlive48x48.png id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e0 [0095.197] CreateFileMappingA (hFile=0x4e0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x320 [0095.197] CryptAcquireContextA (in: phProv=0xf08fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xf08fce4*=0x1083d9e8) returned 1 [0095.198] CryptGenKey (in: hProv=0x1083d9e8, Algid=0x6610, dwFlags=0x1, phKey=0xf08fce0 | out: phKey=0xf08fce0*=0x5c8e10) returned 1 [0095.198] CryptExportKey (in: hKey=0x5c8e10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xf08fbdc, pdwDataLen=0xf08fcdc | out: pbData=0xf08fbdc*, pdwDataLen=0xf08fcdc*=0x2c) returned 1 [0095.198] MapViewOfFile (hFileMappingObject=0x320, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1220) returned 0x4dc0000 [0095.264] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xf08fbdc*, pdwDataLen=0xf08fcf0*=0x40, dwBufLen=0x100 | out: pbData=0xf08fbdc*, pdwDataLen=0xf08fcf0*=0x100) returned 1 [0095.265] CryptEncrypt (in: hKey=0x5c8e10, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4dc0000, pdwDataLen=0xf08fcdc*=0x1220, dwBufLen=0x1220 | out: pbData=0x4dc0000*, pdwDataLen=0xf08fcdc*=0x1220) returned 1 [0095.265] UnmapViewOfFile (lpBaseAddress=0x4dc0000) returned 1 [0095.265] CloseHandle (hObject=0x320) returned 1 [0095.265] CryptDestroyKey (hKey=0x5c8e10) returned 1 [0095.265] CryptReleaseContext (hProv=0x1083d9e8, dwFlags=0x0) returned 1 [0095.265] SetFilePointerEx (in: hFile=0x4e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.265] WriteFile (in: hFile=0x4e0, lpBuffer=0xf08fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xf08fcf0, lpOverlapped=0x0 | out: lpBuffer=0xf08fbdc*, lpNumberOfBytesWritten=0xf08fcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.266] WriteFile (in: hFile=0x4e0, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xf08fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0xf08fcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.266] CloseHandle (hObject=0x4e0) returned 1 [0095.270] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0095.271] FindNextFileW (in: hFindFile=0x10804c08, lpFindFileData=0xf08fd28 | out: lpFindFileData=0xf08fd28) returned 0 [0095.271] FindClose (in: hFindFile=0x10804c08 | out: hFindFile=0x10804c08) returned 1 Thread: id = 219 os_tid = 0xc70 [0091.392] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*.*", lpFindFileData=0xf1cfd28 | out: lpFindFileData=0xf1cfd28) returned 0x10804988 [0092.385] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.385] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0xf1cfd28 | out: lpFindFileData=0xf1cfd28) returned 1 [0092.385] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.385] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.385] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0xf1cfd28 | out: lpFindFileData=0xf1cfd28) returned 1 [0092.385] lstrcmpW (lpString1=".", lpString2="MSFax") returned -1 [0092.385] lstrcmpW (lpString1="..", lpString2="MSFax") returned -1 [0092.385] lstrcmpiW (lpString1="windows", lpString2="MSFax") returned 1 [0092.385] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*.*" [0092.385] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*.*") returned 43 [0092.385] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\", lpString2="MSFax" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax" [0092.385] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*" [0092.385] GlobalMemoryStatus (in: lpBuffer=0xf1cfd08 | out: lpBuffer=0xf1cfd08) [0092.385] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10ec6388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4e8 [0092.386] CloseHandle (hObject=0x4e8) returned 1 [0092.386] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0xf1cfd28 | out: lpFindFileData=0xf1cfd28) returned 1 [0092.386] lstrcmpW (lpString1=".", lpString2="MSScan") returned -1 [0092.386] lstrcmpW (lpString1="..", lpString2="MSScan") returned -1 [0092.386] lstrcmpiW (lpString1="windows", lpString2="MSScan") returned 1 [0092.386] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*.*" [0092.387] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*.*") returned 43 [0092.387] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\", lpString2="MSScan" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan" [0092.387] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*.*" [0092.387] GlobalMemoryStatus (in: lpBuffer=0xf1cfd08 | out: lpBuffer=0xf1cfd08) [0092.387] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8f31d90, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4e8 [0092.387] CloseHandle (hObject=0x4e8) returned 1 [0092.387] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0xf1cfd28 | out: lpFindFileData=0xf1cfd28) returned 0 [0092.388] FindClose (in: hFindFile=0x10804988 | out: hFindFile=0x10804988) returned 1 Thread: id = 220 os_tid = 0xc74 [0091.395] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\*.*", lpFindFileData=0xf30fd28 | out: lpFindFileData=0xf30fd28) returned 0x10804f08 [0092.374] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.374] FindNextFileW (in: hFindFile=0x10804f08, lpFindFileData=0xf30fd28 | out: lpFindFileData=0xf30fd28) returned 1 [0092.375] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.375] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.375] FindNextFileW (in: hFindFile=0x10804f08, lpFindFileData=0xf30fd28 | out: lpFindFileData=0xf30fd28) returned 1 [0092.375] lstrcmpW (lpString1=".", lpString2="Server") returned -1 [0092.375] lstrcmpW (lpString1="..", lpString2="Server") returned -1 [0092.375] lstrcmpiW (lpString1="windows", lpString2="Server") returned 1 [0092.375] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\*.*" [0092.375] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\*.*") returned 41 [0092.375] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\", lpString2="Server" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server" [0092.375] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\*.*" [0092.375] GlobalMemoryStatus (in: lpBuffer=0xf30fd08 | out: lpBuffer=0xf30fd08) [0092.375] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2c48180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4ec [0092.376] CloseHandle (hObject=0x4ec) returned 1 [0092.376] FindNextFileW (in: hFindFile=0x10804f08, lpFindFileData=0xf30fd28 | out: lpFindFileData=0xf30fd28) returned 0 [0092.376] FindClose (in: hFindFile=0x10804f08 | out: hFindFile=0x10804f08) returned 1 Thread: id = 221 os_tid = 0xc98 [0091.396] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*.*", lpFindFileData=0xf44fd28 | out: lpFindFileData=0xf44fd28) returned 0x10804988 [0092.401] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.401] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0xf44fd28 | out: lpFindFileData=0xf44fd28) returned 1 [0092.401] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.401] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.401] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0xf44fd28 | out: lpFindFileData=0xf44fd28) returned 1 [0092.401] lstrcmpW (lpString1=".", lpString2="DMProfiles") returned -1 [0092.401] lstrcmpW (lpString1="..", lpString2="DMProfiles") returned -1 [0092.401] lstrcmpiW (lpString1="windows", lpString2="DMProfiles") returned 1 [0092.401] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*.*" [0092.401] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*.*") returned 40 [0092.401] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\", lpString2="DMProfiles" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles" [0092.401] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles\\*.*" [0092.401] GlobalMemoryStatus (in: lpBuffer=0xf44fd08 | out: lpBuffer=0xf44fd08) [0092.402] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8f19d28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4e8 [0092.402] CloseHandle (hObject=0x4e8) returned 1 [0092.402] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0xf44fd28 | out: lpFindFileData=0xf44fd28) returned 1 [0092.402] lstrcmpW (lpString1=".", lpString2="Profiles") returned -1 [0092.403] lstrcmpW (lpString1="..", lpString2="Profiles") returned -1 [0092.403] lstrcmpiW (lpString1="windows", lpString2="Profiles") returned 1 [0092.403] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*.*" [0092.403] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*.*") returned 40 [0092.403] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\", lpString2="Profiles" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles" [0092.403] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\*.*" [0092.403] GlobalMemoryStatus (in: lpBuffer=0xf44fd08 | out: lpBuffer=0xf44fd08) [0092.403] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5bb0948, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4e8 [0092.404] CloseHandle (hObject=0x4e8) returned 1 [0092.404] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0xf44fd28 | out: lpFindFileData=0xf44fd28) returned 0 [0092.404] FindClose (in: hFindFile=0x10804988 | out: hFindFile=0x10804988) returned 1 Thread: id = 222 os_tid = 0xc9c [0091.396] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*", lpFindFileData=0xf58fd28 | out: lpFindFileData=0xf58fd28) returned 0x10805808 [0091.589] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.589] FindNextFileW (in: hFindFile=0x10805808, lpFindFileData=0xf58fd28 | out: lpFindFileData=0xf58fd28) returned 1 [0091.589] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.589] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.589] FindNextFileW (in: hFindFile=0x10805808, lpFindFileData=0xf58fd28 | out: lpFindFileData=0xf58fd28) returned 1 [0091.589] lstrcmpW (lpString1=".", lpString2="Reader_15.007.20033") returned -1 [0091.589] lstrcmpW (lpString1="..", lpString2="Reader_15.007.20033") returned -1 [0091.589] lstrcmpiW (lpString1="windows", lpString2="Reader_15.007.20033") returned 1 [0091.589] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*" [0091.589] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*") returned 32 [0091.589] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\", lpString2="Reader_15.007.20033" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.007.20033") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.007.20033" [0091.589] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.007.20033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.007.20033\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.007.20033\\*.*" [0091.589] GlobalMemoryStatus (in: lpBuffer=0xf58fd08 | out: lpBuffer=0xf58fd08) [0091.590] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x105d8180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x424 [0091.590] CloseHandle (hObject=0x424) returned 1 [0091.590] FindNextFileW (in: hFindFile=0x10805808, lpFindFileData=0xf58fd28 | out: lpFindFileData=0xf58fd28) returned 1 [0091.590] lstrcmpW (lpString1=".", lpString2="Reader_15.023.20070") returned -1 [0091.590] lstrcmpW (lpString1="..", lpString2="Reader_15.023.20070") returned -1 [0091.590] lstrcmpiW (lpString1="windows", lpString2="Reader_15.023.20070") returned 1 [0091.590] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*" [0091.590] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*") returned 32 [0091.590] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\", lpString2="Reader_15.023.20070" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.023.20070") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.023.20070" [0091.590] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.023.20070", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.023.20070\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.023.20070\\*.*" [0091.590] GlobalMemoryStatus (in: lpBuffer=0xf58fd08 | out: lpBuffer=0xf58fd08) [0091.591] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10590048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x424 [0091.591] CloseHandle (hObject=0x424) returned 1 [0091.592] FindNextFileW (in: hFindFile=0x10805808, lpFindFileData=0xf58fd28 | out: lpFindFileData=0xf58fd28) returned 1 [0091.592] lstrcmpW (lpString1=".", lpString2="Reader_17.009.20058") returned -1 [0091.592] lstrcmpW (lpString1="..", lpString2="Reader_17.009.20058") returned -1 [0091.592] lstrcmpiW (lpString1="windows", lpString2="Reader_17.009.20058") returned 1 [0091.592] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*" [0091.592] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*") returned 32 [0091.592] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\", lpString2="Reader_17.009.20058" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_17.009.20058") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_17.009.20058" [0091.592] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_17.009.20058", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_17.009.20058\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_17.009.20058\\*.*" [0091.592] GlobalMemoryStatus (in: lpBuffer=0xf58fd08 | out: lpBuffer=0xf58fd08) [0091.592] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x90221a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x424 [0091.593] CloseHandle (hObject=0x424) returned 1 [0091.593] FindNextFileW (in: hFindFile=0x10805808, lpFindFileData=0xf58fd28 | out: lpFindFileData=0xf58fd28) returned 1 [0091.593] lstrcmpW (lpString1=".", lpString2="Reader_17.012.20098") returned -1 [0091.593] lstrcmpW (lpString1="..", lpString2="Reader_17.012.20098") returned -1 [0091.593] lstrcmpiW (lpString1="windows", lpString2="Reader_17.012.20098") returned 1 [0091.593] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*" [0091.593] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*") returned 32 [0091.593] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\", lpString2="Reader_17.012.20098" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_17.012.20098") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_17.012.20098" [0091.593] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_17.012.20098", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_17.012.20098\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_17.012.20098\\*.*" [0091.593] GlobalMemoryStatus (in: lpBuffer=0xf58fd08 | out: lpBuffer=0xf58fd08) [0091.593] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8d695d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x424 [0091.593] CloseHandle (hObject=0x424) returned 1 [0091.594] FindNextFileW (in: hFindFile=0x10805808, lpFindFileData=0xf58fd28 | out: lpFindFileData=0xf58fd28) returned 1 [0091.594] lstrcmpW (lpString1=".", lpString2="S") returned -1 [0091.594] lstrcmpW (lpString1="..", lpString2="S") returned -1 [0091.594] lstrcmpiW (lpString1="windows", lpString2="S") returned 1 [0091.594] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*" [0091.594] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*") returned 32 [0091.594] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\", lpString2="S" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\S") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\S" [0091.594] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\S", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\S\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\S\\*.*" [0091.594] GlobalMemoryStatus (in: lpBuffer=0xf58fd08 | out: lpBuffer=0xf58fd08) [0091.594] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x59a80b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x424 [0091.595] CloseHandle (hObject=0x424) returned 1 [0091.595] FindNextFileW (in: hFindFile=0x10805808, lpFindFileData=0xf58fd28 | out: lpFindFileData=0xf58fd28) returned 1 [0091.595] lstrcmpW (lpString1=".", lpString2="{291AA914-A987-4CE9-BD63-AC0A92D435E5}") returned -1 [0091.595] lstrcmpW (lpString1="..", lpString2="{291AA914-A987-4CE9-BD63-AC0A92D435E5}") returned -1 [0091.595] lstrcmpiW (lpString1="windows", lpString2="{291AA914-A987-4CE9-BD63-AC0A92D435E5}") returned 1 [0091.595] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*" [0091.595] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*") returned 32 [0091.595] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\", lpString2="{291AA914-A987-4CE9-BD63-AC0A92D435E5}" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\{291AA914-A987-4CE9-BD63-AC0A92D435E5}") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\{291AA914-A987-4CE9-BD63-AC0A92D435E5}" [0091.595] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\{291AA914-A987-4CE9-BD63-AC0A92D435E5}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\\*.*" [0091.595] GlobalMemoryStatus (in: lpBuffer=0xf58fd08 | out: lpBuffer=0xf58fd08) [0091.595] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x60ede8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x424 [0091.596] CloseHandle (hObject=0x424) returned 1 [0091.596] FindNextFileW (in: hFindFile=0x10805808, lpFindFileData=0xf58fd28 | out: lpFindFileData=0xf58fd28) returned 0 [0091.596] FindClose (in: hFindFile=0x10805808 | out: hFindFile=0x10805808) returned 1 Thread: id = 223 os_tid = 0xca0 [0091.398] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\*.*", lpFindFileData=0xf7cfd28 | out: lpFindFileData=0xf7cfd28) returned 0x5c9410 [0091.398] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.399] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xf7cfd28 | out: lpFindFileData=0xf7cfd28) returned 1 [0091.399] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.399] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.399] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xf7cfd28 | out: lpFindFileData=0xf7cfd28) returned 1 [0091.399] lstrcmpW (lpString1=".", lpString2="Local") returned -1 [0091.399] lstrcmpW (lpString1="..", lpString2="Local") returned -1 [0091.399] lstrcmpiW (lpString1="windows", lpString2="Local") returned 1 [0091.399] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\*.*" [0091.399] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\*.*") returned 37 [0091.399] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\", lpString2="Local" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local" [0091.399] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*" [0091.399] GlobalMemoryStatus (in: lpBuffer=0xf7cfd08 | out: lpBuffer=0xf7cfd08) [0091.399] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8e89ab8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3f4 [0091.400] CloseHandle (hObject=0x3f4) returned 1 [0091.400] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xf7cfd28 | out: lpFindFileData=0xf7cfd28) returned 1 [0091.400] lstrcmpW (lpString1=".", lpString2="LocalLow") returned -1 [0091.400] lstrcmpW (lpString1="..", lpString2="LocalLow") returned -1 [0091.400] lstrcmpiW (lpString1="windows", lpString2="LocalLow") returned 1 [0091.400] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\*.*" [0091.400] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\*.*") returned 37 [0091.400] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\", lpString2="LocalLow" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow" [0091.400] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\*.*" [0091.400] GlobalMemoryStatus (in: lpBuffer=0xf7cfd08 | out: lpBuffer=0xf7cfd08) [0091.400] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8eb9b88, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3f4 [0091.401] CloseHandle (hObject=0x3f4) returned 1 [0091.401] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xf7cfd28 | out: lpFindFileData=0xf7cfd28) returned 1 [0091.401] lstrcmpW (lpString1=".", lpString2="Roaming") returned -1 [0091.401] lstrcmpW (lpString1="..", lpString2="Roaming") returned -1 [0091.401] lstrcmpiW (lpString1="windows", lpString2="Roaming") returned 1 [0091.401] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\*.*" [0091.401] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\*.*") returned 37 [0091.401] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\", lpString2="Roaming" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming" [0091.401] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\*.*" [0091.401] GlobalMemoryStatus (in: lpBuffer=0xf7cfd08 | out: lpBuffer=0xf7cfd08) [0091.402] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8ed1bf0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3f4 [0091.402] CloseHandle (hObject=0x3f4) returned 1 [0091.402] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0xf7cfd28 | out: lpFindFileData=0xf7cfd28) returned 0 [0091.402] FindClose (in: hFindFile=0x5c9410 | out: hFindFile=0x5c9410) returned 1 Thread: id = 224 os_tid = 0xca4 [0091.438] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Application Data\\*.*", lpFindFileData=0xf90fd28 | out: lpFindFileData=0xf90fd28) returned 0xffffffff Thread: id = 225 os_tid = 0xca8 [0091.440] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*", lpFindFileData=0xfa4fd28 | out: lpFindFileData=0xfa4fd28) returned 0x5c8d90 [0091.440] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.440] FindNextFileW (in: hFindFile=0x5c8d90, lpFindFileData=0xfa4fd28 | out: lpFindFileData=0xfa4fd28) returned 1 [0091.440] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.440] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.440] FindNextFileW (in: hFindFile=0x5c8d90, lpFindFileData=0xfa4fd28 | out: lpFindFileData=0xfa4fd28) returned 1 [0091.440] lstrcpyW (in: lpString1=0x5b28730, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*" [0091.440] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*") returned 38 [0091.440] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\How To Restore Files.hta" [0091.440] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\how to restore files.hta")) returned 0xffffffff [0091.440] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x424 [0091.605] WriteFile (in: hFile=0x424, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xfa4fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xfa4fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0091.606] CloseHandle (hObject=0x424) returned 1 [0091.606] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0091.607] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Aclviho ASldjfl.contact") returned 1 [0091.607] lstrlenW (lpString="Aclviho ASldjfl.contact") returned 23 [0091.607] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*" [0091.607] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*") returned 38 [0091.607] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="Aclviho ASldjfl.contact" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact" [0091.607] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact" [0091.607] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact id-Br3n0G72wUb8CejT.LyaS" [0091.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\aclviho asldjfl.contact"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\aclviho asldjfl.contact id-br3n0g72wub8cejt.lyas")) returned 1 [0091.835] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\aclviho asldjfl.contact id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0091.835] CreateFileMappingA (hFile=0x464, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x468 [0091.835] CryptAcquireContextA (in: phProv=0xfa4fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xfa4fce4*=0x5d13e8) returned 1 [0091.836] CryptGenKey (in: hProv=0x5d13e8, Algid=0x6610, dwFlags=0x1, phKey=0xfa4fce0 | out: phKey=0xfa4fce0*=0x108054c8) returned 1 [0091.836] CryptExportKey (in: hKey=0x108054c8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xfa4fbdc, pdwDataLen=0xfa4fcdc | out: pbData=0xfa4fbdc*, pdwDataLen=0xfa4fcdc*=0x2c) returned 1 [0091.836] MapViewOfFile (hFileMappingObject=0x468, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x480) returned 0x11b60000 [0093.265] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfa4fbdc*, pdwDataLen=0xfa4fcf0*=0x40, dwBufLen=0x100 | out: pbData=0xfa4fbdc*, pdwDataLen=0xfa4fcf0*=0x100) returned 1 [0093.266] CryptEncrypt (in: hKey=0x108054c8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x11b60000*, pdwDataLen=0xfa4fcdc*=0x480, dwBufLen=0x480 | out: pbData=0x11b60000*, pdwDataLen=0xfa4fcdc*=0x480) returned 1 [0094.152] UnmapViewOfFile (lpBaseAddress=0x11b60000) returned 1 [0094.152] CloseHandle (hObject=0x468) returned 1 [0094.152] CryptDestroyKey (hKey=0x108054c8) returned 1 [0094.152] CryptReleaseContext (hProv=0x5d13e8, dwFlags=0x0) returned 1 [0094.152] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.152] WriteFile (in: hFile=0x464, lpBuffer=0xfa4fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xfa4fcf0, lpOverlapped=0x0 | out: lpBuffer=0xfa4fbdc*, lpNumberOfBytesWritten=0xfa4fcf0*=0x100, lpOverlapped=0x0) returned 1 [0094.459] WriteFile (in: hFile=0x464, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xfa4fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0xfa4fcf0*=0x500, lpOverlapped=0x0) returned 1 [0094.459] CloseHandle (hObject=0x464) returned 1 [0094.463] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0094.507] FindNextFileW (in: hFindFile=0x5c8d90, lpFindFileData=0xfa4fd28 | out: lpFindFileData=0xfa4fd28) returned 1 [0095.356] lstrcpyW (in: lpString1=0x3e1c358, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*" [0095.356] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*") returned 38 [0095.356] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\How To Restore Files.hta" [0095.356] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\how to restore files.hta")) returned 0x1 [0095.356] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="asdlfk poopvy.contact") returned 1 [0095.356] lstrlenW (lpString="asdlfk poopvy.contact") returned 21 [0095.356] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*" [0095.356] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*") returned 38 [0095.356] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="asdlfk poopvy.contact" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact" [0095.356] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact" [0095.356] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact id-Br3n0G72wUb8CejT.LyaS" [0095.356] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\asdlfk poopvy.contact"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\asdlfk poopvy.contact id-br3n0g72wub8cejt.lyas")) returned 1 [0095.468] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\asdlfk poopvy.contact id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0095.468] CreateFileMappingA (hFile=0x370, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3ec [0095.469] CryptAcquireContextA (in: phProv=0xfa4fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xfa4fce4*=0x1083cfd0) returned 1 [0095.469] CryptGenKey (in: hProv=0x1083cfd0, Algid=0x6610, dwFlags=0x1, phKey=0xfa4fce0 | out: phKey=0xfa4fce0*=0x5c8910) returned 1 [0095.469] CryptExportKey (in: hKey=0x5c8910, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xfa4fbdc, pdwDataLen=0xfa4fcdc | out: pbData=0xfa4fbdc*, pdwDataLen=0xfa4fcdc*=0x2c) returned 1 [0095.469] MapViewOfFile (hFileMappingObject=0x3ec, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x480) returned 0x4dc0000 [0095.548] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfa4fbdc*, pdwDataLen=0xfa4fcf0*=0x40, dwBufLen=0x100 | out: pbData=0xfa4fbdc*, pdwDataLen=0xfa4fcf0*=0x100) returned 1 [0095.549] CryptEncrypt (in: hKey=0x5c8910, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4dc0000*, pdwDataLen=0xfa4fcdc*=0x480, dwBufLen=0x480 | out: pbData=0x4dc0000*, pdwDataLen=0xfa4fcdc*=0x480) returned 1 [0095.549] UnmapViewOfFile (lpBaseAddress=0x4dc0000) returned 1 [0095.549] CloseHandle (hObject=0x3ec) returned 1 [0095.549] CryptDestroyKey (hKey=0x5c8910) returned 1 [0095.549] CryptReleaseContext (hProv=0x1083cfd0, dwFlags=0x0) returned 1 [0095.549] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.549] WriteFile (in: hFile=0x370, lpBuffer=0xfa4fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xfa4fcf0, lpOverlapped=0x0 | out: lpBuffer=0xfa4fbdc*, lpNumberOfBytesWritten=0xfa4fcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.550] WriteFile (in: hFile=0x370, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xfa4fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0xfa4fcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.550] CloseHandle (hObject=0x370) returned 1 [0095.551] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0095.552] FindNextFileW (in: hFindFile=0x5c8d90, lpFindFileData=0xfa4fd28 | out: lpFindFileData=0xfa4fd28) returned 1 [0095.552] lstrcpyW (in: lpString1=0x3e1c358, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*" [0095.552] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*") returned 38 [0095.552] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\How To Restore Files.hta" [0095.552] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\how to restore files.hta")) returned 0x1 [0095.552] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="chucu jadnvk.contact") returned 1 [0095.552] lstrlenW (lpString="chucu jadnvk.contact") returned 20 [0095.552] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*" [0095.552] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*") returned 38 [0095.552] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="chucu jadnvk.contact" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact" [0095.552] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact" [0095.552] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact id-Br3n0G72wUb8CejT.LyaS" [0095.552] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\chucu jadnvk.contact"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\chucu jadnvk.contact id-br3n0g72wub8cejt.lyas")) returned 1 [0095.553] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\chucu jadnvk.contact id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0095.554] CreateFileMappingA (hFile=0x370, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3ec [0095.554] CryptAcquireContextA (in: phProv=0xfa4fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xfa4fce4*=0x1083d168) returned 1 [0095.555] CryptGenKey (in: hProv=0x1083d168, Algid=0x6610, dwFlags=0x1, phKey=0xfa4fce0 | out: phKey=0xfa4fce0*=0x5c8c10) returned 1 [0095.555] CryptExportKey (in: hKey=0x5c8c10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xfa4fbdc, pdwDataLen=0xfa4fcdc | out: pbData=0xfa4fbdc*, pdwDataLen=0xfa4fcdc*=0x2c) returned 1 [0095.555] MapViewOfFile (hFileMappingObject=0x3ec, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x480) returned 0x4dc0000 [0096.366] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfa4fbdc*, pdwDataLen=0xfa4fcf0*=0x40, dwBufLen=0x100 | out: pbData=0xfa4fbdc*, pdwDataLen=0xfa4fcf0*=0x100) returned 1 [0096.366] CryptEncrypt (in: hKey=0x5c8c10, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4dc0000*, pdwDataLen=0xfa4fcdc*=0x480, dwBufLen=0x480 | out: pbData=0x4dc0000*, pdwDataLen=0xfa4fcdc*=0x480) returned 1 [0096.366] UnmapViewOfFile (lpBaseAddress=0x4dc0000) returned 1 [0096.370] CloseHandle (hObject=0x3ec) returned 1 [0096.370] CryptDestroyKey (hKey=0x5c8c10) returned 1 [0096.370] CryptReleaseContext (hProv=0x1083d168, dwFlags=0x0) returned 1 [0096.370] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.371] WriteFile (in: hFile=0x370, lpBuffer=0xfa4fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xfa4fcf0, lpOverlapped=0x0 | out: lpBuffer=0xfa4fbdc*, lpNumberOfBytesWritten=0xfa4fcf0*=0x100, lpOverlapped=0x0) returned 1 [0096.604] WriteFile (in: hFile=0x370, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xfa4fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0xfa4fcf0*=0x500, lpOverlapped=0x0) returned 1 [0096.605] CloseHandle (hObject=0x370) returned 1 [0096.611] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0096.612] FindNextFileW (in: hFindFile=0x5c8d90, lpFindFileData=0xfa4fd28 | out: lpFindFileData=0xfa4fd28) returned 1 [0097.009] lstrcpyW (in: lpString1=0x3df0328, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*" [0097.009] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*") returned 38 [0097.009] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\How To Restore Files.hta" [0097.009] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\how to restore files.hta")) returned 0x1 [0097.009] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="desktop.ini") returned 1 [0097.009] lstrlenW (lpString="desktop.ini") returned 11 [0097.009] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*" [0097.009] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*.*") returned 38 [0097.009] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\desktop.ini") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\desktop.ini" [0097.009] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\desktop.ini") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\desktop.ini" [0097.009] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\desktop.ini", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\desktop.ini id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" [0097.009] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\desktop.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Contacts\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\desktop.ini id-br3n0g72wub8cejt.lyas")) Thread: id = 226 os_tid = 0xcac [0091.441] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Cookies\\*.*", lpFindFileData=0xfb8fd28 | out: lpFindFileData=0xfb8fd28) returned 0xffffffff Thread: id = 227 os_tid = 0xcb0 [0091.443] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*.*", lpFindFileData=0xfccfd28 | out: lpFindFileData=0xfccfd28) returned 0x5955a8 [0091.443] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.443] FindNextFileW (in: hFindFile=0x5955a8, lpFindFileData=0xfccfd28 | out: lpFindFileData=0xfccfd28) returned 1 [0091.443] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.443] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.443] FindNextFileW (in: hFindFile=0x5955a8, lpFindFileData=0xfccfd28 | out: lpFindFileData=0xfccfd28) returned 1 [0091.443] lstrcmpW (lpString1=".", lpString2="0GI1oJfD7KPwXadVyJB") returned -1 [0091.443] lstrcmpW (lpString1="..", lpString2="0GI1oJfD7KPwXadVyJB") returned -1 [0091.443] lstrcmpiW (lpString1="windows", lpString2="0GI1oJfD7KPwXadVyJB") returned 1 [0091.443] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*.*" [0091.443] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*.*") returned 37 [0091.443] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="0GI1oJfD7KPwXadVyJB" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0GI1oJfD7KPwXadVyJB") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0GI1oJfD7KPwXadVyJB" [0091.444] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0GI1oJfD7KPwXadVyJB", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0GI1oJfD7KPwXadVyJB\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0GI1oJfD7KPwXadVyJB\\*.*" [0091.444] GlobalMemoryStatus (in: lpBuffer=0xfccfd08 | out: lpBuffer=0xfccfd08) [0091.444] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3ed0008, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3fc [0091.444] CloseHandle (hObject=0x3fc) returned 1 [0091.444] FindNextFileW (in: hFindFile=0x5955a8, lpFindFileData=0xfccfd28 | out: lpFindFileData=0xfccfd28) returned 1 [0091.444] lstrcpyW (in: lpString1=0x107c0940, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*.*" [0091.445] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*.*") returned 37 [0091.445] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\How To Restore Files.hta" [0091.445] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\how to restore files.hta")) returned 0xffffffff [0091.445] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x584 [0092.816] WriteFile (in: hFile=0x584, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xfccfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xfccfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0092.816] CloseHandle (hObject=0x584) returned 1 [0093.111] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.924] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="1PIfCh65fn7.docx") returned 1 [0094.924] lstrlenW (lpString="1PIfCh65fn7.docx") returned 16 [0094.924] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*.*" [0094.924] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*.*") returned 37 [0094.924] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="1PIfCh65fn7.docx" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\1PIfCh65fn7.docx") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\1PIfCh65fn7.docx" [0094.924] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\1PIfCh65fn7.docx" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\1PIfCh65fn7.docx") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\1PIfCh65fn7.docx" [0094.924] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\1PIfCh65fn7.docx", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\1PIfCh65fn7.docx id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\1PIfCh65fn7.docx id-Br3n0G72wUb8CejT.LyaS" [0094.924] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\1PIfCh65fn7.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\1pifch65fn7.docx"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\1PIfCh65fn7.docx id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\1pifch65fn7.docx id-br3n0g72wub8cejt.lyas")) returned 1 [0101.012] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\1PIfCh65fn7.docx id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\1pifch65fn7.docx id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 228 os_tid = 0xcb4 [0091.446] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*", lpFindFileData=0xfe0fd28 | out: lpFindFileData=0xfe0fd28) returned 0x5956e8 [0091.454] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.455] FindNextFileW (in: hFindFile=0x5956e8, lpFindFileData=0xfe0fd28 | out: lpFindFileData=0xfe0fd28) returned 1 [0091.455] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.455] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.455] FindNextFileW (in: hFindFile=0x5956e8, lpFindFileData=0xfe0fd28 | out: lpFindFileData=0xfe0fd28) returned 1 [0091.455] lstrcpyW (in: lpString1=0x3f20868, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*" [0091.455] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*") returned 39 [0091.455] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\How To Restore Files.hta" [0091.455] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\how to restore files.hta")) returned 0xffffffff [0091.456] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0091.618] WriteFile (in: hFile=0x438, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xfe0fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xfe0fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0091.619] CloseHandle (hObject=0x438) returned 1 [0091.619] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0091.619] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="2RMYqU6OwcaNfG5QwG.pptx") returned 1 [0091.619] lstrlenW (lpString="2RMYqU6OwcaNfG5QwG.pptx") returned 23 [0091.619] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*" [0091.619] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*") returned 39 [0091.619] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="2RMYqU6OwcaNfG5QwG.pptx" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\2RMYqU6OwcaNfG5QwG.pptx") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\2RMYqU6OwcaNfG5QwG.pptx" [0091.620] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\2RMYqU6OwcaNfG5QwG.pptx" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\2RMYqU6OwcaNfG5QwG.pptx") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\2RMYqU6OwcaNfG5QwG.pptx" [0091.620] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\2RMYqU6OwcaNfG5QwG.pptx", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\2RMYqU6OwcaNfG5QwG.pptx id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\2RMYqU6OwcaNfG5QwG.pptx id-Br3n0G72wUb8CejT.LyaS" [0091.620] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\2RMYqU6OwcaNfG5QwG.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\2rmyqu6owcanfg5qwg.pptx"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\2RMYqU6OwcaNfG5QwG.pptx id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\2rmyqu6owcanfg5qwg.pptx id-br3n0g72wub8cejt.lyas")) returned 1 [0091.620] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\2RMYqU6OwcaNfG5QwG.pptx id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\2rmyqu6owcanfg5qwg.pptx id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0091.621] CreateFileMappingA (hFile=0x438, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x43c [0091.621] CryptAcquireContextA (in: phProv=0xfe0fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xfe0fce4*=0x5d14f8) returned 1 [0091.621] CryptGenKey (in: hProv=0x5d14f8, Algid=0x6610, dwFlags=0x1, phKey=0xfe0fce0 | out: phKey=0xfe0fce0*=0x108051c8) returned 1 [0091.621] CryptExportKey (in: hKey=0x108051c8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xfe0fbdc, pdwDataLen=0xfe0fcdc | out: pbData=0xfe0fbdc*, pdwDataLen=0xfe0fcdc*=0x2c) returned 1 [0091.621] MapViewOfFile (hFileMappingObject=0x43c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x87c0) returned 0xf450000 [0091.624] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe0fbdc*, pdwDataLen=0xfe0fcf0*=0x40, dwBufLen=0x100 | out: pbData=0xfe0fbdc*, pdwDataLen=0xfe0fcf0*=0x100) returned 1 [0091.625] CryptEncrypt (in: hKey=0x108051c8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xf450000, pdwDataLen=0xfe0fcdc*=0x87c0, dwBufLen=0x87c0 | out: pbData=0xf450000*, pdwDataLen=0xfe0fcdc*=0x87c0) returned 1 [0091.625] UnmapViewOfFile (lpBaseAddress=0xf450000) returned 1 [0091.625] CloseHandle (hObject=0x43c) returned 1 [0091.625] CryptDestroyKey (hKey=0x108051c8) returned 1 [0091.625] CryptReleaseContext (hProv=0x5d14f8, dwFlags=0x0) returned 1 [0091.625] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.626] WriteFile (in: hFile=0x438, lpBuffer=0xfe0fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xfe0fcf0, lpOverlapped=0x0 | out: lpBuffer=0xfe0fbdc*, lpNumberOfBytesWritten=0xfe0fcf0*=0x100, lpOverlapped=0x0) returned 1 [0091.626] WriteFile (in: hFile=0x438, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xfe0fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0xfe0fcf0*=0x500, lpOverlapped=0x0) returned 1 [0091.626] CloseHandle (hObject=0x438) returned 1 [0091.630] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\2RMYqU6OwcaNfG5QwG.pptx id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0091.630] FindNextFileW (in: hFindFile=0x5956e8, lpFindFileData=0xfe0fd28 | out: lpFindFileData=0xfe0fd28) returned 1 [0091.630] lstrcmpW (lpString1=".", lpString2="8qeDlOZ") returned -1 [0091.630] lstrcmpW (lpString1="..", lpString2="8qeDlOZ") returned -1 [0091.630] lstrcmpiW (lpString1="windows", lpString2="8qeDlOZ") returned 1 [0091.630] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*" [0091.630] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*") returned 39 [0091.630] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="8qeDlOZ" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\8qeDlOZ") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\8qeDlOZ" [0091.631] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\8qeDlOZ", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\8qeDlOZ\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\8qeDlOZ\\*.*" [0091.631] GlobalMemoryStatus (in: lpBuffer=0xfe0fd08 | out: lpBuffer=0xfe0fd08) [0091.631] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2ca8008, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x438 [0091.631] CloseHandle (hObject=0x438) returned 1 [0091.631] FindNextFileW (in: hFindFile=0x5956e8, lpFindFileData=0xfe0fd28 | out: lpFindFileData=0xfe0fd28) returned 1 [0091.631] lstrcpyW (in: lpString1=0x3f20868, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*" [0091.631] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*") returned 39 [0091.631] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\How To Restore Files.hta" [0091.631] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\how to restore files.hta")) returned 0x1 [0091.632] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="9f-BbJpQsNgzH8xy.ots") returned 1 [0091.632] lstrlenW (lpString="9f-BbJpQsNgzH8xy.ots") returned 20 [0091.632] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*" [0091.632] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*") returned 39 [0091.632] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="9f-BbJpQsNgzH8xy.ots" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\9f-BbJpQsNgzH8xy.ots") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\9f-BbJpQsNgzH8xy.ots" [0091.632] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\9f-BbJpQsNgzH8xy.ots" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\9f-BbJpQsNgzH8xy.ots") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\9f-BbJpQsNgzH8xy.ots" [0091.632] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\9f-BbJpQsNgzH8xy.ots", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\9f-BbJpQsNgzH8xy.ots id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\9f-BbJpQsNgzH8xy.ots id-Br3n0G72wUb8CejT.LyaS" [0091.632] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\9f-BbJpQsNgzH8xy.ots" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9f-bbjpqsngzh8xy.ots"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\9f-BbJpQsNgzH8xy.ots id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9f-bbjpqsngzh8xy.ots id-br3n0g72wub8cejt.lyas")) returned 1 [0091.633] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\9f-BbJpQsNgzH8xy.ots id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9f-bbjpqsngzh8xy.ots id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0091.633] CreateFileMappingA (hFile=0x438, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x43c [0091.633] CryptAcquireContextA (in: phProv=0xfe0fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xfe0fce4*=0x5d1250) returned 1 [0091.633] CryptGenKey (in: hProv=0x5d1250, Algid=0x6610, dwFlags=0x1, phKey=0xfe0fce0 | out: phKey=0xfe0fce0*=0x108051c8) returned 1 [0091.634] CryptExportKey (in: hKey=0x108051c8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xfe0fbdc, pdwDataLen=0xfe0fcdc | out: pbData=0xfe0fbdc*, pdwDataLen=0xfe0fcdc*=0x2c) returned 1 [0091.634] MapViewOfFile (hFileMappingObject=0x43c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6f20) returned 0x101d0000 [0091.636] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe0fbdc*, pdwDataLen=0xfe0fcf0*=0x40, dwBufLen=0x100 | out: pbData=0xfe0fbdc*, pdwDataLen=0xfe0fcf0*=0x100) returned 1 [0091.636] CryptEncrypt (in: hKey=0x108051c8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x101d0000*, pdwDataLen=0xfe0fcdc*=0x6f20, dwBufLen=0x6f20 | out: pbData=0x101d0000*, pdwDataLen=0xfe0fcdc*=0x6f20) returned 1 [0091.637] UnmapViewOfFile (lpBaseAddress=0x101d0000) returned 1 [0091.637] CloseHandle (hObject=0x43c) returned 1 [0091.637] CryptDestroyKey (hKey=0x108051c8) returned 1 [0091.637] CryptReleaseContext (hProv=0x5d1250, dwFlags=0x0) returned 1 [0091.637] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.637] WriteFile (in: hFile=0x438, lpBuffer=0xfe0fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xfe0fcf0, lpOverlapped=0x0 | out: lpBuffer=0xfe0fbdc*, lpNumberOfBytesWritten=0xfe0fcf0*=0x100, lpOverlapped=0x0) returned 1 [0091.637] WriteFile (in: hFile=0x438, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xfe0fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0xfe0fcf0*=0x500, lpOverlapped=0x0) returned 1 [0091.638] CloseHandle (hObject=0x438) returned 1 [0093.260] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\9f-BbJpQsNgzH8xy.ots id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0093.261] FindNextFileW (in: hFindFile=0x5956e8, lpFindFileData=0xfe0fd28 | out: lpFindFileData=0xfe0fd28) returned 1 [0094.152] lstrcpyW (in: lpString1=0x8d91650, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*" [0094.152] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*") returned 39 [0094.152] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\How To Restore Files.hta" [0094.152] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\how to restore files.hta")) returned 0x1 [0094.153] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ciEYcg BbzFlEAagVLi.pptx") returned 1 [0094.153] lstrlenW (lpString="ciEYcg BbzFlEAagVLi.pptx") returned 24 [0094.153] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*" [0094.153] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*") returned 39 [0094.153] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="ciEYcg BbzFlEAagVLi.pptx" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\ciEYcg BbzFlEAagVLi.pptx") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\ciEYcg BbzFlEAagVLi.pptx" [0094.153] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\ciEYcg BbzFlEAagVLi.pptx" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\ciEYcg BbzFlEAagVLi.pptx") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\ciEYcg BbzFlEAagVLi.pptx" [0094.153] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\ciEYcg BbzFlEAagVLi.pptx", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\ciEYcg BbzFlEAagVLi.pptx id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\ciEYcg BbzFlEAagVLi.pptx id-Br3n0G72wUb8CejT.LyaS" [0094.153] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\ciEYcg BbzFlEAagVLi.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\cieycg bbzfleaagvli.pptx"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\ciEYcg BbzFlEAagVLi.pptx id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\cieycg bbzfleaagvli.pptx id-br3n0g72wub8cejt.lyas")) returned 1 [0094.541] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\ciEYcg BbzFlEAagVLi.pptx id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\cieycg bbzfleaagvli.pptx id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0094.542] CreateFileMappingA (hFile=0x31c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x348 [0094.542] CryptAcquireContextA (in: phProv=0xfe0fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xfe0fce4*=0x1083d278) returned 1 [0095.272] CryptGenKey (in: hProv=0x1083d278, Algid=0x6610, dwFlags=0x1, phKey=0xfe0fce0 | out: phKey=0xfe0fce0*=0x5c8e10) returned 1 [0095.272] CryptExportKey (in: hKey=0x5c8e10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xfe0fbdc, pdwDataLen=0xfe0fcdc | out: pbData=0xfe0fbdc*, pdwDataLen=0xfe0fcdc*=0x2c) returned 1 [0095.272] MapViewOfFile (hFileMappingObject=0x348, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18860) returned 0x4dc0000 [0095.276] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe0fbdc*, pdwDataLen=0xfe0fcf0*=0x40, dwBufLen=0x100 | out: pbData=0xfe0fbdc*, pdwDataLen=0xfe0fcf0*=0x100) returned 1 [0095.277] CryptEncrypt (in: hKey=0x5c8e10, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4dc0000, pdwDataLen=0xfe0fcdc*=0x18860, dwBufLen=0x18860 | out: pbData=0x4dc0000*, pdwDataLen=0xfe0fcdc*=0x18860) returned 1 [0095.277] UnmapViewOfFile (lpBaseAddress=0x4dc0000) returned 1 [0095.278] CloseHandle (hObject=0x348) returned 1 [0095.278] CryptDestroyKey (hKey=0x5c8e10) returned 1 [0095.278] CryptReleaseContext (hProv=0x1083d278, dwFlags=0x0) returned 1 [0095.278] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.279] WriteFile (in: hFile=0x31c, lpBuffer=0xfe0fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xfe0fcf0, lpOverlapped=0x0 | out: lpBuffer=0xfe0fbdc*, lpNumberOfBytesWritten=0xfe0fcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.279] WriteFile (in: hFile=0x31c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xfe0fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0xfe0fcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.279] CloseHandle (hObject=0x31c) returned 1 [0095.283] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\ciEYcg BbzFlEAagVLi.pptx id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0095.283] FindNextFileW (in: hFindFile=0x5956e8, lpFindFileData=0xfe0fd28 | out: lpFindFileData=0xfe0fd28) returned 1 [0095.283] lstrcpyW (in: lpString1=0x3e1c358, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*" [0095.283] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*") returned 39 [0095.283] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\How To Restore Files.hta" [0095.283] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\how to restore files.hta")) returned 0x1 [0095.283] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="d43nQxH.docx") returned 1 [0095.283] lstrlenW (lpString="d43nQxH.docx") returned 12 [0095.283] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*" [0095.283] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*") returned 39 [0095.283] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="d43nQxH.docx" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\d43nQxH.docx") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\d43nQxH.docx" [0095.284] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\d43nQxH.docx" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\d43nQxH.docx") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\d43nQxH.docx" [0095.284] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\d43nQxH.docx", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\d43nQxH.docx id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\d43nQxH.docx id-Br3n0G72wUb8CejT.LyaS" [0095.284] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\d43nQxH.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\d43nqxh.docx"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\d43nQxH.docx id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\d43nqxh.docx id-br3n0g72wub8cejt.lyas")) returned 1 [0095.284] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\d43nQxH.docx id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\d43nqxh.docx id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0095.285] CreateFileMappingA (hFile=0x31c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x348 [0095.285] CryptAcquireContextA (in: phProv=0xfe0fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xfe0fce4*=0x1083ce38) returned 1 [0095.285] CryptGenKey (in: hProv=0x1083ce38, Algid=0x6610, dwFlags=0x1, phKey=0xfe0fce0 | out: phKey=0xfe0fce0*=0x5c8e10) returned 1 [0095.285] CryptExportKey (in: hKey=0x5c8e10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xfe0fbdc, pdwDataLen=0xfe0fcdc | out: pbData=0xfe0fbdc*, pdwDataLen=0xfe0fcdc*=0x2c) returned 1 [0095.285] MapViewOfFile (hFileMappingObject=0x348, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9820) returned 0x4dc0000 [0095.288] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe0fbdc*, pdwDataLen=0xfe0fcf0*=0x40, dwBufLen=0x100 | out: pbData=0xfe0fbdc*, pdwDataLen=0xfe0fcf0*=0x100) returned 1 [0095.289] CryptEncrypt (in: hKey=0x5c8e10, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4dc0000, pdwDataLen=0xfe0fcdc*=0x9820, dwBufLen=0x9820 | out: pbData=0x4dc0000*, pdwDataLen=0xfe0fcdc*=0x9820) returned 1 [0095.289] UnmapViewOfFile (lpBaseAddress=0x4dc0000) returned 1 [0095.289] CloseHandle (hObject=0x348) returned 1 [0095.290] CryptDestroyKey (hKey=0x5c8e10) returned 1 [0095.290] CryptReleaseContext (hProv=0x1083ce38, dwFlags=0x0) returned 1 [0095.290] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.290] WriteFile (in: hFile=0x31c, lpBuffer=0xfe0fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xfe0fcf0, lpOverlapped=0x0 | out: lpBuffer=0xfe0fbdc*, lpNumberOfBytesWritten=0xfe0fcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.290] WriteFile (in: hFile=0x31c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xfe0fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0xfe0fcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.290] CloseHandle (hObject=0x31c) returned 1 [0095.298] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\d43nQxH.docx id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0095.299] FindNextFileW (in: hFindFile=0x5956e8, lpFindFileData=0xfe0fd28 | out: lpFindFileData=0xfe0fd28) returned 1 [0095.299] lstrcpyW (in: lpString1=0x3e1c358, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*" [0095.299] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*") returned 39 [0095.299] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\How To Restore Files.hta" [0095.299] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\how to restore files.hta")) returned 0x1 [0095.299] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Database1.accdb") returned 1 [0095.299] lstrlenW (lpString="Database1.accdb") returned 15 [0095.299] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*" [0095.299] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\*.*") returned 39 [0095.299] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="Database1.accdb" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb" [0095.299] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb" [0095.300] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb id-Br3n0G72wUb8CejT.LyaS" [0095.300] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\database1.accdb"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\database1.accdb id-br3n0g72wub8cejt.lyas")) returned 1 [0095.300] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\database1.accdb id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0095.301] CreateFileMappingA (hFile=0x31c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x348 [0095.301] CryptAcquireContextA (in: phProv=0xfe0fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xfe0fce4*=0x1083cec0) returned 1 [0095.301] CryptGenKey (in: hProv=0x1083cec0, Algid=0x6610, dwFlags=0x1, phKey=0xfe0fce0 | out: phKey=0xfe0fce0*=0x5c8e10) returned 1 [0095.301] CryptExportKey (in: hKey=0x5c8e10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xfe0fbdc, pdwDataLen=0xfe0fcdc | out: pbData=0xfe0fbdc*, pdwDataLen=0xfe0fcdc*=0x2c) returned 1 [0095.301] MapViewOfFile (hFileMappingObject=0x348, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x57000) returned 0x28130000 [0095.337] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe0fbdc*, pdwDataLen=0xfe0fcf0*=0x40, dwBufLen=0x100 | out: pbData=0xfe0fbdc*, pdwDataLen=0xfe0fcf0*=0x100) returned 1 [0095.337] CryptEncrypt (in: hKey=0x5c8e10, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x28130000, pdwDataLen=0xfe0fcdc*=0x57000, dwBufLen=0x57000 | out: pbData=0x28130000*, pdwDataLen=0xfe0fcdc*=0x57000) returned 1 [0098.949] UnmapViewOfFile (lpBaseAddress=0x28130000) returned 1 [0098.952] CloseHandle (hObject=0x348) returned 1 [0098.952] CryptDestroyKey (hKey=0x5c8e10) returned 1 [0098.952] CryptReleaseContext (hProv=0x1083cec0, dwFlags=0x0) returned 1 [0098.952] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.953] WriteFile (hFile=0x31c, lpBuffer=0xfe0fbdc, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xfe0fcf0, lpOverlapped=0x0) Thread: id = 229 os_tid = 0x780 [0091.459] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\*.*", lpFindFileData=0xff4fd28 | out: lpFindFileData=0xff4fd28) returned 0x10805708 [0091.459] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.459] FindNextFileW (in: hFindFile=0x10805708, lpFindFileData=0xff4fd28 | out: lpFindFileData=0xff4fd28) returned 1 [0091.459] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.459] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.459] FindNextFileW (in: hFindFile=0x10805708, lpFindFileData=0xff4fd28 | out: lpFindFileData=0xff4fd28) returned 1 [0091.460] lstrcpyW (in: lpString1=0x3f28870, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\*.*" [0091.460] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\*.*") returned 39 [0091.460] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\How To Restore Files.hta" [0091.460] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\downloads\\how to restore files.hta")) returned 0xffffffff [0091.460] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\downloads\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0091.647] WriteFile (in: hFile=0x43c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0xff4fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xff4fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0091.648] CloseHandle (hObject=0x43c) returned 1 [0091.648] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0091.649] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ChromeSetup.exe") returned 1 [0091.649] lstrlenW (lpString="ChromeSetup.exe") returned 15 [0091.649] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\*.*" [0091.649] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\*.*") returned 39 [0091.649] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\", lpString2="ChromeSetup.exe" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\ChromeSetup.exe") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\ChromeSetup.exe" [0091.649] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\ChromeSetup.exe" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\ChromeSetup.exe") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\ChromeSetup.exe" [0091.649] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\ChromeSetup.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\ChromeSetup.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\ChromeSetup.exe id-Br3n0G72wUb8CejT.LyaS" [0091.649] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\ChromeSetup.exe" (normalized: "c:\\users\\ciihmnxmn6ps\\downloads\\chromesetup.exe"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\ChromeSetup.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\downloads\\chromesetup.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0091.650] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Downloads\\ChromeSetup.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\downloads\\chromesetup.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0091.651] CreateFileMappingA (hFile=0x43c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x440 [0091.651] CryptAcquireContextA (in: phProv=0xff4fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xff4fce4*=0x5d1250) returned 1 [0091.651] CryptGenKey (in: hProv=0x5d1250, Algid=0x6610, dwFlags=0x1, phKey=0xff4fce0 | out: phKey=0xff4fce0*=0x108051c8) returned 1 [0091.651] CryptExportKey (in: hKey=0x108051c8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xff4fbdc, pdwDataLen=0xff4fcdc | out: pbData=0xff4fbdc*, pdwDataLen=0xff4fcdc*=0x2c) returned 1 [0091.651] MapViewOfFile (hFileMappingObject=0x440, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x101d0000 [0094.280] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff4fbdc*, pdwDataLen=0xff4fcf0*=0x40, dwBufLen=0x100 | out: pbData=0xff4fbdc*, pdwDataLen=0xff4fcf0*=0x100) returned 1 [0094.281] CryptEncrypt (hKey=0x108051c8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x101d0000, pdwDataLen=0xff4fcdc*=0x100000, dwBufLen=0x100000) Thread: id = 230 os_tid = 0x7b4 [0091.469] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*.*", lpFindFileData=0x1008fd28 | out: lpFindFileData=0x1008fd28) returned 0x10805548 [0091.873] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.873] FindNextFileW (in: hFindFile=0x10805548, lpFindFileData=0x1008fd28 | out: lpFindFileData=0x1008fd28) returned 1 [0091.873] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.873] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.873] FindNextFileW (in: hFindFile=0x10805548, lpFindFileData=0x1008fd28 | out: lpFindFileData=0x1008fd28) returned 1 [0091.873] lstrcpyW (in: lpString1=0x105f01e8, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*.*" [0091.873] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*.*") returned 39 [0091.873] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\How To Restore Files.hta" [0091.873] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\how to restore files.hta")) returned 0xffffffff [0091.873] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4ac [0094.550] WriteFile (in: hFile=0x4ac, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1008fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1008fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.551] CloseHandle (hObject=0x4ac) returned 1 [0094.551] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.961] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Bing.url") returned 1 [0094.961] lstrlenW (lpString="Bing.url") returned 8 [0094.961] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*.*" [0094.961] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*.*") returned 39 [0094.961] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\", lpString2="Bing.url" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url" [0094.961] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url" [0094.961] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url id-Br3n0G72wUb8CejT.LyaS" [0094.961] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\bing.url"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\bing.url id-br3n0g72wub8cejt.lyas")) returned 1 [0095.108] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\bing.url id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0095.108] CreateFileMappingA (hFile=0x320, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x61c [0095.108] CryptAcquireContextA (in: phProv=0x1008fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1008fce4*=0x1083d058) returned 1 [0095.109] CryptGenKey (in: hProv=0x1083d058, Algid=0x6610, dwFlags=0x1, phKey=0x1008fce0 | out: phKey=0x1008fce0*=0x5c9250) returned 1 [0095.109] CryptExportKey (in: hKey=0x5c9250, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1008fbdc, pdwDataLen=0x1008fcdc | out: pbData=0x1008fbdc*, pdwDataLen=0x1008fcdc*=0x2c) returned 1 [0095.109] MapViewOfFile (hFileMappingObject=0x61c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc0) returned 0x31f0000 [0095.126] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1008fbdc*, pdwDataLen=0x1008fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1008fbdc*, pdwDataLen=0x1008fcf0*=0x100) returned 1 [0095.127] CryptEncrypt (in: hKey=0x5c9250, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x31f0000*, pdwDataLen=0x1008fcdc*=0xc0, dwBufLen=0xc0 | out: pbData=0x31f0000*, pdwDataLen=0x1008fcdc*=0xc0) returned 1 [0095.127] UnmapViewOfFile (lpBaseAddress=0x31f0000) returned 1 [0095.127] CloseHandle (hObject=0x61c) returned 1 [0095.127] CryptDestroyKey (hKey=0x5c9250) returned 1 [0095.127] CryptReleaseContext (hProv=0x1083d058, dwFlags=0x0) returned 1 [0095.127] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.127] WriteFile (in: hFile=0x320, lpBuffer=0x1008fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1008fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1008fbdc*, lpNumberOfBytesWritten=0x1008fcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.128] WriteFile (in: hFile=0x320, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1008fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1008fcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.132] CloseHandle (hObject=0x320) returned 1 [0095.136] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0095.136] FindNextFileW (in: hFindFile=0x10805548, lpFindFileData=0x1008fd28 | out: lpFindFileData=0x1008fd28) returned 1 [0095.136] lstrcpyW (in: lpString1=0x105f01e8, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*.*" [0095.136] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*.*") returned 39 [0095.136] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\How To Restore Files.hta" [0095.136] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\how to restore files.hta")) returned 0x1 [0095.136] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="desktop.ini") returned 1 [0095.136] lstrlenW (lpString="desktop.ini") returned 11 [0095.136] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*.*" [0095.137] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*.*") returned 39 [0095.137] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini" [0095.137] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini" [0095.137] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" [0095.137] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\desktop.ini id-br3n0g72wub8cejt.lyas")) returned 1 [0095.138] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\desktop.ini id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0095.138] CreateFileMappingA (hFile=0x320, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0095.138] CryptAcquireContextA (in: phProv=0x1008fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1008fce4*=0x1083cdb0) returned 1 [0095.139] CryptGenKey (in: hProv=0x1083cdb0, Algid=0x6610, dwFlags=0x1, phKey=0x1008fce0 | out: phKey=0x1008fce0*=0x5c8e10) returned 1 [0095.139] CryptExportKey (in: hKey=0x5c8e10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1008fbdc, pdwDataLen=0x1008fcdc | out: pbData=0x1008fbdc*, pdwDataLen=0x1008fcdc*=0x2c) returned 1 [0095.139] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x180) returned 0x31f0000 [0095.142] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1008fbdc*, pdwDataLen=0x1008fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1008fbdc*, pdwDataLen=0x1008fcf0*=0x100) returned 1 [0095.142] CryptEncrypt (in: hKey=0x5c8e10, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x31f0000*, pdwDataLen=0x1008fcdc*=0x180, dwBufLen=0x180 | out: pbData=0x31f0000*, pdwDataLen=0x1008fcdc*=0x180) returned 1 [0095.142] UnmapViewOfFile (lpBaseAddress=0x31f0000) returned 1 [0095.142] CloseHandle (hObject=0x5b4) returned 1 [0095.142] CryptDestroyKey (hKey=0x5c8e10) returned 1 [0095.143] CryptReleaseContext (hProv=0x1083cdb0, dwFlags=0x0) returned 1 [0095.143] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.143] WriteFile (in: hFile=0x320, lpBuffer=0x1008fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1008fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1008fbdc*, lpNumberOfBytesWritten=0x1008fcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.146] WriteFile (in: hFile=0x320, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1008fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1008fcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.146] CloseHandle (hObject=0x320) returned 1 [0095.154] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0095.154] FindNextFileW (in: hFindFile=0x10805548, lpFindFileData=0x1008fd28 | out: lpFindFileData=0x1008fd28) returned 1 [0095.154] lstrcmpW (lpString1=".", lpString2="Links") returned -1 [0095.154] lstrcmpW (lpString1="..", lpString2="Links") returned -1 [0095.154] lstrcmpiW (lpString1="windows", lpString2="Links") returned 1 [0095.155] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*.*" [0095.155] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*.*") returned 39 [0095.155] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\", lpString2="Links" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links" [0095.155] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\*.*" [0095.155] GlobalMemoryStatus (in: lpBuffer=0x1008fd08 | out: lpBuffer=0x1008fd08) [0095.155] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10d11c30, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0095.156] CloseHandle (hObject=0x320) returned 1 [0095.156] FindNextFileW (in: hFindFile=0x10805548, lpFindFileData=0x1008fd28 | out: lpFindFileData=0x1008fd28) returned 0 [0095.156] FindClose (in: hFindFile=0x10805548 | out: hFindFile=0x10805548) returned 1 Thread: id = 231 os_tid = 0x52c [0091.469] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*", lpFindFileData=0x101cfd28 | out: lpFindFileData=0x101cfd28) returned 0x10805588 [0091.873] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.873] FindNextFileW (in: hFindFile=0x10805588, lpFindFileData=0x101cfd28 | out: lpFindFileData=0x101cfd28) returned 1 [0091.874] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.874] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.874] FindNextFileW (in: hFindFile=0x10805588, lpFindFileData=0x101cfd28 | out: lpFindFileData=0x101cfd28) returned 1 [0091.874] lstrcpyW (in: lpString1=0x5b28730, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*" [0091.874] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*") returned 35 [0091.874] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\How To Restore Files.hta" [0091.874] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\links\\how to restore files.hta")) returned 0xffffffff [0091.875] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\links\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0092.090] WriteFile (in: hFile=0x45c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x101cfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x101cfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0092.090] CloseHandle (hObject=0x45c) returned 1 [0092.091] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0092.091] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="desktop.ini") returned 1 [0092.091] lstrlenW (lpString="desktop.ini") returned 11 [0092.091] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*" [0092.091] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*") returned 35 [0092.091] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini" [0092.091] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini" [0092.091] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" [0092.091] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\links\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\links\\desktop.ini id-br3n0g72wub8cejt.lyas")) returned 1 [0092.092] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\links\\desktop.ini id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0092.092] CreateFileMappingA (hFile=0x45c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x42c [0092.092] CryptAcquireContextA (in: phProv=0x101cfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x101cfce4*=0x5d19c0) returned 1 [0092.093] CryptGenKey (in: hProv=0x5d19c0, Algid=0x6610, dwFlags=0x1, phKey=0x101cfce0 | out: phKey=0x101cfce0*=0x108058c8) returned 1 [0092.093] CryptExportKey (in: hKey=0x108058c8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x101cfbdc, pdwDataLen=0x101cfcdc | out: pbData=0x101cfbdc*, pdwDataLen=0x101cfcdc*=0x2c) returned 1 [0092.093] MapViewOfFile (hFileMappingObject=0x42c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1e0) returned 0x64d0000 [0092.097] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x101cfbdc*, pdwDataLen=0x101cfcf0*=0x40, dwBufLen=0x100 | out: pbData=0x101cfbdc*, pdwDataLen=0x101cfcf0*=0x100) returned 1 [0092.098] CryptEncrypt (in: hKey=0x108058c8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x64d0000*, pdwDataLen=0x101cfcdc*=0x1e0, dwBufLen=0x1e0 | out: pbData=0x64d0000*, pdwDataLen=0x101cfcdc*=0x1e0) returned 1 [0092.098] UnmapViewOfFile (lpBaseAddress=0x64d0000) returned 1 [0092.098] CloseHandle (hObject=0x42c) returned 1 [0092.098] CryptDestroyKey (hKey=0x108058c8) returned 1 [0092.098] CryptReleaseContext (hProv=0x5d19c0, dwFlags=0x0) returned 1 [0092.098] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.098] WriteFile (in: hFile=0x45c, lpBuffer=0x101cfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x101cfcf0, lpOverlapped=0x0 | out: lpBuffer=0x101cfbdc*, lpNumberOfBytesWritten=0x101cfcf0*=0x100, lpOverlapped=0x0) returned 1 [0092.105] WriteFile (in: hFile=0x45c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x101cfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x101cfcf0*=0x500, lpOverlapped=0x0) returned 1 [0092.105] CloseHandle (hObject=0x45c) returned 1 [0092.111] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0092.112] FindNextFileW (in: hFindFile=0x10805588, lpFindFileData=0x101cfd28 | out: lpFindFileData=0x101cfd28) returned 1 [0092.112] lstrcpyW (in: lpString1=0x3ec5e90, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*" [0092.112] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*") returned 35 [0092.112] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\How To Restore Files.hta" [0092.112] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\links\\how to restore files.hta")) returned 0x1 [0092.112] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Desktop.lnk") returned 1 [0092.112] lstrlenW (lpString="Desktop.lnk") returned 11 [0092.112] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*" [0092.112] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*") returned 35 [0092.112] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\", lpString2="Desktop.lnk" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\Desktop.lnk") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\Desktop.lnk" [0092.112] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\Desktop.lnk" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\Desktop.lnk") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\Desktop.lnk" [0092.112] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\Desktop.lnk", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\Desktop.lnk id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\Desktop.lnk id-Br3n0G72wUb8CejT.LyaS" [0092.112] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\Desktop.lnk" (normalized: "c:\\users\\ciihmnxmn6ps\\links\\desktop.lnk"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\Desktop.lnk id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\links\\desktop.lnk id-br3n0g72wub8cejt.lyas")) returned 1 [0092.307] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\Desktop.lnk id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\links\\desktop.lnk id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d0 [0092.308] CreateFileMappingA (hFile=0x4d0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4d4 [0092.308] CryptAcquireContextA (in: phProv=0x101cfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x101cfce4*=0x5d1938) returned 1 [0092.308] CryptGenKey (in: hProv=0x5d1938, Algid=0x6610, dwFlags=0x1, phKey=0x101cfce0 | out: phKey=0x101cfce0*=0x10804e48) returned 1 [0092.308] CryptExportKey (in: hKey=0x10804e48, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x101cfbdc, pdwDataLen=0x101cfcdc | out: pbData=0x101cfbdc*, pdwDataLen=0x101cfcdc*=0x2c) returned 1 [0092.309] MapViewOfFile (hFileMappingObject=0x4d4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x200) returned 0x64e0000 [0092.311] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x101cfbdc*, pdwDataLen=0x101cfcf0*=0x40, dwBufLen=0x100 | out: pbData=0x101cfbdc*, pdwDataLen=0x101cfcf0*=0x100) returned 1 [0092.312] CryptEncrypt (in: hKey=0x10804e48, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x64e0000*, pdwDataLen=0x101cfcdc*=0x200, dwBufLen=0x200 | out: pbData=0x64e0000*, pdwDataLen=0x101cfcdc*=0x200) returned 1 [0092.312] UnmapViewOfFile (lpBaseAddress=0x64e0000) returned 1 [0092.312] CloseHandle (hObject=0x4d4) returned 1 [0092.312] CryptDestroyKey (hKey=0x10804e48) returned 1 [0092.312] CryptReleaseContext (hProv=0x5d1938, dwFlags=0x0) returned 1 [0092.312] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.312] WriteFile (in: hFile=0x4d0, lpBuffer=0x101cfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x101cfcf0, lpOverlapped=0x0 | out: lpBuffer=0x101cfbdc*, lpNumberOfBytesWritten=0x101cfcf0*=0x100, lpOverlapped=0x0) returned 1 [0093.970] WriteFile (in: hFile=0x4d0, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x101cfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x101cfcf0*=0x500, lpOverlapped=0x0) returned 1 [0093.971] CloseHandle (hObject=0x4d0) returned 1 [0094.580] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\Desktop.lnk id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0094.580] FindNextFileW (in: hFindFile=0x10805588, lpFindFileData=0x101cfd28 | out: lpFindFileData=0x101cfd28) returned 1 [0094.922] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*" [0094.922] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*") returned 35 [0094.922] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\How To Restore Files.hta" [0094.922] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\links\\how to restore files.hta")) returned 0x1 [0097.234] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Downloads.lnk") returned 1 [0097.234] lstrlenW (lpString="Downloads.lnk") returned 13 [0097.234] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*" [0097.234] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\*.*") returned 35 [0097.234] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\", lpString2="Downloads.lnk" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\Downloads.lnk") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\Downloads.lnk" [0097.234] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\Downloads.lnk" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\Downloads.lnk") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\Downloads.lnk" [0097.234] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\Downloads.lnk", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\Downloads.lnk id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\Downloads.lnk id-Br3n0G72wUb8CejT.LyaS" [0097.234] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\Downloads.lnk" (normalized: "c:\\users\\ciihmnxmn6ps\\links\\downloads.lnk"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Links\\Downloads.lnk id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\links\\downloads.lnk id-br3n0g72wub8cejt.lyas")) Thread: id = 232 os_tid = 0x7b8 [0091.507] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Local Settings\\*.*", lpFindFileData=0x1030fd28 | out: lpFindFileData=0x1030fd28) returned 0xffffffff Thread: id = 233 os_tid = 0xad4 [0091.508] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*", lpFindFileData=0x1044fd28 | out: lpFindFileData=0x1044fd28) returned 0x10805748 [0091.508] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.508] FindNextFileW (in: hFindFile=0x10805748, lpFindFileData=0x1044fd28 | out: lpFindFileData=0x1044fd28) returned 1 [0091.508] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.508] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.508] FindNextFileW (in: hFindFile=0x10805748, lpFindFileData=0x1044fd28 | out: lpFindFileData=0x1044fd28) returned 1 [0091.508] lstrcmpW (lpString1=".", lpString2="9HgGbh_jCL6ZmFM") returned -1 [0091.508] lstrcmpW (lpString1="..", lpString2="9HgGbh_jCL6ZmFM") returned -1 [0091.508] lstrcmpiW (lpString1="windows", lpString2="9HgGbh_jCL6ZmFM") returned 1 [0091.508] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" [0091.508] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned 35 [0091.508] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="9HgGbh_jCL6ZmFM" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\9HgGbh_jCL6ZmFM") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\9HgGbh_jCL6ZmFM" [0091.508] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\9HgGbh_jCL6ZmFM", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\9HgGbh_jCL6ZmFM\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\9HgGbh_jCL6ZmFM\\*.*" [0091.508] GlobalMemoryStatus (in: lpBuffer=0x1044fd08 | out: lpBuffer=0x1044fd08) [0091.509] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8ff20d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x414 [0091.509] CloseHandle (hObject=0x414) returned 1 [0091.509] FindNextFileW (in: hFindFile=0x10805748, lpFindFileData=0x1044fd28 | out: lpFindFileData=0x1044fd28) returned 1 [0091.509] lstrcpyW (in: lpString1=0x5b30738, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" [0091.509] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned 35 [0091.509] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta" [0091.509] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\how to restore files.hta")) returned 0xffffffff [0091.509] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0091.510] WriteFile (in: hFile=0x414, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1044fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1044fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0091.511] CloseHandle (hObject=0x414) returned 1 [0091.511] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0091.511] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="desktop.ini") returned 1 [0091.511] lstrlenW (lpString="desktop.ini") returned 11 [0091.511] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" [0091.511] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned 35 [0091.511] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini" [0091.512] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini" [0091.512] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" [0091.512] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\desktop.ini id-br3n0g72wub8cejt.lyas")) returned 1 [0091.512] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\desktop.ini id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0091.513] CreateFileMappingA (hFile=0x414, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x418 [0091.513] CryptAcquireContextA (in: phProv=0x1044fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1044fce4*=0x5d0f20) returned 1 [0091.513] CryptGenKey (in: hProv=0x5d0f20, Algid=0x6610, dwFlags=0x1, phKey=0x1044fce0 | out: phKey=0x1044fce0*=0x10805188) returned 1 [0091.513] CryptExportKey (in: hKey=0x10805188, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1044fbdc, pdwDataLen=0x1044fcdc | out: pbData=0x1044fbdc*, pdwDataLen=0x1044fcdc*=0x2c) returned 1 [0091.513] MapViewOfFile (hFileMappingObject=0x418, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1e0) returned 0xea30000 [0091.517] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1044fbdc*, pdwDataLen=0x1044fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1044fbdc*, pdwDataLen=0x1044fcf0*=0x100) returned 1 [0091.517] CryptEncrypt (in: hKey=0x10805188, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xea30000*, pdwDataLen=0x1044fcdc*=0x1e0, dwBufLen=0x1e0 | out: pbData=0xea30000*, pdwDataLen=0x1044fcdc*=0x1e0) returned 1 [0091.517] UnmapViewOfFile (lpBaseAddress=0xea30000) returned 1 [0091.517] CloseHandle (hObject=0x418) returned 1 [0091.517] CryptDestroyKey (hKey=0x10805188) returned 1 [0091.517] CryptReleaseContext (hProv=0x5d0f20, dwFlags=0x0) returned 1 [0091.517] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.517] WriteFile (in: hFile=0x414, lpBuffer=0x1044fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1044fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1044fbdc*, lpNumberOfBytesWritten=0x1044fcf0*=0x100, lpOverlapped=0x0) returned 1 [0091.522] WriteFile (in: hFile=0x414, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1044fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1044fcf0*=0x500, lpOverlapped=0x0) returned 1 [0091.523] CloseHandle (hObject=0x414) returned 1 [0091.524] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0091.524] FindNextFileW (in: hFindFile=0x10805748, lpFindFileData=0x1044fd28 | out: lpFindFileData=0x1044fd28) returned 1 [0091.524] lstrcpyW (in: lpString1=0x5b30738, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" [0091.524] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned 35 [0091.524] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta" [0091.524] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\how to restore files.hta")) returned 0x1 [0091.524] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ESp7hzFp.wav") returned 1 [0091.525] lstrlenW (lpString="ESp7hzFp.wav") returned 12 [0091.525] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" [0091.525] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned 35 [0091.525] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="ESp7hzFp.wav" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\ESp7hzFp.wav") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\ESp7hzFp.wav" [0091.525] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\ESp7hzFp.wav" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\ESp7hzFp.wav") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\ESp7hzFp.wav" [0091.525] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\ESp7hzFp.wav", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\ESp7hzFp.wav id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\ESp7hzFp.wav id-Br3n0G72wUb8CejT.LyaS" [0091.525] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\ESp7hzFp.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\esp7hzfp.wav"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\ESp7hzFp.wav id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\esp7hzfp.wav id-br3n0g72wub8cejt.lyas")) returned 1 [0091.525] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\ESp7hzFp.wav id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\esp7hzfp.wav id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0091.526] CreateFileMappingA (hFile=0x414, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x418 [0091.526] CryptAcquireContextA (in: phProv=0x1044fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1044fce4*=0x5d1938) returned 1 [0091.526] CryptGenKey (in: hProv=0x5d1938, Algid=0x6610, dwFlags=0x1, phKey=0x1044fce0 | out: phKey=0x1044fce0*=0x10805248) returned 1 [0091.526] CryptExportKey (in: hKey=0x10805248, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1044fbdc, pdwDataLen=0x1044fcdc | out: pbData=0x1044fbdc*, pdwDataLen=0x1044fcdc*=0x2c) returned 1 [0091.526] MapViewOfFile (hFileMappingObject=0x418, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16240) returned 0xea30000 [0091.529] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1044fbdc*, pdwDataLen=0x1044fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1044fbdc*, pdwDataLen=0x1044fcf0*=0x100) returned 1 [0091.529] CryptEncrypt (in: hKey=0x10805248, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xea30000, pdwDataLen=0x1044fcdc*=0x16240, dwBufLen=0x16240 | out: pbData=0xea30000*, pdwDataLen=0x1044fcdc*=0x16240) returned 1 [0091.530] UnmapViewOfFile (lpBaseAddress=0xea30000) returned 1 [0091.531] CloseHandle (hObject=0x418) returned 1 [0091.531] CryptDestroyKey (hKey=0x10805248) returned 1 [0091.531] CryptReleaseContext (hProv=0x5d1938, dwFlags=0x0) returned 1 [0091.531] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.531] WriteFile (in: hFile=0x414, lpBuffer=0x1044fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1044fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1044fbdc*, lpNumberOfBytesWritten=0x1044fcf0*=0x100, lpOverlapped=0x0) returned 1 [0091.531] WriteFile (in: hFile=0x414, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1044fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1044fcf0*=0x500, lpOverlapped=0x0) returned 1 [0091.531] CloseHandle (hObject=0x414) returned 1 [0091.534] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\ESp7hzFp.wav id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0091.535] FindNextFileW (in: hFindFile=0x10805748, lpFindFileData=0x1044fd28 | out: lpFindFileData=0x1044fd28) returned 1 [0091.535] lstrcpyW (in: lpString1=0x5b30738, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" [0091.535] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned 35 [0091.535] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta" [0091.535] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\how to restore files.hta")) returned 0x1 [0091.535] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="JhZMle5-3.mp3") returned -1 [0091.536] lstrlenW (lpString="JhZMle5-3.mp3") returned 13 [0091.536] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" [0091.536] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned 35 [0091.536] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="JhZMle5-3.mp3" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\JhZMle5-3.mp3") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\JhZMle5-3.mp3" [0091.536] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\JhZMle5-3.mp3" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\JhZMle5-3.mp3") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\JhZMle5-3.mp3" [0091.536] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\JhZMle5-3.mp3", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\JhZMle5-3.mp3 id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\JhZMle5-3.mp3 id-Br3n0G72wUb8CejT.LyaS" [0091.536] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\JhZMle5-3.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\jhzmle5-3.mp3"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\JhZMle5-3.mp3 id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\jhzmle5-3.mp3 id-br3n0g72wub8cejt.lyas")) returned 1 [0091.537] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\JhZMle5-3.mp3 id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\jhzmle5-3.mp3 id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0091.537] CreateFileMappingA (hFile=0x414, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x418 [0091.537] CryptAcquireContextA (in: phProv=0x1044fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1044fce4*=0x5d17a0) returned 1 [0091.537] CryptGenKey (in: hProv=0x5d17a0, Algid=0x6610, dwFlags=0x1, phKey=0x1044fce0 | out: phKey=0x1044fce0*=0x10805548) returned 1 [0091.537] CryptExportKey (in: hKey=0x10805548, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1044fbdc, pdwDataLen=0x1044fcdc | out: pbData=0x1044fbdc*, pdwDataLen=0x1044fcdc*=0x2c) returned 1 [0091.537] MapViewOfFile (hFileMappingObject=0x418, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa3e0) returned 0xea30000 [0091.540] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1044fbdc*, pdwDataLen=0x1044fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1044fbdc*, pdwDataLen=0x1044fcf0*=0x100) returned 1 [0091.541] CryptEncrypt (in: hKey=0x10805548, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xea30000, pdwDataLen=0x1044fcdc*=0xa3e0, dwBufLen=0xa3e0 | out: pbData=0xea30000*, pdwDataLen=0x1044fcdc*=0xa3e0) returned 1 [0091.541] UnmapViewOfFile (lpBaseAddress=0xea30000) returned 1 [0091.542] CloseHandle (hObject=0x418) returned 1 [0091.542] CryptDestroyKey (hKey=0x10805548) returned 1 [0091.542] CryptReleaseContext (hProv=0x5d17a0, dwFlags=0x0) returned 1 [0091.542] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.542] WriteFile (in: hFile=0x414, lpBuffer=0x1044fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1044fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1044fbdc*, lpNumberOfBytesWritten=0x1044fcf0*=0x100, lpOverlapped=0x0) returned 1 [0091.542] WriteFile (in: hFile=0x414, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1044fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1044fcf0*=0x500, lpOverlapped=0x0) returned 1 [0091.542] CloseHandle (hObject=0x414) returned 1 [0091.544] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\JhZMle5-3.mp3 id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0091.545] FindNextFileW (in: hFindFile=0x10805748, lpFindFileData=0x1044fd28 | out: lpFindFileData=0x1044fd28) returned 1 [0091.545] lstrcpyW (in: lpString1=0x5b30738, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" [0091.545] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned 35 [0091.545] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta" [0091.545] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\how to restore files.hta")) returned 0x1 [0091.545] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="JjYoZpHYWTU.m4a") returned -1 [0091.545] lstrlenW (lpString="JjYoZpHYWTU.m4a") returned 15 [0091.545] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" [0091.545] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned 35 [0091.545] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="JjYoZpHYWTU.m4a" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\JjYoZpHYWTU.m4a") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\JjYoZpHYWTU.m4a" [0091.545] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\JjYoZpHYWTU.m4a" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\JjYoZpHYWTU.m4a") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\JjYoZpHYWTU.m4a" [0091.545] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\JjYoZpHYWTU.m4a", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\JjYoZpHYWTU.m4a id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\JjYoZpHYWTU.m4a id-Br3n0G72wUb8CejT.LyaS" [0091.546] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\JjYoZpHYWTU.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\jjyozphywtu.m4a"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\JjYoZpHYWTU.m4a id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\jjyozphywtu.m4a id-br3n0g72wub8cejt.lyas")) returned 1 [0091.546] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\JjYoZpHYWTU.m4a id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\jjyozphywtu.m4a id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0091.547] CreateFileMappingA (hFile=0x414, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x418 [0091.547] CryptAcquireContextA (in: phProv=0x1044fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1044fce4*=0x5d0f20) returned 1 [0091.547] CryptGenKey (in: hProv=0x5d0f20, Algid=0x6610, dwFlags=0x1, phKey=0x1044fce0 | out: phKey=0x1044fce0*=0x108052c8) returned 1 [0091.547] CryptExportKey (in: hKey=0x108052c8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1044fbdc, pdwDataLen=0x1044fcdc | out: pbData=0x1044fbdc*, pdwDataLen=0x1044fcdc*=0x2c) returned 1 [0091.547] MapViewOfFile (hFileMappingObject=0x418, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15ee0) returned 0xea30000 [0091.550] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1044fbdc*, pdwDataLen=0x1044fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1044fbdc*, pdwDataLen=0x1044fcf0*=0x100) returned 1 [0091.550] CryptEncrypt (in: hKey=0x108052c8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xea30000, pdwDataLen=0x1044fcdc*=0x15ee0, dwBufLen=0x15ee0 | out: pbData=0xea30000*, pdwDataLen=0x1044fcdc*=0x15ee0) returned 1 [0091.551] UnmapViewOfFile (lpBaseAddress=0xea30000) returned 1 [0091.551] CloseHandle (hObject=0x418) returned 1 [0091.552] CryptDestroyKey (hKey=0x108052c8) returned 1 [0091.552] CryptReleaseContext (hProv=0x5d0f20, dwFlags=0x0) returned 1 [0091.552] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.552] WriteFile (in: hFile=0x414, lpBuffer=0x1044fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1044fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1044fbdc*, lpNumberOfBytesWritten=0x1044fcf0*=0x100, lpOverlapped=0x0) returned 1 [0091.552] WriteFile (in: hFile=0x414, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1044fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1044fcf0*=0x500, lpOverlapped=0x0) returned 1 [0091.552] CloseHandle (hObject=0x414) returned 1 [0091.554] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\JjYoZpHYWTU.m4a id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0091.555] FindNextFileW (in: hFindFile=0x10805748, lpFindFileData=0x1044fd28 | out: lpFindFileData=0x1044fd28) returned 1 [0091.555] lstrcpyW (in: lpString1=0x5b30738, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" [0091.555] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned 35 [0091.555] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta" [0091.555] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\how to restore files.hta")) returned 0x1 [0091.555] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="K5afBvaXQ17XKw.wav") returned -1 [0091.555] lstrlenW (lpString="K5afBvaXQ17XKw.wav") returned 18 [0091.555] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" [0091.555] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned 35 [0091.555] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="K5afBvaXQ17XKw.wav" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\K5afBvaXQ17XKw.wav") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\K5afBvaXQ17XKw.wav" [0091.555] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\K5afBvaXQ17XKw.wav" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\K5afBvaXQ17XKw.wav") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\K5afBvaXQ17XKw.wav" [0091.555] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\K5afBvaXQ17XKw.wav", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\K5afBvaXQ17XKw.wav id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\K5afBvaXQ17XKw.wav id-Br3n0G72wUb8CejT.LyaS" [0091.555] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\K5afBvaXQ17XKw.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\k5afbvaxq17xkw.wav"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\K5afBvaXQ17XKw.wav id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\k5afbvaxq17xkw.wav id-br3n0g72wub8cejt.lyas")) returned 1 [0091.556] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\K5afBvaXQ17XKw.wav id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\k5afbvaxq17xkw.wav id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0091.557] CreateFileMappingA (hFile=0x414, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x418 [0091.557] CryptAcquireContextA (in: phProv=0x1044fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1044fce4*=0x5d0f20) returned 1 [0091.557] CryptGenKey (in: hProv=0x5d0f20, Algid=0x6610, dwFlags=0x1, phKey=0x1044fce0 | out: phKey=0x1044fce0*=0x10805508) returned 1 [0091.557] CryptExportKey (in: hKey=0x10805508, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1044fbdc, pdwDataLen=0x1044fcdc | out: pbData=0x1044fbdc*, pdwDataLen=0x1044fcdc*=0x2c) returned 1 [0091.557] MapViewOfFile (hFileMappingObject=0x418, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15200) returned 0xea30000 [0093.258] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1044fbdc*, pdwDataLen=0x1044fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1044fbdc*, pdwDataLen=0x1044fcf0*=0x100) returned 1 [0093.258] CryptEncrypt (in: hKey=0x10805508, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xea30000, pdwDataLen=0x1044fcdc*=0x15200, dwBufLen=0x15200 | out: pbData=0xea30000*, pdwDataLen=0x1044fcdc*=0x15200) returned 1 [0094.154] UnmapViewOfFile (lpBaseAddress=0xea30000) returned 1 [0094.155] CloseHandle (hObject=0x418) returned 1 [0094.155] CryptDestroyKey (hKey=0x10805508) returned 1 [0094.155] CryptReleaseContext (hProv=0x5d0f20, dwFlags=0x0) returned 1 [0094.155] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.155] WriteFile (in: hFile=0x414, lpBuffer=0x1044fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1044fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1044fbdc*, lpNumberOfBytesWritten=0x1044fcf0*=0x100, lpOverlapped=0x0) returned 1 [0094.448] WriteFile (in: hFile=0x414, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1044fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1044fcf0*=0x500, lpOverlapped=0x0) returned 1 [0094.448] CloseHandle (hObject=0x414) returned 1 [0094.507] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\K5afBvaXQ17XKw.wav id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0094.507] FindNextFileW (in: hFindFile=0x10805748, lpFindFileData=0x1044fd28 | out: lpFindFileData=0x1044fd28) returned 1 [0095.354] lstrcpyW (in: lpString1=0x3e1c358, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" [0095.354] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned 35 [0095.355] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta" [0095.355] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\how to restore files.hta")) returned 0x1 [0095.355] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="M0FRaonJmV.m4a") returned -1 [0095.355] lstrlenW (lpString="M0FRaonJmV.m4a") returned 14 [0095.355] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" [0095.355] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned 35 [0095.355] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="M0FRaonJmV.m4a" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\M0FRaonJmV.m4a") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\M0FRaonJmV.m4a" [0095.355] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\M0FRaonJmV.m4a" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\M0FRaonJmV.m4a") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\M0FRaonJmV.m4a" [0095.355] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\M0FRaonJmV.m4a", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\M0FRaonJmV.m4a id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\M0FRaonJmV.m4a id-Br3n0G72wUb8CejT.LyaS" [0095.355] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\M0FRaonJmV.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\m0fraonjmv.m4a"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\M0FRaonJmV.m4a id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\m0fraonjmv.m4a id-br3n0g72wub8cejt.lyas")) returned 1 [0095.436] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\M0FRaonJmV.m4a id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\m0fraonjmv.m4a id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x28c [0095.436] CreateFileMappingA (hFile=0x28c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3ec [0095.437] CryptAcquireContextA (in: phProv=0x1044fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1044fce4*=0x1083d850) returned 1 [0095.437] CryptGenKey (in: hProv=0x1083d850, Algid=0x6610, dwFlags=0x1, phKey=0x1044fce0 | out: phKey=0x1044fce0*=0x5c8c10) returned 1 [0095.437] CryptExportKey (in: hKey=0x5c8c10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1044fbdc, pdwDataLen=0x1044fcdc | out: pbData=0x1044fbdc*, pdwDataLen=0x1044fcdc*=0x2c) returned 1 [0095.437] MapViewOfFile (hFileMappingObject=0x3ec, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15860) returned 0x4dc0000 [0095.441] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1044fbdc*, pdwDataLen=0x1044fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1044fbdc*, pdwDataLen=0x1044fcf0*=0x100) returned 1 [0095.441] CryptEncrypt (in: hKey=0x5c8c10, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4dc0000, pdwDataLen=0x1044fcdc*=0x15860, dwBufLen=0x15860 | out: pbData=0x4dc0000*, pdwDataLen=0x1044fcdc*=0x15860) returned 1 [0095.442] UnmapViewOfFile (lpBaseAddress=0x4dc0000) returned 1 [0095.443] CloseHandle (hObject=0x3ec) returned 1 [0095.443] CryptDestroyKey (hKey=0x5c8c10) returned 1 [0095.443] CryptReleaseContext (hProv=0x1083d850, dwFlags=0x0) returned 1 [0095.443] SetFilePointerEx (in: hFile=0x28c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.443] WriteFile (in: hFile=0x28c, lpBuffer=0x1044fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1044fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1044fbdc*, lpNumberOfBytesWritten=0x1044fcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.443] WriteFile (in: hFile=0x28c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1044fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1044fcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.443] CloseHandle (hObject=0x28c) returned 1 [0095.451] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\M0FRaonJmV.m4a id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0095.452] FindNextFileW (in: hFindFile=0x10805748, lpFindFileData=0x1044fd28 | out: lpFindFileData=0x1044fd28) returned 1 [0095.452] lstrcpyW (in: lpString1=0x3e00338, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" [0095.452] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned 35 [0095.452] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta" [0095.452] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\how to restore files.hta")) returned 0x1 [0095.452] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="o61wIO ULs99.m4a") returned -1 [0095.452] lstrlenW (lpString="o61wIO ULs99.m4a") returned 16 [0095.452] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" [0095.452] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned 35 [0095.452] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="o61wIO ULs99.m4a" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\o61wIO ULs99.m4a") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\o61wIO ULs99.m4a" [0095.453] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\o61wIO ULs99.m4a" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\o61wIO ULs99.m4a") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\o61wIO ULs99.m4a" [0095.453] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\o61wIO ULs99.m4a", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\o61wIO ULs99.m4a id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\o61wIO ULs99.m4a id-Br3n0G72wUb8CejT.LyaS" [0095.453] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\o61wIO ULs99.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\o61wio uls99.m4a"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\o61wIO ULs99.m4a id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\o61wio uls99.m4a id-br3n0g72wub8cejt.lyas")) returned 1 [0095.453] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\o61wIO ULs99.m4a id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\o61wio uls99.m4a id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x28c [0095.454] CreateFileMappingA (hFile=0x28c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3ec [0095.455] CryptAcquireContextA (in: phProv=0x1044fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1044fce4*=0x1083cfd0) returned 1 [0095.456] CryptGenKey (in: hProv=0x1083cfd0, Algid=0x6610, dwFlags=0x1, phKey=0x1044fce0 | out: phKey=0x1044fce0*=0x5c8510) returned 1 [0095.456] CryptExportKey (in: hKey=0x5c8510, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1044fbdc, pdwDataLen=0x1044fcdc | out: pbData=0x1044fbdc*, pdwDataLen=0x1044fcdc*=0x2c) returned 1 [0095.456] MapViewOfFile (hFileMappingObject=0x3ec, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14080) returned 0x4dc0000 [0095.459] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1044fbdc*, pdwDataLen=0x1044fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1044fbdc*, pdwDataLen=0x1044fcf0*=0x100) returned 1 [0095.460] CryptEncrypt (in: hKey=0x5c8510, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4dc0000, pdwDataLen=0x1044fcdc*=0x14080, dwBufLen=0x14080 | out: pbData=0x4dc0000*, pdwDataLen=0x1044fcdc*=0x14080) returned 1 [0095.460] UnmapViewOfFile (lpBaseAddress=0x4dc0000) returned 1 [0095.461] CloseHandle (hObject=0x3ec) returned 1 [0095.461] CryptDestroyKey (hKey=0x5c8510) returned 1 [0095.461] CryptReleaseContext (hProv=0x1083cfd0, dwFlags=0x0) returned 1 [0095.461] SetFilePointerEx (in: hFile=0x28c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.461] WriteFile (in: hFile=0x28c, lpBuffer=0x1044fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1044fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1044fbdc*, lpNumberOfBytesWritten=0x1044fcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.461] WriteFile (in: hFile=0x28c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1044fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1044fcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.462] CloseHandle (hObject=0x28c) returned 1 [0095.495] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\o61wIO ULs99.m4a id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0095.495] FindNextFileW (in: hFindFile=0x10805748, lpFindFileData=0x1044fd28 | out: lpFindFileData=0x1044fd28) returned 1 [0095.495] lstrcpyW (in: lpString1=0x3e00338, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" [0095.496] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned 35 [0095.496] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta" [0095.496] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\how to restore files.hta")) returned 0x1 [0095.496] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="rR19YSzpNWbN5JSMbg.mp3") returned -1 [0095.496] lstrlenW (lpString="rR19YSzpNWbN5JSMbg.mp3") returned 22 [0095.496] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" [0095.496] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned 35 [0095.496] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="rR19YSzpNWbN5JSMbg.mp3" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\rR19YSzpNWbN5JSMbg.mp3") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\rR19YSzpNWbN5JSMbg.mp3" [0095.496] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\rR19YSzpNWbN5JSMbg.mp3" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\rR19YSzpNWbN5JSMbg.mp3") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\rR19YSzpNWbN5JSMbg.mp3" [0095.496] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\rR19YSzpNWbN5JSMbg.mp3", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\rR19YSzpNWbN5JSMbg.mp3 id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\rR19YSzpNWbN5JSMbg.mp3 id-Br3n0G72wUb8CejT.LyaS" [0095.496] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\rR19YSzpNWbN5JSMbg.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\rr19yszpnwbn5jsmbg.mp3"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\rR19YSzpNWbN5JSMbg.mp3 id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\rr19yszpnwbn5jsmbg.mp3 id-br3n0g72wub8cejt.lyas")) returned 1 [0095.497] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\rR19YSzpNWbN5JSMbg.mp3 id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\rr19yszpnwbn5jsmbg.mp3 id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x28c [0095.497] CreateFileMappingA (hFile=0x28c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x454 [0095.497] CryptAcquireContextA (in: phProv=0x1044fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1044fce4*=0x1083d520) returned 1 [0095.498] CryptGenKey (in: hProv=0x1083d520, Algid=0x6610, dwFlags=0x1, phKey=0x1044fce0 | out: phKey=0x1044fce0*=0x5c9310) returned 1 [0095.498] CryptExportKey (in: hKey=0x5c9310, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1044fbdc, pdwDataLen=0x1044fcdc | out: pbData=0x1044fbdc*, pdwDataLen=0x1044fcdc*=0x2c) returned 1 [0095.498] MapViewOfFile (hFileMappingObject=0x454, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1f20) returned 0x4dd0000 [0095.502] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1044fbdc*, pdwDataLen=0x1044fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1044fbdc*, pdwDataLen=0x1044fcf0*=0x100) returned 1 [0095.502] CryptEncrypt (in: hKey=0x5c9310, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4dd0000*, pdwDataLen=0x1044fcdc*=0x1f20, dwBufLen=0x1f20 | out: pbData=0x4dd0000*, pdwDataLen=0x1044fcdc*=0x1f20) returned 1 [0095.503] UnmapViewOfFile (lpBaseAddress=0x4dd0000) returned 1 [0095.503] CloseHandle (hObject=0x454) returned 1 [0095.503] CryptDestroyKey (hKey=0x5c9310) returned 1 [0095.503] CryptReleaseContext (hProv=0x1083d520, dwFlags=0x0) returned 1 [0095.503] SetFilePointerEx (in: hFile=0x28c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.503] WriteFile (in: hFile=0x28c, lpBuffer=0x1044fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1044fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1044fbdc*, lpNumberOfBytesWritten=0x1044fcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.504] WriteFile (in: hFile=0x28c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1044fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1044fcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.504] CloseHandle (hObject=0x28c) returned 1 [0095.507] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\rR19YSzpNWbN5JSMbg.mp3 id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0095.507] FindNextFileW (in: hFindFile=0x10805748, lpFindFileData=0x1044fd28 | out: lpFindFileData=0x1044fd28) returned 1 [0095.508] lstrcpyW (in: lpString1=0x3e00338, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" [0095.508] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned 35 [0095.508] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta" [0095.508] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\how to restore files.hta")) returned 0x1 [0095.508] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="SlQRk7s3j8.mp3") returned -1 [0095.508] lstrlenW (lpString="SlQRk7s3j8.mp3") returned 14 [0095.508] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" [0095.508] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned 35 [0095.508] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="SlQRk7s3j8.mp3" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\SlQRk7s3j8.mp3") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\SlQRk7s3j8.mp3" [0095.508] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\SlQRk7s3j8.mp3" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\SlQRk7s3j8.mp3") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\SlQRk7s3j8.mp3" [0095.508] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\SlQRk7s3j8.mp3", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\SlQRk7s3j8.mp3 id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\SlQRk7s3j8.mp3 id-Br3n0G72wUb8CejT.LyaS" [0095.508] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\SlQRk7s3j8.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\slqrk7s3j8.mp3"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\SlQRk7s3j8.mp3 id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\slqrk7s3j8.mp3 id-br3n0g72wub8cejt.lyas")) returned 1 [0095.510] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\SlQRk7s3j8.mp3 id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\slqrk7s3j8.mp3 id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x28c [0095.510] CreateFileMappingA (hFile=0x28c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x454 [0095.510] CryptAcquireContextA (in: phProv=0x1044fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1044fce4*=0x1083d9e8) returned 1 [0095.511] CryptGenKey (in: hProv=0x1083d9e8, Algid=0x6610, dwFlags=0x1, phKey=0x1044fce0 | out: phKey=0x1044fce0*=0x5c8f10) returned 1 [0095.511] CryptExportKey (in: hKey=0x5c8f10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1044fbdc, pdwDataLen=0x1044fcdc | out: pbData=0x1044fbdc*, pdwDataLen=0x1044fcdc*=0x2c) returned 1 [0095.511] MapViewOfFile (hFileMappingObject=0x454, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13f80) returned 0x4dd0000 [0095.516] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1044fbdc*, pdwDataLen=0x1044fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1044fbdc*, pdwDataLen=0x1044fcf0*=0x100) returned 1 [0095.516] CryptEncrypt (in: hKey=0x5c8f10, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4dd0000, pdwDataLen=0x1044fcdc*=0x13f80, dwBufLen=0x13f80 | out: pbData=0x4dd0000*, pdwDataLen=0x1044fcdc*=0x13f80) returned 1 [0095.517] UnmapViewOfFile (lpBaseAddress=0x4dd0000) returned 1 [0095.518] CloseHandle (hObject=0x454) returned 1 [0095.518] CryptDestroyKey (hKey=0x5c8f10) returned 1 [0095.518] CryptReleaseContext (hProv=0x1083d9e8, dwFlags=0x0) returned 1 [0095.518] SetFilePointerEx (in: hFile=0x28c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.518] WriteFile (in: hFile=0x28c, lpBuffer=0x1044fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1044fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1044fbdc*, lpNumberOfBytesWritten=0x1044fcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.518] WriteFile (in: hFile=0x28c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1044fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1044fcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.518] CloseHandle (hObject=0x28c) returned 1 [0095.521] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\SlQRk7s3j8.mp3 id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0095.522] FindNextFileW (in: hFindFile=0x10805748, lpFindFileData=0x1044fd28 | out: lpFindFileData=0x1044fd28) returned 1 [0095.522] lstrcpyW (in: lpString1=0x3e00338, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" [0095.522] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned 35 [0095.522] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta" [0095.522] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\how to restore files.hta")) returned 0x1 [0095.523] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="uV1Z3 xAZ39J3T.wav") returned -1 [0095.523] lstrlenW (lpString="uV1Z3 xAZ39J3T.wav") returned 18 [0095.523] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*" [0095.523] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\*.*") returned 35 [0095.523] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="uV1Z3 xAZ39J3T.wav" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\uV1Z3 xAZ39J3T.wav") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\uV1Z3 xAZ39J3T.wav" [0095.523] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\uV1Z3 xAZ39J3T.wav" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\uV1Z3 xAZ39J3T.wav") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\uV1Z3 xAZ39J3T.wav" [0095.523] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\uV1Z3 xAZ39J3T.wav", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\uV1Z3 xAZ39J3T.wav id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\uV1Z3 xAZ39J3T.wav id-Br3n0G72wUb8CejT.LyaS" [0095.523] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\uV1Z3 xAZ39J3T.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\uv1z3 xaz39j3t.wav"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\uV1Z3 xAZ39J3T.wav id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\uv1z3 xaz39j3t.wav id-br3n0g72wub8cejt.lyas")) returned 1 [0095.524] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\uV1Z3 xAZ39J3T.wav id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\uv1z3 xaz39j3t.wav id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0096.357] CreateFileMappingA (hFile=0x470, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4ac [0096.357] CryptAcquireContextA (in: phProv=0x1044fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1044fce4*=0x1083d520) returned 1 [0096.358] CryptGenKey (in: hProv=0x1083d520, Algid=0x6610, dwFlags=0x1, phKey=0x1044fce0 | out: phKey=0x1044fce0*=0x5c8dd0) returned 1 [0096.358] CryptExportKey (in: hKey=0x5c8dd0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1044fbdc, pdwDataLen=0x1044fcdc | out: pbData=0x1044fbdc*, pdwDataLen=0x1044fcdc*=0x2c) returned 1 [0096.358] MapViewOfFile (hFileMappingObject=0x4ac, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xbc60) returned 0x30c0000 [0096.362] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1044fbdc*, pdwDataLen=0x1044fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1044fbdc*, pdwDataLen=0x1044fcf0*=0x100) returned 1 [0096.363] CryptEncrypt (in: hKey=0x5c8dd0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30c0000, pdwDataLen=0x1044fcdc*=0xbc60, dwBufLen=0xbc60 | out: pbData=0x30c0000*, pdwDataLen=0x1044fcdc*=0xbc60) returned 1 [0096.363] UnmapViewOfFile (lpBaseAddress=0x30c0000) returned 1 [0096.364] CloseHandle (hObject=0x4ac) returned 1 [0096.364] CryptDestroyKey (hKey=0x5c8dd0) returned 1 [0096.364] CryptReleaseContext (hProv=0x1083d520, dwFlags=0x0) returned 1 [0096.364] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.364] WriteFile (in: hFile=0x470, lpBuffer=0x1044fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1044fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1044fbdc*, lpNumberOfBytesWritten=0x1044fcf0*=0x100, lpOverlapped=0x0) returned 1 [0096.612] WriteFile (in: hFile=0x470, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1044fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1044fcf0*=0x500, lpOverlapped=0x0) returned 1 [0096.612] CloseHandle (hObject=0x470) returned 1 [0096.614] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\uV1Z3 xAZ39J3T.wav id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0096.615] FindNextFileW (in: hFindFile=0x10805748, lpFindFileData=0x1044fd28 | out: lpFindFileData=0x1044fd28) returned 0 [0096.615] FindClose (in: hFindFile=0x10805748 | out: hFindFile=0x10805748) returned 1 Thread: id = 234 os_tid = 0xa6c [0091.571] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\My Documents\\*.*", lpFindFileData=0x1058fd28 | out: lpFindFileData=0x1058fd28) returned 0xffffffff Thread: id = 235 os_tid = 0xa70 [0091.572] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\NetHood\\*.*", lpFindFileData=0x1169fd28 | out: lpFindFileData=0x1169fd28) returned 0xffffffff Thread: id = 236 os_tid = 0x710 [0091.574] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\*.*", lpFindFileData=0x117dfd28 | out: lpFindFileData=0x117dfd28) returned 0x10805788 [0091.574] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.574] FindNextFileW (in: hFindFile=0x10805788, lpFindFileData=0x117dfd28 | out: lpFindFileData=0x117dfd28) returned 1 [0091.574] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.574] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.574] FindNextFileW (in: hFindFile=0x10805788, lpFindFileData=0x117dfd28 | out: lpFindFileData=0x117dfd28) returned 1 [0091.574] lstrcpyW (in: lpString1=0x5b30738, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\*.*" [0091.574] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\*.*") returned 38 [0091.574] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\How To Restore Files.hta" [0091.574] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\onedrive\\how to restore files.hta")) returned 0xffffffff [0091.574] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\onedrive\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x41c [0091.575] WriteFile (in: hFile=0x41c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x117dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x117dfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0091.576] CloseHandle (hObject=0x41c) returned 1 [0091.576] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0091.576] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="desktop.ini") returned 1 [0091.576] lstrlenW (lpString="desktop.ini") returned 11 [0091.577] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\*.*" [0091.577] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\*.*") returned 38 [0091.577] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini" [0091.577] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini" [0091.577] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" [0091.577] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\onedrive\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\onedrive\\desktop.ini id-br3n0g72wub8cejt.lyas")) returned 1 [0091.577] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\onedrive\\desktop.ini id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x41c [0091.577] CreateFileMappingA (hFile=0x41c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x420 [0091.578] CryptAcquireContextA (in: phProv=0x117dfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x117dfce4*=0x5d12d8) returned 1 [0091.578] CryptGenKey (in: hProv=0x5d12d8, Algid=0x6610, dwFlags=0x1, phKey=0x117dfce0 | out: phKey=0x117dfce0*=0x108052c8) returned 1 [0091.578] CryptExportKey (in: hKey=0x108052c8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x117dfbdc, pdwDataLen=0x117dfcdc | out: pbData=0x117dfbdc*, pdwDataLen=0x117dfcdc*=0x2c) returned 1 [0091.578] MapViewOfFile (hFileMappingObject=0x420, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x60) returned 0xd8d0000 [0091.581] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x117dfbdc*, pdwDataLen=0x117dfcf0*=0x40, dwBufLen=0x100 | out: pbData=0x117dfbdc*, pdwDataLen=0x117dfcf0*=0x100) returned 1 [0091.581] CryptEncrypt (in: hKey=0x108052c8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xd8d0000*, pdwDataLen=0x117dfcdc*=0x60, dwBufLen=0x60 | out: pbData=0xd8d0000*, pdwDataLen=0x117dfcdc*=0x60) returned 1 [0091.581] UnmapViewOfFile (lpBaseAddress=0xd8d0000) returned 1 [0091.581] CloseHandle (hObject=0x420) returned 1 [0091.582] CryptDestroyKey (hKey=0x108052c8) returned 1 [0091.582] CryptReleaseContext (hProv=0x5d12d8, dwFlags=0x0) returned 1 [0091.582] SetFilePointerEx (in: hFile=0x41c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.582] WriteFile (in: hFile=0x41c, lpBuffer=0x117dfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x117dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x117dfbdc*, lpNumberOfBytesWritten=0x117dfcf0*=0x100, lpOverlapped=0x0) returned 1 [0091.582] WriteFile (in: hFile=0x41c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x117dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x117dfcf0*=0x500, lpOverlapped=0x0) returned 1 [0091.755] CloseHandle (hObject=0x41c) returned 1 [0091.756] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0091.757] FindNextFileW (in: hFindFile=0x10805788, lpFindFileData=0x117dfd28 | out: lpFindFileData=0x117dfd28) returned 0 [0091.757] FindClose (in: hFindFile=0x10805788 | out: hFindFile=0x10805788) returned 1 Thread: id = 237 os_tid = 0xa8c [0091.587] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*", lpFindFileData=0x1191fd28 | out: lpFindFileData=0x1191fd28) returned 0x108057c8 [0091.587] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.587] FindNextFileW (in: hFindFile=0x108057c8, lpFindFileData=0x1191fd28 | out: lpFindFileData=0x1191fd28) returned 1 [0091.587] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.587] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.587] FindNextFileW (in: hFindFile=0x108057c8, lpFindFileData=0x1191fd28 | out: lpFindFileData=0x1191fd28) returned 1 [0091.587] lstrcpyW (in: lpString1=0x5b30738, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" [0091.587] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned 38 [0091.587] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\How To Restore Files.hta" [0091.587] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\how to restore files.hta")) returned 0xffffffff [0091.587] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0091.758] WriteFile (in: hFile=0x3c0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1191fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1191fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0091.759] CloseHandle (hObject=0x3c0) returned 1 [0091.759] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0091.760] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="6VPPhG1IT3F2Zg-.bmp") returned 1 [0091.760] lstrlenW (lpString="6VPPhG1IT3F2Zg-.bmp") returned 19 [0091.760] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" [0091.760] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned 38 [0091.760] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="6VPPhG1IT3F2Zg-.bmp" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\6VPPhG1IT3F2Zg-.bmp") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\6VPPhG1IT3F2Zg-.bmp" [0091.760] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\6VPPhG1IT3F2Zg-.bmp" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\6VPPhG1IT3F2Zg-.bmp") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\6VPPhG1IT3F2Zg-.bmp" [0091.760] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\6VPPhG1IT3F2Zg-.bmp", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\6VPPhG1IT3F2Zg-.bmp id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\6VPPhG1IT3F2Zg-.bmp id-Br3n0G72wUb8CejT.LyaS" [0091.760] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\6VPPhG1IT3F2Zg-.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\6vpphg1it3f2zg-.bmp"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\6VPPhG1IT3F2Zg-.bmp id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\6vpphg1it3f2zg-.bmp id-br3n0g72wub8cejt.lyas")) returned 1 [0091.760] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\6VPPhG1IT3F2Zg-.bmp id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\6vpphg1it3f2zg-.bmp id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0091.761] CreateFileMappingA (hFile=0x3c0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x41c [0091.761] CryptAcquireContextA (in: phProv=0x1191fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1191fce4*=0x5d14f8) returned 1 [0091.761] CryptGenKey (in: hProv=0x5d14f8, Algid=0x6610, dwFlags=0x1, phKey=0x1191fce0 | out: phKey=0x1191fce0*=0x108054c8) returned 1 [0091.761] CryptExportKey (in: hKey=0x108054c8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1191fbdc, pdwDataLen=0x1191fcdc | out: pbData=0x1191fbdc*, pdwDataLen=0x1191fcdc*=0x2c) returned 1 [0091.761] MapViewOfFile (hFileMappingObject=0x41c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14120) returned 0x11660000 [0091.764] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1191fbdc*, pdwDataLen=0x1191fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1191fbdc*, pdwDataLen=0x1191fcf0*=0x100) returned 1 [0091.764] CryptEncrypt (in: hKey=0x108054c8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x11660000, pdwDataLen=0x1191fcdc*=0x14120, dwBufLen=0x14120 | out: pbData=0x11660000*, pdwDataLen=0x1191fcdc*=0x14120) returned 1 [0091.765] UnmapViewOfFile (lpBaseAddress=0x11660000) returned 1 [0091.765] CloseHandle (hObject=0x41c) returned 1 [0091.765] CryptDestroyKey (hKey=0x108054c8) returned 1 [0091.766] CryptReleaseContext (hProv=0x5d14f8, dwFlags=0x0) returned 1 [0091.766] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.766] WriteFile (in: hFile=0x3c0, lpBuffer=0x1191fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1191fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1191fbdc*, lpNumberOfBytesWritten=0x1191fcf0*=0x100, lpOverlapped=0x0) returned 1 [0091.766] WriteFile (in: hFile=0x3c0, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1191fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1191fcf0*=0x500, lpOverlapped=0x0) returned 1 [0091.766] CloseHandle (hObject=0x3c0) returned 1 [0091.768] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\6VPPhG1IT3F2Zg-.bmp id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0091.768] FindNextFileW (in: hFindFile=0x108057c8, lpFindFileData=0x1191fd28 | out: lpFindFileData=0x1191fd28) returned 1 [0091.769] lstrcmpW (lpString1=".", lpString2="Camera Roll") returned -1 [0091.769] lstrcmpW (lpString1="..", lpString2="Camera Roll") returned -1 [0091.769] lstrcmpiW (lpString1="windows", lpString2="Camera Roll") returned 1 [0091.769] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" [0091.769] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned 38 [0091.769] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="Camera Roll" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll" [0091.769] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\*.*" [0091.769] GlobalMemoryStatus (in: lpBuffer=0x1191fd08 | out: lpBuffer=0x1191fd08) [0091.769] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x105a80b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3c0 [0091.770] CloseHandle (hObject=0x3c0) returned 1 [0091.770] FindNextFileW (in: hFindFile=0x108057c8, lpFindFileData=0x1191fd28 | out: lpFindFileData=0x1191fd28) returned 1 [0091.770] lstrcpyW (in: lpString1=0x5b30738, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" [0091.770] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned 38 [0091.770] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\How To Restore Files.hta" [0091.770] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\how to restore files.hta")) returned 0x1 [0091.770] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="desktop.ini") returned 1 [0091.770] lstrlenW (lpString="desktop.ini") returned 11 [0091.770] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" [0091.770] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned 38 [0091.770] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini" [0091.770] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini" [0091.770] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" [0091.770] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\desktop.ini id-br3n0g72wub8cejt.lyas")) returned 1 [0091.771] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\desktop.ini id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0091.771] CreateFileMappingA (hFile=0x3c0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x41c [0091.771] CryptAcquireContextA (in: phProv=0x1191fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1191fce4*=0x5d13e8) returned 1 [0091.772] CryptGenKey (in: hProv=0x5d13e8, Algid=0x6610, dwFlags=0x1, phKey=0x1191fce0 | out: phKey=0x1191fce0*=0x10805348) returned 1 [0091.772] CryptExportKey (in: hKey=0x10805348, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1191fbdc, pdwDataLen=0x1191fcdc | out: pbData=0x1191fbdc*, pdwDataLen=0x1191fcdc*=0x2c) returned 1 [0091.772] MapViewOfFile (hFileMappingObject=0x41c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1e0) returned 0x117a0000 [0091.776] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1191fbdc*, pdwDataLen=0x1191fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1191fbdc*, pdwDataLen=0x1191fcf0*=0x100) returned 1 [0091.777] CryptEncrypt (in: hKey=0x10805348, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x117a0000*, pdwDataLen=0x1191fcdc*=0x1e0, dwBufLen=0x1e0 | out: pbData=0x117a0000*, pdwDataLen=0x1191fcdc*=0x1e0) returned 1 [0091.777] UnmapViewOfFile (lpBaseAddress=0x117a0000) returned 1 [0091.777] CloseHandle (hObject=0x41c) returned 1 [0091.777] CryptDestroyKey (hKey=0x10805348) returned 1 [0091.777] CryptReleaseContext (hProv=0x5d13e8, dwFlags=0x0) returned 1 [0091.777] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.777] WriteFile (in: hFile=0x3c0, lpBuffer=0x1191fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1191fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1191fbdc*, lpNumberOfBytesWritten=0x1191fcf0*=0x100, lpOverlapped=0x0) returned 1 [0091.886] WriteFile (in: hFile=0x3c0, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1191fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1191fcf0*=0x500, lpOverlapped=0x0) returned 1 [0091.886] CloseHandle (hObject=0x3c0) returned 1 [0091.887] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0092.022] FindNextFileW (in: hFindFile=0x108057c8, lpFindFileData=0x1191fd28 | out: lpFindFileData=0x1191fd28) returned 1 [0092.023] lstrcpyW (in: lpString1=0x66cf80, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" [0092.023] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned 38 [0092.023] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\How To Restore Files.hta" [0092.023] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\how to restore files.hta")) returned 0x1 [0092.023] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="LGn3zp_fF2XhsytW9iY.png") returned -1 [0092.023] lstrlenW (lpString="LGn3zp_fF2XhsytW9iY.png") returned 23 [0092.023] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" [0092.023] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned 38 [0092.023] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="LGn3zp_fF2XhsytW9iY.png" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\LGn3zp_fF2XhsytW9iY.png") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\LGn3zp_fF2XhsytW9iY.png" [0092.023] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\LGn3zp_fF2XhsytW9iY.png" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\LGn3zp_fF2XhsytW9iY.png") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\LGn3zp_fF2XhsytW9iY.png" [0092.023] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\LGn3zp_fF2XhsytW9iY.png", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\LGn3zp_fF2XhsytW9iY.png id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\LGn3zp_fF2XhsytW9iY.png id-Br3n0G72wUb8CejT.LyaS" [0092.023] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\LGn3zp_fF2XhsytW9iY.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\lgn3zp_ff2xhsytw9iy.png"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\LGn3zp_fF2XhsytW9iY.png id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\lgn3zp_ff2xhsytw9iy.png id-br3n0g72wub8cejt.lyas")) returned 1 [0092.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\LGn3zp_fF2XhsytW9iY.png id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\lgn3zp_ff2xhsytw9iy.png id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b0 [0092.024] CreateFileMappingA (hFile=0x4b0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4b4 [0092.024] CryptAcquireContextA (in: phProv=0x1191fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1191fce4*=0x5d19c0) returned 1 [0092.025] CryptGenKey (in: hProv=0x5d19c0, Algid=0x6610, dwFlags=0x1, phKey=0x1191fce0 | out: phKey=0x1191fce0*=0x10804988) returned 1 [0092.025] CryptExportKey (in: hKey=0x10804988, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1191fbdc, pdwDataLen=0x1191fcdc | out: pbData=0x1191fbdc*, pdwDataLen=0x1191fcdc*=0x2c) returned 1 [0092.025] MapViewOfFile (hFileMappingObject=0x4b4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa180) returned 0x5210000 [0092.027] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1191fbdc*, pdwDataLen=0x1191fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1191fbdc*, pdwDataLen=0x1191fcf0*=0x100) returned 1 [0092.027] CryptEncrypt (in: hKey=0x10804988, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x5210000, pdwDataLen=0x1191fcdc*=0xa180, dwBufLen=0xa180 | out: pbData=0x5210000*, pdwDataLen=0x1191fcdc*=0xa180) returned 1 [0092.027] UnmapViewOfFile (lpBaseAddress=0x5210000) returned 1 [0092.028] CloseHandle (hObject=0x4b4) returned 1 [0092.028] CryptDestroyKey (hKey=0x10804988) returned 1 [0092.028] CryptReleaseContext (hProv=0x5d19c0, dwFlags=0x0) returned 1 [0092.028] SetFilePointerEx (in: hFile=0x4b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.028] WriteFile (in: hFile=0x4b0, lpBuffer=0x1191fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1191fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1191fbdc*, lpNumberOfBytesWritten=0x1191fcf0*=0x100, lpOverlapped=0x0) returned 1 [0092.028] WriteFile (in: hFile=0x4b0, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1191fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1191fcf0*=0x500, lpOverlapped=0x0) returned 1 [0092.029] CloseHandle (hObject=0x4b0) returned 1 [0092.037] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\LGn3zp_fF2XhsytW9iY.png id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0092.038] FindNextFileW (in: hFindFile=0x108057c8, lpFindFileData=0x1191fd28 | out: lpFindFileData=0x1191fd28) returned 1 [0092.038] lstrcmpW (lpString1=".", lpString2="Saved Pictures") returned -1 [0092.038] lstrcmpW (lpString1="..", lpString2="Saved Pictures") returned -1 [0092.038] lstrcmpiW (lpString1="windows", lpString2="Saved Pictures") returned 1 [0092.040] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" [0092.040] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned 38 [0092.040] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="Saved Pictures" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures" [0092.041] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\*.*" [0092.041] GlobalMemoryStatus (in: lpBuffer=0x1191fd08 | out: lpBuffer=0x1191fd08) [0092.041] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x112bb4a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4b0 [0092.041] CloseHandle (hObject=0x4b0) returned 1 [0092.041] FindNextFileW (in: hFindFile=0x108057c8, lpFindFileData=0x1191fd28 | out: lpFindFileData=0x1191fd28) returned 1 [0092.041] lstrcmpW (lpString1=".", lpString2="SKWQ hcEu5") returned -1 [0092.041] lstrcmpW (lpString1="..", lpString2="SKWQ hcEu5") returned -1 [0092.041] lstrcmpiW (lpString1="windows", lpString2="SKWQ hcEu5") returned 1 [0092.044] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" [0092.044] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned 38 [0092.044] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="SKWQ hcEu5" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5" [0092.044] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\*.*" [0092.044] GlobalMemoryStatus (in: lpBuffer=0x1191fd08 | out: lpBuffer=0x1191fd08) [0092.044] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x112d3508, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4b0 [0092.045] CloseHandle (hObject=0x4b0) returned 1 [0092.045] FindNextFileW (in: hFindFile=0x108057c8, lpFindFileData=0x1191fd28 | out: lpFindFileData=0x1191fd28) returned 1 [0092.045] lstrcpyW (in: lpString1=0x66cf80, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" [0092.045] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned 38 [0092.045] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\How To Restore Files.hta" [0092.045] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\how to restore files.hta")) returned 0x1 [0092.045] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="sm_xgLw3u40OkI.jpg") returned -1 [0092.046] lstrlenW (lpString="sm_xgLw3u40OkI.jpg") returned 18 [0092.046] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" [0092.046] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned 38 [0092.046] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="sm_xgLw3u40OkI.jpg" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\sm_xgLw3u40OkI.jpg") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\sm_xgLw3u40OkI.jpg" [0092.046] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\sm_xgLw3u40OkI.jpg" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\sm_xgLw3u40OkI.jpg") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\sm_xgLw3u40OkI.jpg" [0092.046] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\sm_xgLw3u40OkI.jpg", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\sm_xgLw3u40OkI.jpg id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\sm_xgLw3u40OkI.jpg id-Br3n0G72wUb8CejT.LyaS" [0092.046] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\sm_xgLw3u40OkI.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\sm_xglw3u40oki.jpg"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\sm_xgLw3u40OkI.jpg id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\sm_xglw3u40oki.jpg id-br3n0g72wub8cejt.lyas")) returned 1 [0092.046] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\sm_xgLw3u40OkI.jpg id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\sm_xglw3u40oki.jpg id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b0 [0092.047] CreateFileMappingA (hFile=0x4b0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4b4 [0092.047] CryptAcquireContextA (in: phProv=0x1191fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1191fce4*=0x5d19c0) returned 1 [0092.048] CryptGenKey (in: hProv=0x5d19c0, Algid=0x6610, dwFlags=0x1, phKey=0x1191fce0 | out: phKey=0x1191fce0*=0x10804e48) returned 1 [0092.048] CryptExportKey (in: hKey=0x10804e48, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1191fbdc, pdwDataLen=0x1191fcdc | out: pbData=0x1191fbdc*, pdwDataLen=0x1191fcdc*=0x2c) returned 1 [0092.048] MapViewOfFile (hFileMappingObject=0x4b4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16da0) returned 0x5710000 [0092.050] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1191fbdc*, pdwDataLen=0x1191fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1191fbdc*, pdwDataLen=0x1191fcf0*=0x100) returned 1 [0092.050] CryptEncrypt (in: hKey=0x10804e48, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x5710000, pdwDataLen=0x1191fcdc*=0x16da0, dwBufLen=0x16da0 | out: pbData=0x5710000*, pdwDataLen=0x1191fcdc*=0x16da0) returned 1 [0092.051] UnmapViewOfFile (lpBaseAddress=0x5710000) returned 1 [0092.051] CloseHandle (hObject=0x4b4) returned 1 [0092.051] CryptDestroyKey (hKey=0x10804e48) returned 1 [0092.052] CryptReleaseContext (hProv=0x5d19c0, dwFlags=0x0) returned 1 [0092.052] SetFilePointerEx (in: hFile=0x4b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.052] WriteFile (in: hFile=0x4b0, lpBuffer=0x1191fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1191fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1191fbdc*, lpNumberOfBytesWritten=0x1191fcf0*=0x100, lpOverlapped=0x0) returned 1 [0092.052] WriteFile (in: hFile=0x4b0, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1191fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1191fcf0*=0x500, lpOverlapped=0x0) returned 1 [0092.052] CloseHandle (hObject=0x4b0) returned 1 [0092.054] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\sm_xgLw3u40OkI.jpg id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0092.055] FindNextFileW (in: hFindFile=0x108057c8, lpFindFileData=0x1191fd28 | out: lpFindFileData=0x1191fd28) returned 1 [0092.055] lstrcmpW (lpString1=".", lpString2="u8JA") returned -1 [0092.055] lstrcmpW (lpString1="..", lpString2="u8JA") returned -1 [0092.055] lstrcmpiW (lpString1="windows", lpString2="u8JA") returned 1 [0092.058] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*" [0092.058] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*.*") returned 38 [0092.058] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="u8JA" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\u8JA") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\u8JA" [0092.058] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\u8JA", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\u8JA\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\u8JA\\*.*" [0092.058] GlobalMemoryStatus (in: lpBuffer=0x1191fd08 | out: lpBuffer=0x1191fd08) [0092.058] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x112eb570, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4b0 [0092.058] CloseHandle (hObject=0x4b0) returned 1 [0092.058] FindNextFileW (in: hFindFile=0x108057c8, lpFindFileData=0x1191fd28 | out: lpFindFileData=0x1191fd28) returned 0 [0092.058] FindClose (in: hFindFile=0x108057c8 | out: hFindFile=0x108057c8) returned 1 Thread: id = 238 os_tid = 0x414 [0091.588] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\*.*", lpFindFileData=0x11a5fd28 | out: lpFindFileData=0x11a5fd28) returned 0xffffffff Thread: id = 239 os_tid = 0x9ec [0091.600] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Recent\\*.*", lpFindFileData=0x11b9fd28 | out: lpFindFileData=0x11b9fd28) returned 0xffffffff Thread: id = 240 os_tid = 0x804 [0091.601] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\*.*", lpFindFileData=0x11cdfd28 | out: lpFindFileData=0x11cdfd28) returned 0x10805908 [0091.615] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.615] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x11cdfd28 | out: lpFindFileData=0x11cdfd28) returned 1 [0091.615] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.615] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.615] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x11cdfd28 | out: lpFindFileData=0x11cdfd28) returned 1 [0091.615] lstrcpyW (in: lpString1=0x5d78fe0, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\*.*" [0091.615] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\*.*") returned 41 [0091.615] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\How To Restore Files.hta" [0091.615] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\saved games\\how to restore files.hta")) returned 0xffffffff [0091.615] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\saved games\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0091.843] WriteFile (in: hFile=0x46c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x11cdfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x11cdfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0091.844] CloseHandle (hObject=0x46c) returned 1 [0091.845] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0091.845] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="desktop.ini") returned 1 [0091.845] lstrlenW (lpString="desktop.ini") returned 11 [0091.845] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\*.*" [0091.845] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\*.*") returned 41 [0091.845] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini" [0091.845] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini" [0091.845] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" [0091.845] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\saved games\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\saved games\\desktop.ini id-br3n0g72wub8cejt.lyas")) returned 1 [0091.846] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\saved games\\desktop.ini id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0091.846] CreateFileMappingA (hFile=0x46c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x470 [0091.847] CryptAcquireContextA (in: phProv=0x11cdfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x11cdfce4*=0x5d14f8) returned 1 [0091.848] CryptGenKey (in: hProv=0x5d14f8, Algid=0x6610, dwFlags=0x1, phKey=0x11cdfce0 | out: phKey=0x11cdfce0*=0x10805548) returned 1 [0091.848] CryptExportKey (in: hKey=0x10805548, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x11cdfbdc, pdwDataLen=0x11cdfcdc | out: pbData=0x11cdfbdc*, pdwDataLen=0x11cdfcdc*=0x2c) returned 1 [0091.848] MapViewOfFile (hFileMappingObject=0x470, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100) returned 0x11b70000 [0091.854] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x11cdfbdc*, pdwDataLen=0x11cdfcf0*=0x40, dwBufLen=0x100 | out: pbData=0x11cdfbdc*, pdwDataLen=0x11cdfcf0*=0x100) returned 1 [0091.855] CryptEncrypt (in: hKey=0x10805548, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x11b70000*, pdwDataLen=0x11cdfcdc*=0x100, dwBufLen=0x100 | out: pbData=0x11b70000*, pdwDataLen=0x11cdfcdc*=0x100) returned 1 [0091.855] UnmapViewOfFile (lpBaseAddress=0x11b70000) returned 1 [0091.855] CloseHandle (hObject=0x470) returned 1 [0091.855] CryptDestroyKey (hKey=0x10805548) returned 1 [0091.855] CryptReleaseContext (hProv=0x5d14f8, dwFlags=0x0) returned 1 [0091.855] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.856] WriteFile (in: hFile=0x46c, lpBuffer=0x11cdfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x11cdfcf0, lpOverlapped=0x0 | out: lpBuffer=0x11cdfbdc*, lpNumberOfBytesWritten=0x11cdfcf0*=0x100, lpOverlapped=0x0) returned 1 [0091.858] WriteFile (in: hFile=0x46c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x11cdfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x11cdfcf0*=0x500, lpOverlapped=0x0) returned 1 [0091.904] CloseHandle (hObject=0x46c) returned 1 [0091.911] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0093.277] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x11cdfd28 | out: lpFindFileData=0x11cdfd28) returned 0 [0093.277] FindClose (in: hFindFile=0x10805908 | out: hFindFile=0x10805908) returned 1 Thread: id = 241 os_tid = 0x504 [0091.601] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*", lpFindFileData=0x11e1fd28 | out: lpFindFileData=0x11e1fd28) returned 0x10805808 [0091.601] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.601] FindNextFileW (in: hFindFile=0x10805808, lpFindFileData=0x11e1fd28 | out: lpFindFileData=0x11e1fd28) returned 1 [0091.601] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.602] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.602] FindNextFileW (in: hFindFile=0x10805808, lpFindFileData=0x11e1fd28 | out: lpFindFileData=0x11e1fd28) returned 1 [0091.602] lstrcpyW (in: lpString1=0x3e08390, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*" [0091.602] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*") returned 38 [0091.602] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\How To Restore Files.hta" [0091.602] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\searches\\how to restore files.hta")) returned 0xffffffff [0091.602] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\searches\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0091.789] WriteFile (in: hFile=0x44c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x11e1fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x11e1fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0091.790] CloseHandle (hObject=0x44c) returned 1 [0091.791] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0091.791] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="desktop.ini") returned 1 [0091.791] lstrlenW (lpString="desktop.ini") returned 11 [0091.791] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*" [0091.791] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*") returned 38 [0091.791] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini" [0091.791] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini" [0091.791] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" [0091.791] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\searches\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\searches\\desktop.ini id-br3n0g72wub8cejt.lyas")) returned 1 [0091.792] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\searches\\desktop.ini id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0091.792] CreateFileMappingA (hFile=0x44c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x450 [0091.792] CryptAcquireContextA (in: phProv=0x11e1fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x11e1fce4*=0x5d14f8) returned 1 [0091.793] CryptGenKey (in: hProv=0x5d14f8, Algid=0x6610, dwFlags=0x1, phKey=0x11e1fce0 | out: phKey=0x11e1fce0*=0x10805548) returned 1 [0091.793] CryptExportKey (in: hKey=0x10805548, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x11e1fbdc, pdwDataLen=0x11e1fcdc | out: pbData=0x11e1fbdc*, pdwDataLen=0x11e1fcdc*=0x2c) returned 1 [0091.793] MapViewOfFile (hFileMappingObject=0x450, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x200) returned 0x11a20000 [0091.796] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x11e1fbdc*, pdwDataLen=0x11e1fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x11e1fbdc*, pdwDataLen=0x11e1fcf0*=0x100) returned 1 [0091.797] CryptEncrypt (in: hKey=0x10805548, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x11a20000*, pdwDataLen=0x11e1fcdc*=0x200, dwBufLen=0x200 | out: pbData=0x11a20000*, pdwDataLen=0x11e1fcdc*=0x200) returned 1 [0091.797] UnmapViewOfFile (lpBaseAddress=0x11a20000) returned 1 [0091.797] CloseHandle (hObject=0x450) returned 1 [0091.797] CryptDestroyKey (hKey=0x10805548) returned 1 [0091.797] CryptReleaseContext (hProv=0x5d14f8, dwFlags=0x0) returned 1 [0091.797] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.797] WriteFile (in: hFile=0x44c, lpBuffer=0x11e1fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x11e1fcf0, lpOverlapped=0x0 | out: lpBuffer=0x11e1fbdc*, lpNumberOfBytesWritten=0x11e1fcf0*=0x100, lpOverlapped=0x0) returned 1 [0091.892] WriteFile (in: hFile=0x44c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x11e1fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x11e1fcf0*=0x500, lpOverlapped=0x0) returned 1 [0091.893] CloseHandle (hObject=0x44c) returned 1 [0091.894] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0093.275] FindNextFileW (in: hFindFile=0x10805808, lpFindFileData=0x11e1fd28 | out: lpFindFileData=0x11e1fd28) returned 1 [0094.128] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*" [0094.128] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*") returned 38 [0094.128] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\How To Restore Files.hta" [0094.128] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\searches\\how to restore files.hta")) returned 0x1 [0094.128] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Everywhere.search-ms") returned 1 [0094.128] lstrlenW (lpString="Everywhere.search-ms") returned 20 [0094.128] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*" [0094.128] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*") returned 38 [0094.128] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\", lpString2="Everywhere.search-ms" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms" [0094.129] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms" [0094.129] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms id-Br3n0G72wUb8CejT.LyaS" [0094.129] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms", dwFileAttributes=0x80) returned 1 [0094.508] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\ciihmnxmn6ps\\searches\\everywhere.search-ms"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\searches\\everywhere.search-ms id-br3n0g72wub8cejt.lyas")) returned 1 [0094.509] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\searches\\everywhere.search-ms id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0094.541] CreateFileMappingA (hFile=0x30c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x28c [0094.541] CryptAcquireContextA (in: phProv=0x11e1fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x11e1fce4*=0x1083cf48) returned 1 [0095.326] CryptGenKey (in: hProv=0x1083cf48, Algid=0x6610, dwFlags=0x1, phKey=0x11e1fce0 | out: phKey=0x11e1fce0*=0x5c8f10) returned 1 [0095.326] CryptExportKey (in: hKey=0x5c8f10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x11e1fbdc, pdwDataLen=0x11e1fcdc | out: pbData=0x11e1fbdc*, pdwDataLen=0x11e1fcdc*=0x2c) returned 1 [0095.326] MapViewOfFile (hFileMappingObject=0x28c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe0) returned 0x4dc0000 [0095.332] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x11e1fbdc*, pdwDataLen=0x11e1fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x11e1fbdc*, pdwDataLen=0x11e1fcf0*=0x100) returned 1 [0095.333] CryptEncrypt (in: hKey=0x5c8f10, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4dc0000*, pdwDataLen=0x11e1fcdc*=0xe0, dwBufLen=0xe0 | out: pbData=0x4dc0000*, pdwDataLen=0x11e1fcdc*=0xe0) returned 1 [0095.333] UnmapViewOfFile (lpBaseAddress=0x4dc0000) returned 1 [0095.333] CloseHandle (hObject=0x28c) returned 1 [0095.333] CryptDestroyKey (hKey=0x5c8f10) returned 1 [0095.333] CryptReleaseContext (hProv=0x1083cf48, dwFlags=0x0) returned 1 [0095.333] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.333] WriteFile (in: hFile=0x30c, lpBuffer=0x11e1fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x11e1fcf0, lpOverlapped=0x0 | out: lpBuffer=0x11e1fbdc*, lpNumberOfBytesWritten=0x11e1fcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.334] WriteFile (in: hFile=0x30c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x11e1fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x11e1fcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.363] CloseHandle (hObject=0x30c) returned 1 [0095.414] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0095.415] FindNextFileW (in: hFindFile=0x10805808, lpFindFileData=0x11e1fd28 | out: lpFindFileData=0x11e1fd28) returned 1 [0095.415] lstrcpyW (in: lpString1=0x3e00338, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*" [0095.415] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*") returned 38 [0095.415] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\How To Restore Files.hta" [0095.415] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\searches\\how to restore files.hta")) returned 0x1 [0095.415] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Indexed Locations.search-ms") returned -1 [0095.415] lstrlenW (lpString="Indexed Locations.search-ms") returned 27 [0095.415] lstrcmpiW (lpString1=".LyaS", lpString2="ch-ms") returned -1 [0095.415] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*" [0095.415] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\*.*") returned 38 [0095.415] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\", lpString2="Indexed Locations.search-ms" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms" [0095.415] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms" [0095.415] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms id-Br3n0G72wUb8CejT.LyaS" [0095.415] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms", dwFileAttributes=0x80) returned 1 [0095.416] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\ciihmnxmn6ps\\searches\\indexed locations.search-ms"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\searches\\indexed locations.search-ms id-br3n0g72wub8cejt.lyas")) returned 1 [0095.416] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\searches\\indexed locations.search-ms id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0095.417] CreateFileMappingA (hFile=0x344, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x408 [0095.417] CryptAcquireContextA (in: phProv=0x11e1fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x11e1fce4*=0x1083d9e8) returned 1 [0095.417] CryptGenKey (in: hProv=0x1083d9e8, Algid=0x6610, dwFlags=0x1, phKey=0x11e1fce0 | out: phKey=0x11e1fce0*=0x5c8710) returned 1 [0095.417] CryptExportKey (in: hKey=0x5c8710, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x11e1fbdc, pdwDataLen=0x11e1fcdc | out: pbData=0x11e1fbdc*, pdwDataLen=0x11e1fcdc*=0x2c) returned 1 [0095.417] MapViewOfFile (hFileMappingObject=0x408, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe0) returned 0x4dc0000 [0095.427] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x11e1fbdc*, pdwDataLen=0x11e1fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x11e1fbdc*, pdwDataLen=0x11e1fcf0*=0x100) returned 1 [0095.427] CryptEncrypt (in: hKey=0x5c8710, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4dc0000*, pdwDataLen=0x11e1fcdc*=0xe0, dwBufLen=0xe0 | out: pbData=0x4dc0000*, pdwDataLen=0x11e1fcdc*=0xe0) returned 1 [0095.427] UnmapViewOfFile (lpBaseAddress=0x4dc0000) returned 1 [0095.428] CloseHandle (hObject=0x408) returned 1 [0095.428] CryptDestroyKey (hKey=0x5c8710) returned 1 [0095.428] CryptReleaseContext (hProv=0x1083d9e8, dwFlags=0x0) returned 1 [0095.428] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.428] WriteFile (in: hFile=0x344, lpBuffer=0x11e1fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x11e1fcf0, lpOverlapped=0x0 | out: lpBuffer=0x11e1fbdc*, lpNumberOfBytesWritten=0x11e1fcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.429] WriteFile (in: hFile=0x344, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x11e1fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x11e1fcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.432] CloseHandle (hObject=0x344) returned 1 [0095.435] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0095.435] FindNextFileW (in: hFindFile=0x10805808, lpFindFileData=0x11e1fd28 | out: lpFindFileData=0x11e1fd28) returned 0 [0095.435] FindClose (in: hFindFile=0x10805808 | out: hFindFile=0x10805808) returned 1 Thread: id = 242 os_tid = 0x454 [0091.603] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\SendTo\\*.*", lpFindFileData=0x11f5fd28 | out: lpFindFileData=0x11f5fd28) returned 0xffffffff Thread: id = 243 os_tid = 0x278 [0091.604] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\*.*", lpFindFileData=0x1209fd28 | out: lpFindFileData=0x1209fd28) returned 0xffffffff Thread: id = 244 os_tid = 0x368 [0091.608] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Templates\\*.*", lpFindFileData=0x121dfd28 | out: lpFindFileData=0x121dfd28) returned 0xffffffff Thread: id = 245 os_tid = 0x270 [0091.609] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*", lpFindFileData=0x1231fd28 | out: lpFindFileData=0x1231fd28) returned 0x10805848 [0091.609] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.609] FindNextFileW (in: hFindFile=0x10805848, lpFindFileData=0x1231fd28 | out: lpFindFileData=0x1231fd28) returned 1 [0091.609] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.609] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.609] FindNextFileW (in: hFindFile=0x10805848, lpFindFileData=0x1231fd28 | out: lpFindFileData=0x1231fd28) returned 1 [0091.609] lstrcpyW (in: lpString1=0x5b28730, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*" [0091.609] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*") returned 36 [0091.609] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\How To Restore Files.hta" [0091.609] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\how to restore files.hta")) returned 0xffffffff [0091.609] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x460 [0091.810] WriteFile (in: hFile=0x460, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1231fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1231fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0091.811] CloseHandle (hObject=0x460) returned 1 [0091.812] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0091.812] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="60D7E9F.avi") returned 1 [0091.812] lstrlenW (lpString="60D7E9F.avi") returned 11 [0091.812] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*" [0091.812] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*") returned 36 [0091.812] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="60D7E9F.avi" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\60D7E9F.avi") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\60D7E9F.avi" [0091.812] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\60D7E9F.avi" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\60D7E9F.avi") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\60D7E9F.avi" [0091.812] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\60D7E9F.avi", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\60D7E9F.avi id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\60D7E9F.avi id-Br3n0G72wUb8CejT.LyaS" [0091.812] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\60D7E9F.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\60d7e9f.avi"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\60D7E9F.avi id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\60d7e9f.avi id-br3n0g72wub8cejt.lyas")) returned 1 [0091.813] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\60D7E9F.avi id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\60d7e9f.avi id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x460 [0091.813] CreateFileMappingA (hFile=0x460, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x464 [0091.813] CryptAcquireContextA (in: phProv=0x1231fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1231fce4*=0x5d14f8) returned 1 [0091.814] CryptGenKey (in: hProv=0x5d14f8, Algid=0x6610, dwFlags=0x1, phKey=0x1231fce0 | out: phKey=0x1231fce0*=0x10805688) returned 1 [0091.814] CryptExportKey (in: hKey=0x10805688, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1231fbdc, pdwDataLen=0x1231fcdc | out: pbData=0x1231fbdc*, pdwDataLen=0x1231fcdc*=0x2c) returned 1 [0091.814] MapViewOfFile (hFileMappingObject=0x464, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8800) returned 0x11b60000 [0091.816] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1231fbdc*, pdwDataLen=0x1231fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1231fbdc*, pdwDataLen=0x1231fcf0*=0x100) returned 1 [0091.817] CryptEncrypt (in: hKey=0x10805688, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x11b60000, pdwDataLen=0x1231fcdc*=0x8800, dwBufLen=0x8800 | out: pbData=0x11b60000*, pdwDataLen=0x1231fcdc*=0x8800) returned 1 [0091.817] UnmapViewOfFile (lpBaseAddress=0x11b60000) returned 1 [0091.817] CloseHandle (hObject=0x464) returned 1 [0091.817] CryptDestroyKey (hKey=0x10805688) returned 1 [0091.817] CryptReleaseContext (hProv=0x5d14f8, dwFlags=0x0) returned 1 [0091.817] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.817] WriteFile (in: hFile=0x460, lpBuffer=0x1231fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1231fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1231fbdc*, lpNumberOfBytesWritten=0x1231fcf0*=0x100, lpOverlapped=0x0) returned 1 [0091.818] WriteFile (in: hFile=0x460, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1231fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1231fcf0*=0x500, lpOverlapped=0x0) returned 1 [0091.818] CloseHandle (hObject=0x460) returned 1 [0091.819] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\60D7E9F.avi id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0091.820] FindNextFileW (in: hFindFile=0x10805848, lpFindFileData=0x1231fd28 | out: lpFindFileData=0x1231fd28) returned 1 [0091.820] lstrcpyW (in: lpString1=0x5b28730, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*" [0091.820] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*") returned 36 [0091.820] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\How To Restore Files.hta" [0091.820] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\how to restore files.hta")) returned 0x1 [0091.820] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="desktop.ini") returned 1 [0091.820] lstrlenW (lpString="desktop.ini") returned 11 [0091.820] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*" [0091.820] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*") returned 36 [0091.820] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini" [0091.820] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini" [0091.820] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" [0091.820] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\desktop.ini id-br3n0g72wub8cejt.lyas")) returned 1 [0091.821] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\desktop.ini id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x460 [0091.821] CreateFileMappingA (hFile=0x460, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x464 [0091.821] CryptAcquireContextA (in: phProv=0x1231fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1231fce4*=0x5d13e8) returned 1 [0091.822] CryptGenKey (in: hProv=0x5d13e8, Algid=0x6610, dwFlags=0x1, phKey=0x1231fce0 | out: phKey=0x1231fce0*=0x108054c8) returned 1 [0091.822] CryptExportKey (in: hKey=0x108054c8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1231fbdc, pdwDataLen=0x1231fcdc | out: pbData=0x1231fbdc*, pdwDataLen=0x1231fcdc*=0x2c) returned 1 [0091.822] MapViewOfFile (hFileMappingObject=0x464, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1e0) returned 0x11b60000 [0091.824] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1231fbdc*, pdwDataLen=0x1231fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1231fbdc*, pdwDataLen=0x1231fcf0*=0x100) returned 1 [0091.825] CryptEncrypt (in: hKey=0x108054c8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x11b60000*, pdwDataLen=0x1231fcdc*=0x1e0, dwBufLen=0x1e0 | out: pbData=0x11b60000*, pdwDataLen=0x1231fcdc*=0x1e0) returned 1 [0091.825] UnmapViewOfFile (lpBaseAddress=0x11b60000) returned 1 [0091.825] CloseHandle (hObject=0x464) returned 1 [0091.825] CryptDestroyKey (hKey=0x108054c8) returned 1 [0091.825] CryptReleaseContext (hProv=0x5d13e8, dwFlags=0x0) returned 1 [0091.825] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.826] WriteFile (in: hFile=0x460, lpBuffer=0x1231fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1231fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1231fbdc*, lpNumberOfBytesWritten=0x1231fcf0*=0x100, lpOverlapped=0x0) returned 1 [0091.900] WriteFile (in: hFile=0x460, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1231fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1231fcf0*=0x500, lpOverlapped=0x0) returned 1 [0091.900] CloseHandle (hObject=0x460) returned 1 [0091.901] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0093.276] FindNextFileW (in: hFindFile=0x10805848, lpFindFileData=0x1231fd28 | out: lpFindFileData=0x1231fd28) returned 1 [0093.276] lstrcmpW (lpString1=".", lpString2="GL0fbfE") returned -1 [0093.276] lstrcmpW (lpString1="..", lpString2="GL0fbfE") returned -1 [0093.276] lstrcmpiW (lpString1="windows", lpString2="GL0fbfE") returned 1 [0094.121] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*" [0094.121] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*") returned 36 [0094.121] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="GL0fbfE" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\GL0fbfE") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\GL0fbfE" [0094.121] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\GL0fbfE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\GL0fbfE\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\GL0fbfE\\*.*" [0094.121] GlobalMemoryStatus (in: lpBuffer=0x1231fd08 | out: lpBuffer=0x1231fd08) [0094.121] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x107e88e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x388 [0094.122] CloseHandle (hObject=0x388) returned 1 [0094.122] FindNextFileW (in: hFindFile=0x10805848, lpFindFileData=0x1231fd28 | out: lpFindFileData=0x1231fd28) returned 1 [0094.122] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*" [0094.122] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*") returned 36 [0094.122] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\How To Restore Files.hta" [0094.122] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\how to restore files.hta")) returned 0x1 [0094.122] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="mqFOr.avi") returned -1 [0094.122] lstrlenW (lpString="mqFOr.avi") returned 9 [0094.122] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*" [0094.122] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*") returned 36 [0094.122] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="mqFOr.avi" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\mqFOr.avi") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\mqFOr.avi" [0094.122] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\mqFOr.avi" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\mqFOr.avi") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\mqFOr.avi" [0094.122] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\mqFOr.avi", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\mqFOr.avi id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\mqFOr.avi id-Br3n0G72wUb8CejT.LyaS" [0094.122] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\mqFOr.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\mqfor.avi"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\mqFOr.avi id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\mqfor.avi id-br3n0g72wub8cejt.lyas")) returned 1 [0094.504] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\mqFOr.avi id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\mqfor.avi id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0094.505] CreateFileMappingA (hFile=0x388, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x414 [0094.505] CryptAcquireContextA (in: phProv=0x1231fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1231fce4*=0x1083d300) returned 1 [0095.560] CryptGenKey (in: hProv=0x1083d300, Algid=0x6610, dwFlags=0x1, phKey=0x1231fce0 | out: phKey=0x1231fce0*=0x5c8750) returned 1 [0095.560] CryptExportKey (in: hKey=0x5c8750, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1231fbdc, pdwDataLen=0x1231fcdc | out: pbData=0x1231fbdc*, pdwDataLen=0x1231fcdc*=0x2c) returned 1 [0095.560] MapViewOfFile (hFileMappingObject=0x414, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11fc0) returned 0x4e30000 [0095.563] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1231fbdc*, pdwDataLen=0x1231fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1231fbdc*, pdwDataLen=0x1231fcf0*=0x100) returned 1 [0095.564] CryptEncrypt (in: hKey=0x5c8750, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4e30000, pdwDataLen=0x1231fcdc*=0x11fc0, dwBufLen=0x11fc0 | out: pbData=0x4e30000*, pdwDataLen=0x1231fcdc*=0x11fc0) returned 1 [0095.564] UnmapViewOfFile (lpBaseAddress=0x4e30000) returned 1 [0095.565] CloseHandle (hObject=0x414) returned 1 [0095.565] CryptDestroyKey (hKey=0x5c8750) returned 1 [0095.565] CryptReleaseContext (hProv=0x1083d300, dwFlags=0x0) returned 1 [0095.565] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.566] WriteFile (in: hFile=0x388, lpBuffer=0x1231fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1231fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1231fbdc*, lpNumberOfBytesWritten=0x1231fcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.566] WriteFile (in: hFile=0x388, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1231fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1231fcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.566] CloseHandle (hObject=0x388) returned 1 [0095.589] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\mqFOr.avi id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0095.590] FindNextFileW (in: hFindFile=0x10805848, lpFindFileData=0x1231fd28 | out: lpFindFileData=0x1231fd28) returned 1 [0095.590] lstrcpyW (in: lpString1=0x3e1c358, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*" [0095.590] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*") returned 36 [0095.590] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\How To Restore Files.hta" [0095.590] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\how to restore files.hta")) returned 0x1 [0095.590] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="rWkgzSW.mkv") returned -1 [0095.590] lstrlenW (lpString="rWkgzSW.mkv") returned 11 [0095.590] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*" [0095.590] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*") returned 36 [0095.590] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="rWkgzSW.mkv" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\rWkgzSW.mkv") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\rWkgzSW.mkv" [0095.590] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\rWkgzSW.mkv" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\rWkgzSW.mkv") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\rWkgzSW.mkv" [0095.590] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\rWkgzSW.mkv", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\rWkgzSW.mkv id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\rWkgzSW.mkv id-Br3n0G72wUb8CejT.LyaS" [0095.591] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\rWkgzSW.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\rwkgzsw.mkv"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\rWkgzSW.mkv id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\rwkgzsw.mkv id-br3n0g72wub8cejt.lyas")) returned 1 [0095.591] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\rWkgzSW.mkv id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\rwkgzsw.mkv id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0095.592] CreateFileMappingA (hFile=0x388, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x414 [0095.592] CryptAcquireContextA (in: phProv=0x1231fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1231fce4*=0x1083cc18) returned 1 [0095.592] CryptGenKey (in: hProv=0x1083cc18, Algid=0x6610, dwFlags=0x1, phKey=0x1231fce0 | out: phKey=0x1231fce0*=0x5c8c90) returned 1 [0095.592] CryptExportKey (in: hKey=0x5c8c90, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1231fbdc, pdwDataLen=0x1231fcdc | out: pbData=0x1231fbdc*, pdwDataLen=0x1231fcdc*=0x2c) returned 1 [0095.592] MapViewOfFile (hFileMappingObject=0x414, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14ec0) returned 0x4e30000 [0095.598] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1231fbdc*, pdwDataLen=0x1231fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1231fbdc*, pdwDataLen=0x1231fcf0*=0x100) returned 1 [0095.598] CryptEncrypt (in: hKey=0x5c8c90, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4e30000, pdwDataLen=0x1231fcdc*=0x14ec0, dwBufLen=0x14ec0 | out: pbData=0x4e30000*, pdwDataLen=0x1231fcdc*=0x14ec0) returned 1 [0095.599] UnmapViewOfFile (lpBaseAddress=0x4e30000) returned 1 [0095.600] CloseHandle (hObject=0x414) returned 1 [0095.600] CryptDestroyKey (hKey=0x5c8c90) returned 1 [0095.600] CryptReleaseContext (hProv=0x1083cc18, dwFlags=0x0) returned 1 [0095.600] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.600] WriteFile (in: hFile=0x388, lpBuffer=0x1231fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1231fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1231fbdc*, lpNumberOfBytesWritten=0x1231fcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.601] WriteFile (in: hFile=0x388, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1231fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1231fcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.601] CloseHandle (hObject=0x388) returned 1 [0095.618] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\rWkgzSW.mkv id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0095.621] FindNextFileW (in: hFindFile=0x10805848, lpFindFileData=0x1231fd28 | out: lpFindFileData=0x1231fd28) returned 1 [0095.621] lstrcpyW (in: lpString1=0x3e1c358, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*" [0095.621] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*") returned 36 [0095.621] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\How To Restore Files.hta" [0095.621] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\how to restore files.hta")) returned 0x1 [0095.621] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="VyW OD.mkv") returned -1 [0095.622] lstrlenW (lpString="VyW OD.mkv") returned 10 [0095.622] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*" [0095.622] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\*.*") returned 36 [0095.622] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="VyW OD.mkv" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\VyW OD.mkv") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\VyW OD.mkv" [0095.622] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\VyW OD.mkv" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\VyW OD.mkv") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\VyW OD.mkv" [0095.622] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\VyW OD.mkv", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\VyW OD.mkv id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\VyW OD.mkv id-Br3n0G72wUb8CejT.LyaS" [0095.622] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\VyW OD.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\vyw od.mkv"), lpNewFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\VyW OD.mkv id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\vyw od.mkv id-br3n0g72wub8cejt.lyas")) returned 1 [0095.623] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\VyW OD.mkv id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\vyw od.mkv id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0095.623] CreateFileMappingA (hFile=0x388, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x414 [0095.623] CryptAcquireContextA (in: phProv=0x1231fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1231fce4*=0x1083cc18) returned 1 [0095.624] CryptGenKey (in: hProv=0x1083cc18, Algid=0x6610, dwFlags=0x1, phKey=0x1231fce0 | out: phKey=0x1231fce0*=0x5c8c90) returned 1 [0095.624] CryptExportKey (in: hKey=0x5c8c90, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1231fbdc, pdwDataLen=0x1231fcdc | out: pbData=0x1231fbdc*, pdwDataLen=0x1231fcdc*=0x2c) returned 1 [0095.624] MapViewOfFile (hFileMappingObject=0x414, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10500) returned 0x4e30000 [0095.628] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1231fbdc*, pdwDataLen=0x1231fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1231fbdc*, pdwDataLen=0x1231fcf0*=0x100) returned 1 [0095.628] CryptEncrypt (in: hKey=0x5c8c90, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4e30000, pdwDataLen=0x1231fcdc*=0x10500, dwBufLen=0x10500 | out: pbData=0x4e30000*, pdwDataLen=0x1231fcdc*=0x10500) returned 1 [0095.629] UnmapViewOfFile (lpBaseAddress=0x4e30000) returned 1 [0095.635] CloseHandle (hObject=0x414) returned 1 [0095.635] CryptDestroyKey (hKey=0x5c8c90) returned 1 [0095.635] CryptReleaseContext (hProv=0x1083cc18, dwFlags=0x0) returned 1 [0095.635] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.635] WriteFile (in: hFile=0x388, lpBuffer=0x1231fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1231fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1231fbdc*, lpNumberOfBytesWritten=0x1231fcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.635] WriteFile (in: hFile=0x388, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1231fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1231fcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.635] CloseHandle (hObject=0x388) returned 1 [0095.639] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Videos\\VyW OD.mkv id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0095.640] FindNextFileW (in: hFindFile=0x10805848, lpFindFileData=0x1231fd28 | out: lpFindFileData=0x1231fd28) returned 0 [0095.640] FindClose (in: hFindFile=0x10805848 | out: hFindFile=0x10805848) returned 1 Thread: id = 246 os_tid = 0x200 [0091.611] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*", lpFindFileData=0x1245fd28 | out: lpFindFileData=0x1245fd28) returned 0x10805888 [0091.611] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.611] FindNextFileW (in: hFindFile=0x10805888, lpFindFileData=0x1245fd28 | out: lpFindFileData=0x1245fd28) returned 1 [0091.611] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.611] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.611] FindNextFileW (in: hFindFile=0x10805888, lpFindFileData=0x1245fd28 | out: lpFindFileData=0x1245fd28) returned 1 [0091.612] lstrcpyW (in: lpString1=0x3e10398, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0091.612] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned 48 [0091.612] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\How To Restore Files.hta" [0091.612] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\internet explorer\\en-us\\how to restore files.hta")) returned 0xffffffff [0091.612] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\internet explorer\\en-us\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0091.830] WriteFile (in: hFile=0x464, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1245fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1245fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0091.831] CloseHandle (hObject=0x464) returned 1 [0091.831] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0091.831] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="hmmapi.dll.mui") returned 1 [0091.831] lstrlenW (lpString="hmmapi.dll.mui") returned 14 [0091.831] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0091.832] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned 48 [0091.832] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\", lpString2="hmmapi.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui" [0091.832] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui" [0091.832] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui id-Br3n0G72wUb8CejT.LyaS" [0091.832] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\hmmapi.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\internet explorer\\en-us\\hmmapi.dll.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0091.832] FindNextFileW (in: hFindFile=0x10805888, lpFindFileData=0x1245fd28 | out: lpFindFileData=0x1245fd28) returned 1 [0091.832] lstrcpyW (in: lpString1=0x5b28730, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0091.832] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned 48 [0091.832] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\How To Restore Files.hta" [0091.832] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\internet explorer\\en-us\\how to restore files.hta")) returned 0x1 [0091.832] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ieinstal.exe.mui") returned -1 [0091.832] lstrlenW (lpString="ieinstal.exe.mui") returned 16 [0091.832] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0091.832] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned 48 [0091.832] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\", lpString2="ieinstal.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui" [0091.832] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui" [0091.832] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0091.832] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\ieinstal.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\internet explorer\\en-us\\ieinstal.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0091.833] FindNextFileW (in: hFindFile=0x10805888, lpFindFileData=0x1245fd28 | out: lpFindFileData=0x1245fd28) returned 1 [0091.833] lstrcpyW (in: lpString1=0x5b28730, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0091.833] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned 48 [0091.833] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\How To Restore Files.hta" [0091.833] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\internet explorer\\en-us\\how to restore files.hta")) returned 0x1 [0091.833] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="iexplore.exe.mui") returned -1 [0091.833] lstrlenW (lpString="iexplore.exe.mui") returned 16 [0091.833] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0091.833] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned 48 [0091.833] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\", lpString2="iexplore.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui" [0091.833] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui" [0091.833] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0091.833] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\iexplore.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\internet explorer\\en-us\\iexplore.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0093.266] FindNextFileW (in: hFindFile=0x10805888, lpFindFileData=0x1245fd28 | out: lpFindFileData=0x1245fd28) returned 0 [0093.266] FindClose (in: hFindFile=0x10805888 | out: hFindFile=0x10805888) returned 1 Thread: id = 247 os_tid = 0x1a4 [0091.613] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\*.*", lpFindFileData=0x1259fd28 | out: lpFindFileData=0x1259fd28) returned 0x108058c8 [0091.613] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.613] FindNextFileW (in: hFindFile=0x108058c8, lpFindFileData=0x1259fd28 | out: lpFindFileData=0x1259fd28) returned 1 [0091.613] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.613] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.613] FindNextFileW (in: hFindFile=0x108058c8, lpFindFileData=0x1259fd28 | out: lpFindFileData=0x1259fd28) returned 1 [0091.614] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\*.*" [0091.614] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\*.*") returned 47 [0091.614] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\How To Restore Files.hta" [0091.614] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft onedrive\\setup\\how to restore files.hta")) returned 0xffffffff [0091.614] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft onedrive\\setup\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b8 [0092.082] WriteFile (in: hFile=0x4b8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1259fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1259fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0092.083] CloseHandle (hObject=0x4b8) returned 1 [0092.083] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0092.084] FindNextFileW (in: hFindFile=0x108058c8, lpFindFileData=0x1259fd28 | out: lpFindFileData=0x1259fd28) returned 0 [0092.084] FindClose (in: hFindFile=0x108058c8 | out: hFindFile=0x108058c8) returned 1 Thread: id = 248 os_tid = 0x6d0 [0091.616] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*", lpFindFileData=0x126dfd28 | out: lpFindFileData=0x126dfd28) returned 0x10805188 [0091.616] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.616] FindNextFileW (in: hFindFile=0x10805188, lpFindFileData=0x126dfd28 | out: lpFindFileData=0x126dfd28) returned 1 [0091.616] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.617] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.617] FindNextFileW (in: hFindFile=0x10805188, lpFindFileData=0x126dfd28 | out: lpFindFileData=0x126dfd28) returned 1 [0091.617] lstrcpyW (in: lpString1=0x105f01e8, lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" [0091.617] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned 37 [0091.617] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta" [0091.617] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta" (normalized: "c:\\programdata\\usoshared\\logs\\how to restore files.hta")) returned 0xffffffff [0091.617] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta" (normalized: "c:\\programdata\\usoshared\\logs\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0091.869] WriteFile (in: hFile=0x470, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x126dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x126dfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0091.870] CloseHandle (hObject=0x470) returned 1 [0091.870] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0091.871] FindNextFileW (in: hFindFile=0x10805188, lpFindFileData=0x126dfd28 | out: lpFindFileData=0x126dfd28) returned 1 [0091.871] lstrcpyW (in: lpString1=0x105f01e8, lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" [0091.871] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned 37 [0091.871] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta" [0091.871] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta" (normalized: "c:\\programdata\\usoshared\\logs\\how to restore files.hta")) returned 0x1 [0091.871] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="UpdateSessionOrchestration.002.etl") returned -1 [0091.871] lstrlenW (lpString="UpdateSessionOrchestration.002.etl") returned 34 [0091.871] lstrcmpiW (lpString1=".LyaS", lpString2="2.etl") returned -1 [0091.871] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" [0091.871] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned 37 [0091.871] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\", lpString2="UpdateSessionOrchestration.002.etl" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl" [0091.871] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl" [0091.872] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl id-Br3n0G72wUb8CejT.LyaS" [0091.872] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.002.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.002.etl id-br3n0g72wub8cejt.lyas")) returned 1 [0092.119] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.002.etl id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b8 [0092.120] CreateFileMappingA (hFile=0x4b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4bc [0092.120] CryptAcquireContextA (in: phProv=0x126dfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x126dfce4*=0x5d0bf0) returned 1 [0092.120] CryptGenKey (in: hProv=0x5d0bf0, Algid=0x6610, dwFlags=0x1, phKey=0x126dfce0 | out: phKey=0x126dfce0*=0x10804d48) returned 1 [0092.120] CryptExportKey (in: hKey=0x10804d48, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x126dfbdc, pdwDataLen=0x126dfcdc | out: pbData=0x126dfbdc*, pdwDataLen=0x126dfcdc*=0x2c) returned 1 [0092.120] MapViewOfFile (hFileMappingObject=0x4bc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4000) returned 0x64e0000 [0092.127] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x126dfbdc*, pdwDataLen=0x126dfcf0*=0x40, dwBufLen=0x100 | out: pbData=0x126dfbdc*, pdwDataLen=0x126dfcf0*=0x100) returned 1 [0092.128] CryptEncrypt (in: hKey=0x10804d48, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x64e0000, pdwDataLen=0x126dfcdc*=0x4000, dwBufLen=0x4000 | out: pbData=0x64e0000*, pdwDataLen=0x126dfcdc*=0x4000) returned 1 [0092.128] UnmapViewOfFile (lpBaseAddress=0x64e0000) returned 1 [0092.128] CloseHandle (hObject=0x4bc) returned 1 [0092.128] CryptDestroyKey (hKey=0x10804d48) returned 1 [0092.128] CryptReleaseContext (hProv=0x5d0bf0, dwFlags=0x0) returned 1 [0092.128] SetFilePointerEx (in: hFile=0x4b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.128] WriteFile (in: hFile=0x4b8, lpBuffer=0x126dfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x126dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x126dfbdc*, lpNumberOfBytesWritten=0x126dfcf0*=0x100, lpOverlapped=0x0) returned 1 [0092.129] WriteFile (in: hFile=0x4b8, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x126dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x126dfcf0*=0x500, lpOverlapped=0x0) returned 1 [0092.129] CloseHandle (hObject=0x4b8) returned 1 [0092.136] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0092.136] FindNextFileW (in: hFindFile=0x10805188, lpFindFileData=0x126dfd28 | out: lpFindFileData=0x126dfd28) returned 1 [0092.136] lstrcpyW (in: lpString1=0x3ec5e90, lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" [0092.136] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned 37 [0092.136] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta" [0092.136] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta" (normalized: "c:\\programdata\\usoshared\\logs\\how to restore files.hta")) returned 0x1 [0092.136] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="UpdateSessionOrchestration.003.etl") returned -1 [0092.136] lstrlenW (lpString="UpdateSessionOrchestration.003.etl") returned 34 [0092.136] lstrcmpiW (lpString1=".LyaS", lpString2="3.etl") returned -1 [0092.136] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" [0092.136] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned 37 [0092.137] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\", lpString2="UpdateSessionOrchestration.003.etl" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl" [0092.137] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl" [0092.137] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl id-Br3n0G72wUb8CejT.LyaS" [0092.137] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.003.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.003.etl id-br3n0g72wub8cejt.lyas")) returned 1 [0092.138] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.003.etl id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b8 [0092.138] CreateFileMappingA (hFile=0x4b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4bc [0092.138] CryptAcquireContextA (in: phProv=0x126dfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x126dfce4*=0x5d0bf0) returned 1 [0092.138] CryptGenKey (in: hProv=0x5d0bf0, Algid=0x6610, dwFlags=0x1, phKey=0x126dfce0 | out: phKey=0x126dfce0*=0x10804ac8) returned 1 [0092.138] CryptExportKey (in: hKey=0x10804ac8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x126dfbdc, pdwDataLen=0x126dfcdc | out: pbData=0x126dfbdc*, pdwDataLen=0x126dfcdc*=0x2c) returned 1 [0092.139] MapViewOfFile (hFileMappingObject=0x4bc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4000) returned 0x64e0000 [0092.156] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x126dfbdc*, pdwDataLen=0x126dfcf0*=0x40, dwBufLen=0x100 | out: pbData=0x126dfbdc*, pdwDataLen=0x126dfcf0*=0x100) returned 1 [0092.157] CryptEncrypt (in: hKey=0x10804ac8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x64e0000, pdwDataLen=0x126dfcdc*=0x4000, dwBufLen=0x4000 | out: pbData=0x64e0000*, pdwDataLen=0x126dfcdc*=0x4000) returned 1 [0092.157] UnmapViewOfFile (lpBaseAddress=0x64e0000) returned 1 [0092.157] CloseHandle (hObject=0x4bc) returned 1 [0092.157] CryptDestroyKey (hKey=0x10804ac8) returned 1 [0092.157] CryptReleaseContext (hProv=0x5d0bf0, dwFlags=0x0) returned 1 [0092.157] SetFilePointerEx (in: hFile=0x4b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.157] WriteFile (in: hFile=0x4b8, lpBuffer=0x126dfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x126dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x126dfbdc*, lpNumberOfBytesWritten=0x126dfcf0*=0x100, lpOverlapped=0x0) returned 1 [0092.159] WriteFile (in: hFile=0x4b8, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x126dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x126dfcf0*=0x500, lpOverlapped=0x0) returned 1 [0092.159] CloseHandle (hObject=0x4b8) returned 1 [0092.162] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0092.163] FindNextFileW (in: hFindFile=0x10805188, lpFindFileData=0x126dfd28 | out: lpFindFileData=0x126dfd28) returned 1 [0092.163] lstrcpyW (in: lpString1=0x3ec5e90, lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" [0092.163] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned 37 [0092.163] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta" [0092.163] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta" (normalized: "c:\\programdata\\usoshared\\logs\\how to restore files.hta")) returned 0x1 [0092.163] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="UpdateSessionOrchestration.004.etl") returned -1 [0092.163] lstrlenW (lpString="UpdateSessionOrchestration.004.etl") returned 34 [0092.163] lstrcmpiW (lpString1=".LyaS", lpString2="4.etl") returned -1 [0092.163] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" [0092.163] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned 37 [0092.163] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\", lpString2="UpdateSessionOrchestration.004.etl" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl" [0092.163] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl" [0092.163] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl id-Br3n0G72wUb8CejT.LyaS" [0092.163] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.004.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.004.etl id-br3n0g72wub8cejt.lyas")) returned 1 [0092.164] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.004.etl id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b8 [0092.164] CreateFileMappingA (hFile=0x4b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4bc [0092.164] CryptAcquireContextA (in: phProv=0x126dfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x126dfce4*=0x5d19c0) returned 1 [0092.165] CryptGenKey (in: hProv=0x5d19c0, Algid=0x6610, dwFlags=0x1, phKey=0x126dfce0 | out: phKey=0x126dfce0*=0x10804d08) returned 1 [0092.165] CryptExportKey (in: hKey=0x10804d08, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x126dfbdc, pdwDataLen=0x126dfcdc | out: pbData=0x126dfbdc*, pdwDataLen=0x126dfcdc*=0x2c) returned 1 [0092.165] MapViewOfFile (hFileMappingObject=0x4bc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4000) returned 0x64d0000 [0093.280] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x126dfbdc*, pdwDataLen=0x126dfcf0*=0x40, dwBufLen=0x100 | out: pbData=0x126dfbdc*, pdwDataLen=0x126dfcf0*=0x100) returned 1 [0093.281] CryptEncrypt (in: hKey=0x10804d08, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x64d0000, pdwDataLen=0x126dfcdc*=0x4000, dwBufLen=0x4000 | out: pbData=0x64d0000*, pdwDataLen=0x126dfcdc*=0x4000) returned 1 [0094.113] UnmapViewOfFile (lpBaseAddress=0x64d0000) returned 1 [0094.113] CloseHandle (hObject=0x4bc) returned 1 [0094.113] CryptDestroyKey (hKey=0x10804d08) returned 1 [0094.113] CryptReleaseContext (hProv=0x5d19c0, dwFlags=0x0) returned 1 [0094.113] SetFilePointerEx (in: hFile=0x4b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.113] WriteFile (in: hFile=0x4b8, lpBuffer=0x126dfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x126dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x126dfbdc*, lpNumberOfBytesWritten=0x126dfcf0*=0x100, lpOverlapped=0x0) returned 1 [0094.467] WriteFile (in: hFile=0x4b8, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x126dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x126dfcf0*=0x500, lpOverlapped=0x0) returned 1 [0094.467] CloseHandle (hObject=0x4b8) returned 1 [0094.469] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0094.505] FindNextFileW (in: hFindFile=0x10805188, lpFindFileData=0x126dfd28 | out: lpFindFileData=0x126dfd28) returned 1 [0095.528] lstrcpyW (in: lpString1=0x3e1c358, lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" [0095.528] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned 37 [0095.528] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta" [0095.528] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta" (normalized: "c:\\programdata\\usoshared\\logs\\how to restore files.hta")) returned 0x1 [0095.528] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="UpdateSessionOrchestration.005.etl") returned -1 [0095.528] lstrlenW (lpString="UpdateSessionOrchestration.005.etl") returned 34 [0095.528] lstrcmpiW (lpString1=".LyaS", lpString2="5.etl") returned -1 [0095.528] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" [0095.528] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned 37 [0095.528] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\", lpString2="UpdateSessionOrchestration.005.etl" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl" [0095.528] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl" [0095.529] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl id-Br3n0G72wUb8CejT.LyaS" [0095.529] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.005.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.005.etl id-br3n0g72wub8cejt.lyas")) returned 1 [0095.530] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.005.etl id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x458 [0095.530] CreateFileMappingA (hFile=0x458, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x28c [0095.530] CryptAcquireContextA (in: phProv=0x126dfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x126dfce4*=0x1083d0e0) returned 1 [0095.531] CryptGenKey (in: hProv=0x1083d0e0, Algid=0x6610, dwFlags=0x1, phKey=0x126dfce0 | out: phKey=0x126dfce0*=0x5c8f10) returned 1 [0095.531] CryptExportKey (in: hKey=0x5c8f10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x126dfbdc, pdwDataLen=0x126dfcdc | out: pbData=0x126dfbdc*, pdwDataLen=0x126dfcdc*=0x2c) returned 1 [0095.531] MapViewOfFile (hFileMappingObject=0x28c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4000) returned 0x4dd0000 [0095.607] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x126dfbdc*, pdwDataLen=0x126dfcf0*=0x40, dwBufLen=0x100 | out: pbData=0x126dfbdc*, pdwDataLen=0x126dfcf0*=0x100) returned 1 [0095.607] CryptEncrypt (in: hKey=0x5c8f10, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4dd0000, pdwDataLen=0x126dfcdc*=0x4000, dwBufLen=0x4000 | out: pbData=0x4dd0000*, pdwDataLen=0x126dfcdc*=0x4000) returned 1 [0095.607] UnmapViewOfFile (lpBaseAddress=0x4dd0000) returned 1 [0095.608] CloseHandle (hObject=0x28c) returned 1 [0095.608] CryptDestroyKey (hKey=0x5c8f10) returned 1 [0095.608] CryptReleaseContext (hProv=0x1083d0e0, dwFlags=0x0) returned 1 [0095.608] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.608] WriteFile (in: hFile=0x458, lpBuffer=0x126dfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x126dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x126dfbdc*, lpNumberOfBytesWritten=0x126dfcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.609] WriteFile (in: hFile=0x458, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x126dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x126dfcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.609] CloseHandle (hObject=0x458) returned 1 [0095.611] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0095.611] FindNextFileW (in: hFindFile=0x10805188, lpFindFileData=0x126dfd28 | out: lpFindFileData=0x126dfd28) returned 1 [0095.611] lstrcpyW (in: lpString1=0x3e1c358, lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" [0095.612] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned 37 [0095.612] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta" [0095.612] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta" (normalized: "c:\\programdata\\usoshared\\logs\\how to restore files.hta")) returned 0x1 [0095.612] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="UpdateSessionOrchestration.006.etl") returned -1 [0095.612] lstrlenW (lpString="UpdateSessionOrchestration.006.etl") returned 34 [0095.612] lstrcmpiW (lpString1=".LyaS", lpString2="6.etl") returned -1 [0095.612] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" [0095.612] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned 37 [0095.612] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\", lpString2="UpdateSessionOrchestration.006.etl" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl" [0095.612] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl" [0095.612] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl id-Br3n0G72wUb8CejT.LyaS" [0095.612] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.006.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.006.etl id-br3n0g72wub8cejt.lyas")) returned 1 [0095.613] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.006.etl id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x458 [0095.613] CreateFileMappingA (hFile=0x458, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x28c [0095.614] CryptAcquireContextA (in: phProv=0x126dfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x126dfce4*=0x1083d300) returned 1 [0095.614] CryptGenKey (in: hProv=0x1083d300, Algid=0x6610, dwFlags=0x1, phKey=0x126dfce0 | out: phKey=0x126dfce0*=0x5c9310) returned 1 [0095.614] CryptExportKey (in: hKey=0x5c9310, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x126dfbdc, pdwDataLen=0x126dfcdc | out: pbData=0x126dfbdc*, pdwDataLen=0x126dfcdc*=0x2c) returned 1 [0095.614] MapViewOfFile (hFileMappingObject=0x28c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4000) returned 0x4dd0000 [0095.630] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x126dfbdc*, pdwDataLen=0x126dfcf0*=0x40, dwBufLen=0x100 | out: pbData=0x126dfbdc*, pdwDataLen=0x126dfcf0*=0x100) returned 1 [0095.630] CryptEncrypt (in: hKey=0x5c9310, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4dd0000, pdwDataLen=0x126dfcdc*=0x4000, dwBufLen=0x4000 | out: pbData=0x4dd0000*, pdwDataLen=0x126dfcdc*=0x4000) returned 1 [0095.630] UnmapViewOfFile (lpBaseAddress=0x4dd0000) returned 1 [0095.631] CloseHandle (hObject=0x28c) returned 1 [0095.631] CryptDestroyKey (hKey=0x5c9310) returned 1 [0095.631] CryptReleaseContext (hProv=0x1083d300, dwFlags=0x0) returned 1 [0095.631] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.631] WriteFile (in: hFile=0x458, lpBuffer=0x126dfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x126dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x126dfbdc*, lpNumberOfBytesWritten=0x126dfcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.632] WriteFile (in: hFile=0x458, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x126dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x126dfcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.632] CloseHandle (hObject=0x458) returned 1 [0095.640] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0095.641] FindNextFileW (in: hFindFile=0x10805188, lpFindFileData=0x126dfd28 | out: lpFindFileData=0x126dfd28) returned 1 [0095.641] lstrcpyW (in: lpString1=0x3e1c358, lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" [0095.641] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned 37 [0095.641] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta" [0095.641] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta" (normalized: "c:\\programdata\\usoshared\\logs\\how to restore files.hta")) returned 0x1 [0095.641] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="UpdateSessionOrchestration.007.etl") returned -1 [0095.641] lstrlenW (lpString="UpdateSessionOrchestration.007.etl") returned 34 [0095.641] lstrcmpiW (lpString1=".LyaS", lpString2="7.etl") returned -1 [0095.641] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" [0095.641] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned 37 [0095.641] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\", lpString2="UpdateSessionOrchestration.007.etl" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl" [0095.641] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl" [0095.641] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl id-Br3n0G72wUb8CejT.LyaS" [0095.641] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.007.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.007.etl id-br3n0g72wub8cejt.lyas")) returned 1 [0095.642] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.007.etl id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x458 [0095.643] CreateFileMappingA (hFile=0x458, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x424 [0095.643] CryptAcquireContextA (in: phProv=0x126dfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x126dfce4*=0x1083d0e0) returned 1 [0095.643] CryptGenKey (in: hProv=0x1083d0e0, Algid=0x6610, dwFlags=0x1, phKey=0x126dfce0 | out: phKey=0x126dfce0*=0x5c8c90) returned 1 [0095.644] CryptExportKey (in: hKey=0x5c8c90, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x126dfbdc, pdwDataLen=0x126dfcdc | out: pbData=0x126dfbdc*, pdwDataLen=0x126dfcdc*=0x2c) returned 1 [0095.644] MapViewOfFile (hFileMappingObject=0x424, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4000) returned 0x4dd0000 [0095.648] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x126dfbdc*, pdwDataLen=0x126dfcf0*=0x40, dwBufLen=0x100 | out: pbData=0x126dfbdc*, pdwDataLen=0x126dfcf0*=0x100) returned 1 [0095.648] CryptEncrypt (in: hKey=0x5c8c90, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4dd0000, pdwDataLen=0x126dfcdc*=0x4000, dwBufLen=0x4000 | out: pbData=0x4dd0000*, pdwDataLen=0x126dfcdc*=0x4000) returned 1 [0095.649] UnmapViewOfFile (lpBaseAddress=0x4dd0000) returned 1 [0095.649] CloseHandle (hObject=0x424) returned 1 [0095.649] CryptDestroyKey (hKey=0x5c8c90) returned 1 [0095.649] CryptReleaseContext (hProv=0x1083d0e0, dwFlags=0x0) returned 1 [0095.649] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.649] WriteFile (in: hFile=0x458, lpBuffer=0x126dfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x126dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x126dfbdc*, lpNumberOfBytesWritten=0x126dfcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.651] WriteFile (in: hFile=0x458, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x126dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x126dfcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.651] CloseHandle (hObject=0x458) returned 1 [0095.658] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0095.659] FindNextFileW (in: hFindFile=0x10805188, lpFindFileData=0x126dfd28 | out: lpFindFileData=0x126dfd28) returned 1 [0095.659] lstrcpyW (in: lpString1=0x3e1c358, lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" [0095.659] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned 37 [0095.659] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta" [0095.659] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta" (normalized: "c:\\programdata\\usoshared\\logs\\how to restore files.hta")) returned 0x1 [0095.659] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="UpdateSessionOrchestration.008.etl") returned -1 [0095.659] lstrlenW (lpString="UpdateSessionOrchestration.008.etl") returned 34 [0095.659] lstrcmpiW (lpString1=".LyaS", lpString2="8.etl") returned -1 [0095.659] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" [0095.659] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned 37 [0095.659] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\", lpString2="UpdateSessionOrchestration.008.etl" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl" [0095.660] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl" [0095.660] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl id-Br3n0G72wUb8CejT.LyaS" [0095.660] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.008.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.008.etl id-br3n0g72wub8cejt.lyas")) returned 1 [0095.661] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.008.etl id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x458 [0095.661] CreateFileMappingA (hFile=0x458, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x424 [0095.661] CryptAcquireContextA (in: phProv=0x126dfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x126dfce4*=0x1083ce38) returned 1 [0095.662] CryptGenKey (in: hProv=0x1083ce38, Algid=0x6610, dwFlags=0x1, phKey=0x126dfce0 | out: phKey=0x126dfce0*=0x5c8850) returned 1 [0095.662] CryptExportKey (in: hKey=0x5c8850, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x126dfbdc, pdwDataLen=0x126dfcdc | out: pbData=0x126dfbdc*, pdwDataLen=0x126dfcdc*=0x2c) returned 1 [0095.662] MapViewOfFile (hFileMappingObject=0x424, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4000) returned 0x4dd0000 [0095.687] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x126dfbdc*, pdwDataLen=0x126dfcf0*=0x40, dwBufLen=0x100 | out: pbData=0x126dfbdc*, pdwDataLen=0x126dfcf0*=0x100) returned 1 [0095.688] CryptEncrypt (in: hKey=0x5c8850, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4dd0000, pdwDataLen=0x126dfcdc*=0x4000, dwBufLen=0x4000 | out: pbData=0x4dd0000*, pdwDataLen=0x126dfcdc*=0x4000) returned 1 [0095.688] UnmapViewOfFile (lpBaseAddress=0x4dd0000) returned 1 [0095.688] CloseHandle (hObject=0x424) returned 1 [0095.688] CryptDestroyKey (hKey=0x5c8850) returned 1 [0095.688] CryptReleaseContext (hProv=0x1083ce38, dwFlags=0x0) returned 1 [0095.688] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.689] WriteFile (in: hFile=0x458, lpBuffer=0x126dfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x126dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x126dfbdc*, lpNumberOfBytesWritten=0x126dfcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.690] WriteFile (in: hFile=0x458, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x126dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x126dfcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.690] CloseHandle (hObject=0x458) returned 1 [0096.371] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0096.629] FindNextFileW (in: hFindFile=0x10805188, lpFindFileData=0x126dfd28 | out: lpFindFileData=0x126dfd28) returned 1 [0097.006] lstrcpyW (in: lpString1=0x3df0328, lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" [0097.006] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned 37 [0097.006] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta" [0097.007] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\How To Restore Files.hta" (normalized: "c:\\programdata\\usoshared\\logs\\how to restore files.hta")) returned 0x1 [0097.007] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="UpdateSessionOrchestration.009.etl") returned -1 [0097.007] lstrlenW (lpString="UpdateSessionOrchestration.009.etl") returned 34 [0097.007] lstrcmpiW (lpString1=".LyaS", lpString2="9.etl") returned -1 [0097.007] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*" [0097.007] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*.*") returned 37 [0097.007] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\", lpString2="UpdateSessionOrchestration.009.etl" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl" [0097.007] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl" [0097.007] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl id-Br3n0G72wUb8CejT.LyaS" [0097.007] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.009.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.009.etl id-br3n0g72wub8cejt.lyas")) Thread: id = 249 os_tid = 0xec [0091.712] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\*.*", lpFindFileData=0x1281fd28 | out: lpFindFileData=0x1281fd28) returned 0x10805648 [0091.712] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.712] FindNextFileW (in: hFindFile=0x10805648, lpFindFileData=0x1281fd28 | out: lpFindFileData=0x1281fd28) returned 1 [0091.712] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.712] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.712] FindNextFileW (in: hFindFile=0x10805648, lpFindFileData=0x1281fd28 | out: lpFindFileData=0x1281fd28) returned 1 [0091.712] lstrcpyW (in: lpString1=0x105f81f0, lpString2="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\*.*") returned="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\*.*" [0091.712] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\*.*") returned 45 [0091.712] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\How To Restore Files.hta" [0091.712] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\How To Restore Files.hta" (normalized: "c:\\programdata\\usoprivate\\updatestore\\how to restore files.hta")) returned 0xffffffff [0091.712] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\How To Restore Files.hta" (normalized: "c:\\programdata\\usoprivate\\updatestore\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0094.924] WriteFile (in: hFile=0x354, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1281fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1281fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.926] CloseHandle (hObject=0x354) returned 1 [0094.926] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0097.003] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml") returned -1 [0097.004] lstrlenW (lpString="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml") returned 51 [0097.004] lstrcmpiW (lpString1=".LyaS", lpString2="4.xml") returned -1 [0097.004] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\*.*") returned="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\*.*" [0097.004] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\*.*") returned 45 [0097.004] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\", lpString2="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml") returned="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml" [0097.004] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml") returned="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml" [0097.004] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml id-Br3n0G72wUb8CejT.LyaS" [0097.004] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml" (normalized: "c:\\programdata\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml id-br3n0g72wub8cejt.lyas")) Thread: id = 250 os_tid = 0xaf4 [0091.713] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*", lpFindFileData=0x1295fd28 | out: lpFindFileData=0x1295fd28) returned 0x10805248 [0091.713] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.713] FindNextFileW (in: hFindFile=0x10805248, lpFindFileData=0x1295fd28 | out: lpFindFileData=0x1295fd28) returned 1 [0091.713] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.713] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.713] FindNextFileW (in: hFindFile=0x10805248, lpFindFileData=0x1295fd28 | out: lpFindFileData=0x1295fd28) returned 1 [0091.713] lstrcmpW (lpString1=".", lpString2="bin") returned -1 [0091.713] lstrcmpW (lpString1="..", lpString2="bin") returned -1 [0091.713] lstrcmpiW (lpString1="windows", lpString2="bin") returned 1 [0091.713] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" [0091.713] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned 42 [0091.713] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\", lpString2="bin" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\bin") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\bin" [0091.713] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\bin", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\bin\\*.*") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\bin\\*.*" [0091.713] GlobalMemoryStatus (in: lpBuffer=0x1295fd08 | out: lpBuffer=0x1295fd08) [0091.713] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10638320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x44c [0091.714] CloseHandle (hObject=0x44c) returned 1 [0091.714] FindNextFileW (in: hFindFile=0x10805248, lpFindFileData=0x1295fd28 | out: lpFindFileData=0x1295fd28) returned 1 [0091.714] lstrcpyW (in: lpString1=0x106001f8, lpString2="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" [0091.714] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned 42 [0091.714] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\How To Restore Files.hta" [0091.714] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\How To Restore Files.hta" (normalized: "c:\\program files\\java\\jre1.8.0_131\\how to restore files.hta")) returned 0xffffffff [0091.714] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\How To Restore Files.hta" (normalized: "c:\\program files\\java\\jre1.8.0_131\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0092.113] WriteFile (in: hFile=0x45c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1295fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1295fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0092.114] CloseHandle (hObject=0x45c) returned 1 [0092.114] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0092.114] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="COPYRIGHT") returned 1 [0092.114] lstrlenW (lpString="COPYRIGHT") returned 9 [0092.115] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" [0092.115] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned 42 [0092.115] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\", lpString2="COPYRIGHT" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\COPYRIGHT") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\COPYRIGHT" [0092.115] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\COPYRIGHT" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\COPYRIGHT") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\COPYRIGHT" [0092.115] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\COPYRIGHT", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\COPYRIGHT id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\COPYRIGHT id-Br3n0G72wUb8CejT.LyaS" [0092.115] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\COPYRIGHT" (normalized: "c:\\program files\\java\\jre1.8.0_131\\copyright"), lpNewFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\COPYRIGHT id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\java\\jre1.8.0_131\\copyright id-br3n0g72wub8cejt.lyas")) returned 1 [0092.115] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\COPYRIGHT id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\java\\jre1.8.0_131\\copyright id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0092.116] CreateFileMappingA (hFile=0x45c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x42c [0092.116] CryptAcquireContextA (in: phProv=0x1295fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1295fce4*=0x5d19c0) returned 1 [0092.116] CryptGenKey (in: hProv=0x5d19c0, Algid=0x6610, dwFlags=0x1, phKey=0x1295fce0 | out: phKey=0x1295fce0*=0x10805488) returned 1 [0092.117] CryptExportKey (in: hKey=0x10805488, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1295fbdc, pdwDataLen=0x1295fcdc | out: pbData=0x1295fbdc*, pdwDataLen=0x1295fcdc*=0x2c) returned 1 [0092.117] MapViewOfFile (hFileMappingObject=0x42c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xca0) returned 0x64d0000 [0092.141] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1295fbdc*, pdwDataLen=0x1295fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1295fbdc*, pdwDataLen=0x1295fcf0*=0x100) returned 1 [0092.142] CryptEncrypt (in: hKey=0x10805488, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x64d0000*, pdwDataLen=0x1295fcdc*=0xca0, dwBufLen=0xca0 | out: pbData=0x64d0000*, pdwDataLen=0x1295fcdc*=0xca0) returned 1 [0092.142] UnmapViewOfFile (lpBaseAddress=0x64d0000) returned 1 [0092.142] CloseHandle (hObject=0x42c) returned 1 [0092.142] CryptDestroyKey (hKey=0x10805488) returned 1 [0092.142] CryptReleaseContext (hProv=0x5d19c0, dwFlags=0x0) returned 1 [0092.142] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.142] WriteFile (in: hFile=0x45c, lpBuffer=0x1295fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1295fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1295fbdc*, lpNumberOfBytesWritten=0x1295fcf0*=0x100, lpOverlapped=0x0) returned 1 [0092.143] WriteFile (in: hFile=0x45c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1295fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1295fcf0*=0x500, lpOverlapped=0x0) returned 1 [0092.143] CloseHandle (hObject=0x45c) returned 1 [0092.145] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\COPYRIGHT id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0092.146] FindNextFileW (in: hFindFile=0x10805248, lpFindFileData=0x1295fd28 | out: lpFindFileData=0x1295fd28) returned 1 [0092.146] lstrcmpW (lpString1=".", lpString2="lib") returned -1 [0092.146] lstrcmpW (lpString1="..", lpString2="lib") returned -1 [0092.146] lstrcmpiW (lpString1="windows", lpString2="lib") returned 1 [0092.146] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" [0092.146] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned 42 [0092.146] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\", lpString2="lib" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\lib") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\lib" [0092.146] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\lib", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\lib\\*.*") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\lib\\*.*" [0092.146] GlobalMemoryStatus (in: lpBuffer=0x1295fd08 | out: lpBuffer=0x1295fd08) [0092.146] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x106f8660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x45c [0092.147] CloseHandle (hObject=0x45c) returned 1 [0092.147] FindNextFileW (in: hFindFile=0x10805248, lpFindFileData=0x1295fd28 | out: lpFindFileData=0x1295fd28) returned 1 [0092.147] lstrcpyW (in: lpString1=0x3ec5e90, lpString2="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" [0092.147] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned 42 [0092.147] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\How To Restore Files.hta" [0092.147] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\How To Restore Files.hta" (normalized: "c:\\program files\\java\\jre1.8.0_131\\how to restore files.hta")) returned 0x1 [0092.147] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="LICENSE") returned -1 [0092.147] lstrlenW (lpString="LICENSE") returned 7 [0092.147] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" [0092.147] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned 42 [0092.147] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\", lpString2="LICENSE" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\LICENSE") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\LICENSE" [0092.147] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\LICENSE" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\LICENSE") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\LICENSE" [0092.147] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\LICENSE", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\LICENSE id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\LICENSE id-Br3n0G72wUb8CejT.LyaS" [0092.147] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\LICENSE" (normalized: "c:\\program files\\java\\jre1.8.0_131\\license"), lpNewFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\LICENSE id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\java\\jre1.8.0_131\\license id-br3n0g72wub8cejt.lyas")) returned 1 [0092.149] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\LICENSE id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\java\\jre1.8.0_131\\license id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0092.149] CreateFileMappingA (hFile=0x45c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x42c [0092.149] CryptAcquireContextA (in: phProv=0x1295fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1295fce4*=0x5d19c0) returned 1 [0092.150] CryptGenKey (in: hProv=0x5d19c0, Algid=0x6610, dwFlags=0x1, phKey=0x1295fce0 | out: phKey=0x1295fce0*=0x108058c8) returned 1 [0092.150] CryptExportKey (in: hKey=0x108058c8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1295fbdc, pdwDataLen=0x1295fcdc | out: pbData=0x1295fbdc*, pdwDataLen=0x1295fcdc*=0x2c) returned 1 [0092.150] MapViewOfFile (hFileMappingObject=0x42c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x20) returned 0x64d0000 [0092.153] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1295fbdc*, pdwDataLen=0x1295fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1295fbdc*, pdwDataLen=0x1295fcf0*=0x100) returned 1 [0092.153] CryptEncrypt (in: hKey=0x108058c8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x64d0000*, pdwDataLen=0x1295fcdc*=0x20, dwBufLen=0x20 | out: pbData=0x64d0000*, pdwDataLen=0x1295fcdc*=0x20) returned 1 [0092.153] UnmapViewOfFile (lpBaseAddress=0x64d0000) returned 1 [0092.153] CloseHandle (hObject=0x42c) returned 1 [0092.153] CryptDestroyKey (hKey=0x108058c8) returned 1 [0092.153] CryptReleaseContext (hProv=0x5d19c0, dwFlags=0x0) returned 1 [0092.153] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.153] WriteFile (in: hFile=0x45c, lpBuffer=0x1295fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1295fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1295fbdc*, lpNumberOfBytesWritten=0x1295fcf0*=0x100, lpOverlapped=0x0) returned 1 [0092.154] WriteFile (in: hFile=0x45c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1295fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1295fcf0*=0x500, lpOverlapped=0x0) returned 1 [0092.170] CloseHandle (hObject=0x45c) returned 1 [0092.175] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\LICENSE id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0092.176] FindNextFileW (in: hFindFile=0x10805248, lpFindFileData=0x1295fd28 | out: lpFindFileData=0x1295fd28) returned 1 [0092.176] lstrcpyW (in: lpString1=0x3ec5e90, lpString2="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" [0092.176] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned 42 [0092.176] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\How To Restore Files.hta" [0092.176] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\How To Restore Files.hta" (normalized: "c:\\program files\\java\\jre1.8.0_131\\how to restore files.hta")) returned 0x1 [0092.176] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="README.txt") returned -1 [0092.176] lstrlenW (lpString="README.txt") returned 10 [0092.176] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" [0092.176] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned 42 [0092.176] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\", lpString2="README.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\README.txt") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\README.txt" [0092.176] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\README.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\README.txt") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\README.txt" [0092.176] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\README.txt", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\README.txt id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\README.txt id-Br3n0G72wUb8CejT.LyaS" [0092.176] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\README.txt" (normalized: "c:\\program files\\java\\jre1.8.0_131\\readme.txt"), lpNewFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\README.txt id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\java\\jre1.8.0_131\\readme.txt id-br3n0g72wub8cejt.lyas")) returned 1 [0092.177] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\README.txt id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\java\\jre1.8.0_131\\readme.txt id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0092.177] CreateFileMappingA (hFile=0x45c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x42c [0092.177] CryptAcquireContextA (in: phProv=0x1295fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1295fce4*=0x5d0bf0) returned 1 [0092.178] CryptGenKey (in: hProv=0x5d0bf0, Algid=0x6610, dwFlags=0x1, phKey=0x1295fce0 | out: phKey=0x1295fce0*=0x10804988) returned 1 [0092.178] CryptExportKey (in: hKey=0x10804988, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1295fbdc, pdwDataLen=0x1295fcdc | out: pbData=0x1295fbdc*, pdwDataLen=0x1295fcdc*=0x2c) returned 1 [0092.178] MapViewOfFile (hFileMappingObject=0x42c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x20) returned 0x64e0000 [0092.182] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1295fbdc*, pdwDataLen=0x1295fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1295fbdc*, pdwDataLen=0x1295fcf0*=0x100) returned 1 [0092.182] CryptEncrypt (in: hKey=0x10804988, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x64e0000*, pdwDataLen=0x1295fcdc*=0x20, dwBufLen=0x20 | out: pbData=0x64e0000*, pdwDataLen=0x1295fcdc*=0x20) returned 1 [0092.182] UnmapViewOfFile (lpBaseAddress=0x64e0000) returned 1 [0092.182] CloseHandle (hObject=0x42c) returned 1 [0092.183] CryptDestroyKey (hKey=0x10804988) returned 1 [0092.183] CryptReleaseContext (hProv=0x5d0bf0, dwFlags=0x0) returned 1 [0092.183] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.183] WriteFile (in: hFile=0x45c, lpBuffer=0x1295fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1295fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1295fbdc*, lpNumberOfBytesWritten=0x1295fcf0*=0x100, lpOverlapped=0x0) returned 1 [0092.184] WriteFile (in: hFile=0x45c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1295fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1295fcf0*=0x500, lpOverlapped=0x0) returned 1 [0092.186] CloseHandle (hObject=0x45c) returned 1 [0092.201] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\README.txt id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0092.202] FindNextFileW (in: hFindFile=0x10805248, lpFindFileData=0x1295fd28 | out: lpFindFileData=0x1295fd28) returned 1 [0092.202] lstrcpyW (in: lpString1=0x3ec5e90, lpString2="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" [0092.202] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned 42 [0092.202] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\How To Restore Files.hta" [0092.202] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\How To Restore Files.hta" (normalized: "c:\\program files\\java\\jre1.8.0_131\\how to restore files.hta")) returned 0x1 [0092.202] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="release") returned -1 [0092.202] lstrlenW (lpString="release") returned 7 [0092.202] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" [0092.202] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned 42 [0092.202] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\", lpString2="release" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\release") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\release" [0092.202] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\release" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\release") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\release" [0092.202] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\release", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\release id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\release id-Br3n0G72wUb8CejT.LyaS" [0092.203] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\release" (normalized: "c:\\program files\\java\\jre1.8.0_131\\release"), lpNewFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\release id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\java\\jre1.8.0_131\\release id-br3n0g72wub8cejt.lyas")) returned 1 [0092.204] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\release id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\java\\jre1.8.0_131\\release id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0092.205] CreateFileMappingA (hFile=0x45c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x42c [0092.205] CryptAcquireContextA (in: phProv=0x1295fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1295fce4*=0x5d0bf0) returned 1 [0092.205] CryptGenKey (in: hProv=0x5d0bf0, Algid=0x6610, dwFlags=0x1, phKey=0x1295fce0 | out: phKey=0x1295fce0*=0x10804f08) returned 1 [0092.205] CryptExportKey (in: hKey=0x10804f08, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1295fbdc, pdwDataLen=0x1295fcdc | out: pbData=0x1295fbdc*, pdwDataLen=0x1295fcdc*=0x2c) returned 1 [0092.205] MapViewOfFile (hFileMappingObject=0x42c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x200) returned 0x64e0000 [0092.208] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1295fbdc*, pdwDataLen=0x1295fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1295fbdc*, pdwDataLen=0x1295fcf0*=0x100) returned 1 [0092.208] CryptEncrypt (in: hKey=0x10804f08, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x64e0000*, pdwDataLen=0x1295fcdc*=0x200, dwBufLen=0x200 | out: pbData=0x64e0000*, pdwDataLen=0x1295fcdc*=0x200) returned 1 [0092.208] UnmapViewOfFile (lpBaseAddress=0x64e0000) returned 1 [0092.208] CloseHandle (hObject=0x42c) returned 1 [0092.208] CryptDestroyKey (hKey=0x10804f08) returned 1 [0092.208] CryptReleaseContext (hProv=0x5d0bf0, dwFlags=0x0) returned 1 [0092.208] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.208] WriteFile (in: hFile=0x45c, lpBuffer=0x1295fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1295fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1295fbdc*, lpNumberOfBytesWritten=0x1295fcf0*=0x100, lpOverlapped=0x0) returned 1 [0093.300] WriteFile (in: hFile=0x45c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1295fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1295fcf0*=0x500, lpOverlapped=0x0) returned 1 [0093.300] CloseHandle (hObject=0x45c) returned 1 [0093.302] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\release id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0093.303] FindNextFileW (in: hFindFile=0x10805248, lpFindFileData=0x1295fd28 | out: lpFindFileData=0x1295fd28) returned 1 [0094.058] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" [0094.058] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned 42 [0094.058] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\How To Restore Files.hta" [0094.058] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\How To Restore Files.hta" (normalized: "c:\\program files\\java\\jre1.8.0_131\\how to restore files.hta")) returned 0x1 [0094.058] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="THIRDPARTYLICENSEREADME-JAVAFX.txt") returned -1 [0094.058] lstrlenW (lpString="THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 34 [0094.058] lstrcmpiW (lpString1=".LyaS", lpString2="X.txt") returned -1 [0094.058] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" [0094.058] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned 42 [0094.058] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\", lpString2="THIRDPARTYLICENSEREADME-JAVAFX.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME-JAVAFX.txt" [0094.058] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME-JAVAFX.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME-JAVAFX.txt" [0094.058] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME-JAVAFX.txt", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME-JAVAFX.txt id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME-JAVAFX.txt id-Br3n0G72wUb8CejT.LyaS" [0094.058] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME-JAVAFX.txt" (normalized: "c:\\program files\\java\\jre1.8.0_131\\thirdpartylicensereadme-javafx.txt"), lpNewFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME-JAVAFX.txt id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\java\\jre1.8.0_131\\thirdpartylicensereadme-javafx.txt id-br3n0g72wub8cejt.lyas")) returned 1 [0094.503] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME-JAVAFX.txt id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\java\\jre1.8.0_131\\thirdpartylicensereadme-javafx.txt id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e4 [0094.504] CreateFileMappingA (hFile=0x4e4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x33c [0094.504] CryptAcquireContextA (in: phProv=0x1295fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1295fce4*=0x1083d388) returned 1 [0095.667] CryptGenKey (in: hProv=0x1083d388, Algid=0x6610, dwFlags=0x1, phKey=0x1295fce0 | out: phKey=0x1295fce0*=0x5c8f10) returned 1 [0095.667] CryptExportKey (in: hKey=0x5c8f10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1295fbdc, pdwDataLen=0x1295fcdc | out: pbData=0x1295fbdc*, pdwDataLen=0x1295fcdc*=0x2c) returned 1 [0095.667] MapViewOfFile (hFileMappingObject=0x33c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf9a0) returned 0x4de0000 [0095.722] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1295fbdc*, pdwDataLen=0x1295fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1295fbdc*, pdwDataLen=0x1295fcf0*=0x100) returned 1 [0095.722] CryptEncrypt (in: hKey=0x5c8f10, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4de0000, pdwDataLen=0x1295fcdc*=0xf9a0, dwBufLen=0xf9a0 | out: pbData=0x4de0000*, pdwDataLen=0x1295fcdc*=0xf9a0) returned 1 [0095.726] UnmapViewOfFile (lpBaseAddress=0x4de0000) returned 1 [0095.727] CloseHandle (hObject=0x33c) returned 1 [0095.727] CryptDestroyKey (hKey=0x5c8f10) returned 1 [0095.727] CryptReleaseContext (hProv=0x1083d388, dwFlags=0x0) returned 1 [0095.727] SetFilePointerEx (in: hFile=0x4e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.728] WriteFile (in: hFile=0x4e4, lpBuffer=0x1295fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1295fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1295fbdc*, lpNumberOfBytesWritten=0x1295fcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.766] WriteFile (in: hFile=0x4e4, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1295fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1295fcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.767] CloseHandle (hObject=0x4e4) returned 1 [0095.795] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME-JAVAFX.txt id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0095.796] FindNextFileW (in: hFindFile=0x10805248, lpFindFileData=0x1295fd28 | out: lpFindFileData=0x1295fd28) returned 1 [0095.796] lstrcpyW (in: lpString1=0x210885a8, lpString2="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" [0095.796] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned 42 [0095.796] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\How To Restore Files.hta" [0095.796] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\How To Restore Files.hta" (normalized: "c:\\program files\\java\\jre1.8.0_131\\how to restore files.hta")) returned 0x1 [0095.796] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="THIRDPARTYLICENSEREADME.txt") returned -1 [0095.796] lstrlenW (lpString="THIRDPARTYLICENSEREADME.txt") returned 27 [0095.796] lstrcmpiW (lpString1=".LyaS", lpString2="E.txt") returned -1 [0095.796] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*" [0095.796] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\*.*") returned 42 [0095.796] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\", lpString2="THIRDPARTYLICENSEREADME.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME.txt") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME.txt" [0095.797] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME.txt") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME.txt" [0095.797] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME.txt", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME.txt id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME.txt id-Br3n0G72wUb8CejT.LyaS" [0095.797] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME.txt" (normalized: "c:\\program files\\java\\jre1.8.0_131\\thirdpartylicensereadme.txt"), lpNewFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME.txt id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\java\\jre1.8.0_131\\thirdpartylicensereadme.txt id-br3n0g72wub8cejt.lyas")) returned 1 [0095.798] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\THIRDPARTYLICENSEREADME.txt id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\java\\jre1.8.0_131\\thirdpartylicensereadme.txt id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e4 [0095.798] CreateFileMappingA (hFile=0x4e4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x460 [0095.798] CryptAcquireContextA (in: phProv=0x1295fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1295fce4*=0x1083d300) returned 1 [0095.799] CryptGenKey (in: hProv=0x1083d300, Algid=0x6610, dwFlags=0x1, phKey=0x1295fce0 | out: phKey=0x1295fce0*=0x5c8910) returned 1 [0095.799] CryptExportKey (in: hKey=0x5c8910, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1295fbdc, pdwDataLen=0x1295fcdc | out: pbData=0x1295fbdc*, pdwDataLen=0x1295fcdc*=0x2c) returned 1 [0095.799] MapViewOfFile (hFileMappingObject=0x460, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2b3c0) returned 0x28cc0000 [0098.936] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1295fbdc*, pdwDataLen=0x1295fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1295fbdc*, pdwDataLen=0x1295fcf0*=0x100) returned 1 [0098.936] CryptEncrypt (hKey=0x5c8910, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x28cc0000, pdwDataLen=0x1295fcdc*=0x2b3c0, dwBufLen=0x2b3c0) Thread: id = 251 os_tid = 0x8a8 [0091.746] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\*.*", lpFindFileData=0x12b9fd28 | out: lpFindFileData=0x12b9fd28) returned 0x108052c8 [0091.746] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.746] FindNextFileW (in: hFindFile=0x108052c8, lpFindFileData=0x12b9fd28 | out: lpFindFileData=0x12b9fd28) returned 1 [0091.746] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.746] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.746] FindNextFileW (in: hFindFile=0x108052c8, lpFindFileData=0x12b9fd28 | out: lpFindFileData=0x12b9fd28) returned 1 [0091.746] lstrcpyW (in: lpString1=0x3f20868, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\*.*" [0091.746] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\*.*") returned 49 [0091.746] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\How To Restore Files.hta" [0091.746] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\How To Restore Files.hta" (normalized: "c:\\program files\\internet explorer\\images\\how to restore files.hta")) returned 0xffffffff [0091.747] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\How To Restore Files.hta" (normalized: "c:\\program files\\internet explorer\\images\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x428 [0093.268] WriteFile (in: hFile=0x428, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x12b9fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x12b9fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0093.269] CloseHandle (hObject=0x428) returned 1 [0093.269] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.150] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="bing.ico") returned 1 [0094.150] lstrlenW (lpString="bing.ico") returned 8 [0094.150] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\*.*" [0094.150] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\*.*") returned 49 [0094.150] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\", lpString2="bing.ico" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\bing.ico") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\bing.ico" [0094.151] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\bing.ico" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\bing.ico") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\bing.ico" [0094.151] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\bing.ico", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\bing.ico id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\bing.ico id-Br3n0G72wUb8CejT.LyaS" [0094.151] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\bing.ico" (normalized: "c:\\program files\\internet explorer\\images\\bing.ico"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\images\\bing.ico id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\internet explorer\\images\\bing.ico id-br3n0g72wub8cejt.lyas")) returned 0 [0094.151] FindNextFileW (in: hFindFile=0x108052c8, lpFindFileData=0x12b9fd28 | out: lpFindFileData=0x12b9fd28) returned 0 [0094.151] FindClose (in: hFindFile=0x108052c8 | out: hFindFile=0x108052c8) returned 1 Thread: id = 252 os_tid = 0x7d0 [0091.747] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*.*", lpFindFileData=0x12cdfd28 | out: lpFindFileData=0x12cdfd28) returned 0x10805308 [0091.748] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.748] FindNextFileW (in: hFindFile=0x10805308, lpFindFileData=0x12cdfd28 | out: lpFindFileData=0x12cdfd28) returned 1 [0091.748] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.748] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.748] FindNextFileW (in: hFindFile=0x10805308, lpFindFileData=0x12cdfd28 | out: lpFindFileData=0x12cdfd28) returned 1 [0091.748] lstrcpyW (in: lpString1=0x3f28870, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*.*" [0091.748] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*.*") returned 49 [0091.748] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\How To Restore Files.hta" [0091.748] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\How To Restore Files.hta" (normalized: "c:\\program files\\internet explorer\\signup\\how to restore files.hta")) returned 0xffffffff [0091.748] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\How To Restore Files.hta" (normalized: "c:\\program files\\internet explorer\\signup\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x428 [0093.270] WriteFile (in: hFile=0x428, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x12cdfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x12cdfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0093.270] CloseHandle (hObject=0x428) returned 1 [0093.271] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.149] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="install.ins") returned -1 [0094.149] lstrlenW (lpString="install.ins") returned 11 [0094.149] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*.*" [0094.149] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*.*") returned 49 [0094.149] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\", lpString2="install.ins" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins" [0094.149] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins" [0094.149] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins id-Br3n0G72wUb8CejT.LyaS" [0094.149] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins id-br3n0g72wub8cejt.lyas")) returned 1 [0095.698] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x460 [0095.698] CreateFileMappingA (hFile=0x460, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x458 [0095.698] CryptAcquireContextA (in: phProv=0x12cdfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x12cdfce4*=0x1083d520) returned 1 [0095.699] CryptGenKey (in: hProv=0x1083d520, Algid=0x6610, dwFlags=0x1, phKey=0x12cdfce0 | out: phKey=0x12cdfce0*=0x5c8910) returned 1 [0095.699] CryptExportKey (in: hKey=0x5c8910, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x12cdfbdc, pdwDataLen=0x12cdfcdc | out: pbData=0x12cdfbdc*, pdwDataLen=0x12cdfcdc*=0x2c) returned 1 [0095.699] MapViewOfFile (hFileMappingObject=0x458, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1c0) returned 0x4dd0000 [0095.715] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x12cdfbdc*, pdwDataLen=0x12cdfcf0*=0x40, dwBufLen=0x100 | out: pbData=0x12cdfbdc*, pdwDataLen=0x12cdfcf0*=0x100) returned 1 [0095.716] CryptEncrypt (in: hKey=0x5c8910, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4dd0000*, pdwDataLen=0x12cdfcdc*=0x1c0, dwBufLen=0x1c0 | out: pbData=0x4dd0000*, pdwDataLen=0x12cdfcdc*=0x1c0) returned 1 [0095.716] UnmapViewOfFile (lpBaseAddress=0x4dd0000) returned 1 [0095.717] CloseHandle (hObject=0x458) returned 1 [0095.717] CryptDestroyKey (hKey=0x5c8910) returned 1 [0095.717] CryptReleaseContext (hProv=0x1083d520, dwFlags=0x0) returned 1 [0095.717] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.717] WriteFile (in: hFile=0x460, lpBuffer=0x12cdfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x12cdfcf0, lpOverlapped=0x0 | out: lpBuffer=0x12cdfbdc*, lpNumberOfBytesWritten=0x12cdfcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.769] WriteFile (in: hFile=0x460, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x12cdfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x12cdfcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.769] CloseHandle (hObject=0x460) returned 1 [0095.780] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0096.628] FindNextFileW (in: hFindFile=0x10805308, lpFindFileData=0x12cdfd28 | out: lpFindFileData=0x12cdfd28) returned 0 [0096.628] FindClose (in: hFindFile=0x10805308 | out: hFindFile=0x10805308) returned 1 Thread: id = 253 os_tid = 0x7d4 [0091.749] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\*.*", lpFindFileData=0x12e1fd28 | out: lpFindFileData=0x12e1fd28) returned 0x10805548 [0091.749] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.749] FindNextFileW (in: hFindFile=0x10805548, lpFindFileData=0x12e1fd28 | out: lpFindFileData=0x12e1fd28) returned 1 [0091.749] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.749] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.749] FindNextFileW (in: hFindFile=0x10805548, lpFindFileData=0x12e1fd28 | out: lpFindFileData=0x12e1fd28) returned 1 [0091.750] lstrcmpW (lpString1=".", lpString2="Windows Workflow Foundation") returned -1 [0091.750] lstrcmpW (lpString1="..", lpString2="Windows Workflow Foundation") returned -1 [0091.750] lstrcmpiW (lpString1="windows", lpString2="Windows Workflow Foundation") returned -1 [0091.750] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\*.*" [0091.750] lstrlenW (lpString="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\*.*") returned 42 [0091.750] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\", lpString2="Windows Workflow Foundation" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation" [0091.750] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*" [0091.750] GlobalMemoryStatus (in: lpBuffer=0x12e1fd08 | out: lpBuffer=0x12e1fd08) [0091.750] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x106683f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x450 [0091.750] CloseHandle (hObject=0x450) returned 1 [0091.750] FindNextFileW (in: hFindFile=0x10805548, lpFindFileData=0x12e1fd28 | out: lpFindFileData=0x12e1fd28) returned 0 [0091.751] FindClose (in: hFindFile=0x10805548 | out: hFindFile=0x10805548) returned 1 Thread: id = 254 os_tid = 0x7d8 [0091.751] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\*.*", lpFindFileData=0x12f5fd28 | out: lpFindFileData=0x12f5fd28) returned 0x10804e48 [0092.360] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.361] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0x12f5fd28 | out: lpFindFileData=0x12f5fd28) returned 1 [0092.361] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.361] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.361] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0x12f5fd28 | out: lpFindFileData=0x12f5fd28) returned 1 [0092.361] lstrcmpW (lpString1=".", lpString2="Local") returned -1 [0092.361] lstrcmpW (lpString1="..", lpString2="Local") returned -1 [0092.361] lstrcmpiW (lpString1="windows", lpString2="Local") returned 1 [0092.361] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\*.*" [0092.361] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\*.*") returned 32 [0092.361] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\", lpString2="Local" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local" [0092.361] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" [0092.361] GlobalMemoryStatus (in: lpBuffer=0x12f5fd08 | out: lpBuffer=0x12f5fd08) [0092.361] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10bc1680, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4d8 [0092.362] CloseHandle (hObject=0x4d8) returned 1 [0092.362] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0x12f5fd28 | out: lpFindFileData=0x12f5fd28) returned 1 [0092.362] lstrcmpW (lpString1=".", lpString2="Roaming") returned -1 [0092.362] lstrcmpW (lpString1="..", lpString2="Roaming") returned -1 [0092.362] lstrcmpiW (lpString1="windows", lpString2="Roaming") returned 1 [0092.362] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\*.*" [0092.362] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\*.*") returned 32 [0092.362] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\", lpString2="Roaming" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming" [0092.362] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*.*" [0092.362] GlobalMemoryStatus (in: lpBuffer=0x12f5fd08 | out: lpBuffer=0x12f5fd08) [0092.362] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3dd82c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4d8 [0092.363] CloseHandle (hObject=0x4d8) returned 1 [0092.363] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0x12f5fd28 | out: lpFindFileData=0x12f5fd28) returned 0 [0092.363] FindClose (in: hFindFile=0x10804e48 | out: hFindFile=0x10804e48) returned 1 Thread: id = 255 os_tid = 0x93c [0091.752] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Application Data\\*.*", lpFindFileData=0x1309fd28 | out: lpFindFileData=0x1309fd28) returned 0xffffffff Thread: id = 256 os_tid = 0x940 [0091.752] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Cookies\\*.*", lpFindFileData=0x131dfd28 | out: lpFindFileData=0x131dfd28) returned 0xffffffff Thread: id = 257 os_tid = 0x934 [0091.752] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\*.*", lpFindFileData=0x1331fd28 | out: lpFindFileData=0x1331fd28) returned 0x10804d48 [0092.234] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.235] FindNextFileW (in: hFindFile=0x10804d48, lpFindFileData=0x1331fd28 | out: lpFindFileData=0x1331fd28) returned 1 [0092.235] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.235] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.235] FindNextFileW (in: hFindFile=0x10804d48, lpFindFileData=0x1331fd28 | out: lpFindFileData=0x1331fd28) returned 0 [0092.235] FindClose (in: hFindFile=0x10804d48 | out: hFindFile=0x10804d48) returned 1 Thread: id = 258 os_tid = 0xa2c [0091.752] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\*.*", lpFindFileData=0x1345fd28 | out: lpFindFileData=0x1345fd28) returned 0x2c9e908 [0093.372] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.372] FindNextFileW (in: hFindFile=0x2c9e908, lpFindFileData=0x1345fd28 | out: lpFindFileData=0x1345fd28) returned 1 [0093.372] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.372] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.372] FindNextFileW (in: hFindFile=0x2c9e908, lpFindFileData=0x1345fd28 | out: lpFindFileData=0x1345fd28) returned 1 [0093.372] lstrcmpW (lpString1=".", lpString2="My Music") returned -1 [0093.372] lstrcmpW (lpString1="..", lpString2="My Music") returned -1 [0093.373] lstrcmpiW (lpString1="windows", lpString2="My Music") returned 1 [0094.040] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\*.*") returned="\\\\?\\C:\\Users\\Default\\Documents\\*.*" [0094.041] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Documents\\*.*") returned 34 [0094.041] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\", lpString2="My Music" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Music") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Music" [0094.041] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Music", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Music\\*.*") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Music\\*.*" [0094.041] GlobalMemoryStatus (in: lpBuffer=0x1345fd08 | out: lpBuffer=0x1345fd08) [0094.041] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8ee9c58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4e4 [0094.042] CloseHandle (hObject=0x4e4) returned 1 [0094.042] FindNextFileW (in: hFindFile=0x2c9e908, lpFindFileData=0x1345fd28 | out: lpFindFileData=0x1345fd28) returned 1 [0094.042] lstrcmpW (lpString1=".", lpString2="My Pictures") returned -1 [0094.043] lstrcmpW (lpString1="..", lpString2="My Pictures") returned -1 [0094.043] lstrcmpiW (lpString1="windows", lpString2="My Pictures") returned 1 [0094.048] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\*.*") returned="\\\\?\\C:\\Users\\Default\\Documents\\*.*" [0094.048] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Documents\\*.*") returned 34 [0094.048] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\", lpString2="My Pictures" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures" [0094.048] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures\\*.*") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures\\*.*" [0094.048] GlobalMemoryStatus (in: lpBuffer=0x1345fd08 | out: lpBuffer=0x1345fd08) [0094.048] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x213791a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4e4 [0094.049] CloseHandle (hObject=0x4e4) returned 1 [0094.049] FindNextFileW (in: hFindFile=0x2c9e908, lpFindFileData=0x1345fd28 | out: lpFindFileData=0x1345fd28) returned 1 [0094.049] lstrcmpW (lpString1=".", lpString2="My Videos") returned -1 [0094.049] lstrcmpW (lpString1="..", lpString2="My Videos") returned -1 [0094.049] lstrcmpiW (lpString1="windows", lpString2="My Videos") returned 1 [0094.054] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\*.*") returned="\\\\?\\C:\\Users\\Default\\Documents\\*.*" [0094.054] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Documents\\*.*") returned 34 [0094.054] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\", lpString2="My Videos" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Videos") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Videos" [0094.054] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Videos", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Videos\\*.*") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Videos\\*.*" [0094.054] GlobalMemoryStatus (in: lpBuffer=0x1345fd08 | out: lpBuffer=0x1345fd08) [0094.054] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21391210, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4e4 [0094.055] CloseHandle (hObject=0x4e4) returned 1 [0094.055] FindNextFileW (in: hFindFile=0x2c9e908, lpFindFileData=0x1345fd28 | out: lpFindFileData=0x1345fd28) returned 0 [0094.055] FindClose (in: hFindFile=0x2c9e908 | out: hFindFile=0x2c9e908) returned 1 Thread: id = 259 os_tid = 0xab0 [0091.754] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\*.*", lpFindFileData=0x1359fd28 | out: lpFindFileData=0x1359fd28) returned 0x10804e48 [0092.305] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.305] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0x1359fd28 | out: lpFindFileData=0x1359fd28) returned 1 [0092.305] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.305] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.305] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0x1359fd28 | out: lpFindFileData=0x1359fd28) returned 0 [0092.305] FindClose (in: hFindFile=0x10804e48 | out: hFindFile=0x10804e48) returned 1 Thread: id = 260 os_tid = 0x938 [0091.754] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\*.*", lpFindFileData=0x136dfd28 | out: lpFindFileData=0x136dfd28) returned 0x10804e48 [0092.305] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.305] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0x136dfd28 | out: lpFindFileData=0x136dfd28) returned 1 [0092.305] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.305] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.305] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0x136dfd28 | out: lpFindFileData=0x136dfd28) returned 0 [0092.305] FindClose (in: hFindFile=0x10804e48 | out: hFindFile=0x10804e48) returned 1 Thread: id = 261 os_tid = 0xc3c [0091.782] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Links\\*.*", lpFindFileData=0x1381fd28 | out: lpFindFileData=0x1381fd28) returned 0x10804e48 [0092.304] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.304] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0x1381fd28 | out: lpFindFileData=0x1381fd28) returned 1 [0092.304] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.304] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.304] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0x1381fd28 | out: lpFindFileData=0x1381fd28) returned 0 [0092.304] FindClose (in: hFindFile=0x10804e48 | out: hFindFile=0x10804e48) returned 1 Thread: id = 262 os_tid = 0xb7c [0091.782] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Local Settings\\*.*", lpFindFileData=0x1395fd28 | out: lpFindFileData=0x1395fd28) returned 0xffffffff Thread: id = 263 os_tid = 0xf50 [0091.782] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Music\\*.*", lpFindFileData=0x13a9fd28 | out: lpFindFileData=0x13a9fd28) returned 0x10804e48 [0092.363] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.364] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0x13a9fd28 | out: lpFindFileData=0x13a9fd28) returned 1 [0092.364] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.364] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.364] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0x13a9fd28 | out: lpFindFileData=0x13a9fd28) returned 0 [0092.364] FindClose (in: hFindFile=0x10804e48 | out: hFindFile=0x10804e48) returned 1 Thread: id = 264 os_tid = 0xf14 [0091.783] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\My Documents\\*.*", lpFindFileData=0x13bdfd28 | out: lpFindFileData=0x13bdfd28) returned 0xffffffff Thread: id = 265 os_tid = 0xf0c [0091.783] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\NetHood\\*.*", lpFindFileData=0x13d1fd28 | out: lpFindFileData=0x13d1fd28) returned 0xffffffff Thread: id = 266 os_tid = 0xf1c [0091.785] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\*.*", lpFindFileData=0x13e5fd28 | out: lpFindFileData=0x13e5fd28) returned 0x10805348 [0091.785] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.785] FindNextFileW (in: hFindFile=0x10805348, lpFindFileData=0x13e5fd28 | out: lpFindFileData=0x13e5fd28) returned 1 [0091.785] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.785] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.785] FindNextFileW (in: hFindFile=0x10805348, lpFindFileData=0x13e5fd28 | out: lpFindFileData=0x13e5fd28) returned 1 [0091.785] lstrcpyW (in: lpString1=0x5b30738, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\*.*" [0091.785] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\*.*") returned 54 [0091.785] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\How To Restore Files.hta" [0091.785] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\How To Restore Files.hta" (normalized: "c:\\program files\\microsoft office 15\\clientx64\\how to restore files.hta")) returned 0xffffffff [0091.785] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\How To Restore Files.hta" (normalized: "c:\\program files\\microsoft office 15\\clientx64\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b0 [0092.070] WriteFile (in: hFile=0x4b0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x13e5fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x13e5fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0092.070] CloseHandle (hObject=0x4b0) returned 1 [0092.071] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0092.071] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="IntegratedOffice.exe") returned -1 [0092.071] lstrlenW (lpString="IntegratedOffice.exe") returned 20 [0092.071] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\*.*" [0092.071] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\*.*") returned 54 [0092.071] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\", lpString2="IntegratedOffice.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\IntegratedOffice.exe") returned="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\IntegratedOffice.exe" [0092.071] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\IntegratedOffice.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\IntegratedOffice.exe") returned="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\IntegratedOffice.exe" [0092.071] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\IntegratedOffice.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\IntegratedOffice.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\IntegratedOffice.exe id-Br3n0G72wUb8CejT.LyaS" [0092.071] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\IntegratedOffice.exe" (normalized: "c:\\program files\\microsoft office 15\\clientx64\\integratedoffice.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\IntegratedOffice.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\microsoft office 15\\clientx64\\integratedoffice.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0092.072] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office 15\\ClientX64\\IntegratedOffice.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\microsoft office 15\\clientx64\\integratedoffice.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b0 [0092.072] CreateFileMappingA (hFile=0x4b0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4b4 [0092.073] CryptAcquireContextA (in: phProv=0x13e5fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x13e5fce4*=0x5d1ad0) returned 1 [0092.073] CryptGenKey (in: hProv=0x5d1ad0, Algid=0x6610, dwFlags=0x1, phKey=0x13e5fce0 | out: phKey=0x13e5fce0*=0x10804b08) returned 1 [0092.073] CryptExportKey (in: hKey=0x10804b08, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x13e5fbdc, pdwDataLen=0x13e5fcdc | out: pbData=0x13e5fbdc*, pdwDataLen=0x13e5fcdc*=0x2c) returned 1 [0092.073] MapViewOfFile (hFileMappingObject=0x4b4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x63d0000 [0093.279] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x13e5fbdc*, pdwDataLen=0x13e5fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x13e5fbdc*, pdwDataLen=0x13e5fcf0*=0x100) returned 1 [0093.279] CryptEncrypt (in: hKey=0x10804b08, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x63d0000, pdwDataLen=0x13e5fcdc*=0x100000, dwBufLen=0x100000 | out: pbData=0x63d0000*, pdwDataLen=0x13e5fcdc*=0x100000) returned 1 [0094.191] UnmapViewOfFile (lpBaseAddress=0x63d0000) returned 1 [0094.201] CloseHandle (hObject=0x4b4) returned 1 [0094.201] CryptDestroyKey (hKey=0x10804b08) returned 1 [0094.201] CryptReleaseContext (hProv=0x5d1ad0, dwFlags=0x0) returned 1 [0094.201] SetFilePointerEx (in: hFile=0x4b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.201] WriteFile (in: hFile=0x4b0, lpBuffer=0x13e5fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x13e5fcf0, lpOverlapped=0x0 | out: lpBuffer=0x13e5fbdc*, lpNumberOfBytesWritten=0x13e5fcf0*=0x100, lpOverlapped=0x0) returned 1 [0096.219] WriteFile (in: hFile=0x4b0, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x13e5fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x13e5fcf0*=0x500, lpOverlapped=0x0) returned 1 [0096.219] CloseHandle (hObject=0x4b0) Thread: id = 267 os_tid = 0xf24 [0091.786] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\*.*", lpFindFileData=0x13f5fd28 | out: lpFindFileData=0x13f5fd28) returned 0x10805388 [0091.786] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.786] FindNextFileW (in: hFindFile=0x10805388, lpFindFileData=0x13f5fd28 | out: lpFindFileData=0x13f5fd28) returned 1 [0091.786] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.787] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.787] FindNextFileW (in: hFindFile=0x10805388, lpFindFileData=0x13f5fd28 | out: lpFindFileData=0x13f5fd28) returned 1 [0091.787] lstrcmpW (lpString1=".", lpString2="Framework") returned -1 [0091.787] lstrcmpW (lpString1="..", lpString2="Framework") returned -1 [0091.787] lstrcmpiW (lpString1="windows", lpString2="Framework") returned 1 [0091.787] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\*.*" [0091.787] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\*.*") returned 55 [0091.787] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\", lpString2="Framework" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework" [0091.787] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\*.*" [0091.787] GlobalMemoryStatus (in: lpBuffer=0x13f5fd08 | out: lpBuffer=0x13f5fd08) [0091.787] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8cd13c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x450 [0091.788] CloseHandle (hObject=0x450) returned 1 [0091.788] FindNextFileW (in: hFindFile=0x10805388, lpFindFileData=0x13f5fd28 | out: lpFindFileData=0x13f5fd28) returned 0 [0091.788] FindClose (in: hFindFile=0x10805388 | out: hFindFile=0x10805388) returned 1 Thread: id = 268 os_tid = 0xf38 [0091.799] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\AccountPictures\\*.*", lpFindFileData=0x1405fd28 | out: lpFindFileData=0x1405fd28) returned 0x10804ec8 [0092.372] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.372] FindNextFileW (in: hFindFile=0x10804ec8, lpFindFileData=0x1405fd28 | out: lpFindFileData=0x1405fd28) returned 1 [0092.372] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.372] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.372] FindNextFileW (in: hFindFile=0x10804ec8, lpFindFileData=0x1405fd28 | out: lpFindFileData=0x1405fd28) returned 1 [0092.372] lstrcpyW (in: lpString1=0x5b30738, lpString2="\\\\?\\C:\\Users\\Public\\AccountPictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\AccountPictures\\*.*") returned="\\\\?\\C:\\Users\\Public\\AccountPictures\\*.*" [0092.372] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\AccountPictures\\*.*") returned 39 [0092.372] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\AccountPictures\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\Public\\AccountPictures\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\Public\\AccountPictures\\How To Restore Files.hta" [0092.372] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\AccountPictures\\How To Restore Files.hta" (normalized: "c:\\users\\public\\accountpictures\\how to restore files.hta")) returned 0xffffffff [0092.372] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\AccountPictures\\How To Restore Files.hta" (normalized: "c:\\users\\public\\accountpictures\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4ac [0094.548] WriteFile (in: hFile=0x4ac, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1405fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1405fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.549] CloseHandle (hObject=0x4ac) returned 1 [0094.549] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\AccountPictures\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0095.176] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="desktop.ini") returned 1 [0095.176] lstrlenW (lpString="desktop.ini") returned 11 [0095.176] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\AccountPictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\AccountPictures\\*.*") returned="\\\\?\\C:\\Users\\Public\\AccountPictures\\*.*" [0095.176] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\AccountPictures\\*.*") returned 39 [0095.176] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\AccountPictures\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\AccountPictures\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\AccountPictures\\desktop.ini" [0095.176] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\AccountPictures\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\AccountPictures\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\AccountPictures\\desktop.ini" [0095.176] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\AccountPictures\\desktop.ini", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\Public\\AccountPictures\\desktop.ini id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\Public\\AccountPictures\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" [0095.176] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\AccountPictures\\desktop.ini" (normalized: "c:\\users\\public\\accountpictures\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\AccountPictures\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\public\\accountpictures\\desktop.ini id-br3n0g72wub8cejt.lyas")) returned 1 [0095.177] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\AccountPictures\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\public\\accountpictures\\desktop.ini id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0095.178] CreateFileMappingA (hFile=0x320, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0095.178] CryptAcquireContextA (in: phProv=0x1405fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1405fce4*=0x1083cb08) returned 1 [0095.178] CryptGenKey (in: hProv=0x1083cb08, Algid=0x6610, dwFlags=0x1, phKey=0x1405fce0 | out: phKey=0x1405fce0*=0x5c8e10) returned 1 [0095.178] CryptExportKey (in: hKey=0x5c8e10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1405fbdc, pdwDataLen=0x1405fcdc | out: pbData=0x1405fbdc*, pdwDataLen=0x1405fcdc*=0x2c) returned 1 [0095.178] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc0) returned 0x4dc0000 [0095.184] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1405fbdc*, pdwDataLen=0x1405fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1405fbdc*, pdwDataLen=0x1405fcf0*=0x100) returned 1 [0095.185] CryptEncrypt (in: hKey=0x5c8e10, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4dc0000*, pdwDataLen=0x1405fcdc*=0xc0, dwBufLen=0xc0 | out: pbData=0x4dc0000*, pdwDataLen=0x1405fcdc*=0xc0) returned 1 [0095.185] UnmapViewOfFile (lpBaseAddress=0x4dc0000) returned 1 [0095.185] CloseHandle (hObject=0x5b4) returned 1 [0095.185] CryptDestroyKey (hKey=0x5c8e10) returned 1 [0095.185] CryptReleaseContext (hProv=0x1083cb08, dwFlags=0x0) returned 1 [0095.185] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.185] WriteFile (in: hFile=0x320, lpBuffer=0x1405fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1405fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1405fbdc*, lpNumberOfBytesWritten=0x1405fcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.186] WriteFile (in: hFile=0x320, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1405fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1405fcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.189] CloseHandle (hObject=0x320) returned 1 [0095.195] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\AccountPictures\\desktop.ini id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0095.195] FindNextFileW (in: hFindFile=0x10804ec8, lpFindFileData=0x1405fd28 | out: lpFindFileData=0x1405fd28) returned 0 [0095.196] FindClose (in: hFindFile=0x10804ec8 | out: hFindFile=0x10804ec8) returned 1 Thread: id = 269 os_tid = 0xf20 [0091.799] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\*.*", lpFindFileData=0x1415fd28 | out: lpFindFileData=0x1415fd28) returned 0x10805388 [0091.799] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.799] FindNextFileW (in: hFindFile=0x10805388, lpFindFileData=0x1415fd28 | out: lpFindFileData=0x1415fd28) returned 1 [0091.800] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.800] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.800] FindNextFileW (in: hFindFile=0x10805388, lpFindFileData=0x1415fd28 | out: lpFindFileData=0x1415fd28) returned 1 [0091.800] lstrcpyW (in: lpString1=0x3df8330, lpString2="\\\\?\\C:\\Users\\Public\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\Public\\Desktop\\*.*" [0091.800] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Desktop\\*.*") returned 31 [0091.800] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\Public\\Desktop\\How To Restore Files.hta" [0091.800] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\How To Restore Files.hta" (normalized: "c:\\users\\public\\desktop\\how to restore files.hta")) returned 0xffffffff [0091.800] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\How To Restore Files.hta" (normalized: "c:\\users\\public\\desktop\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0092.235] WriteFile (in: hFile=0x42c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1415fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1415fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0092.236] CloseHandle (hObject=0x42c) returned 1 [0093.298] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.885] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Acrobat Reader DC.lnk") returned 1 [0094.885] lstrlenW (lpString="Acrobat Reader DC.lnk") returned 21 [0094.886] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\Public\\Desktop\\*.*" [0094.886] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Desktop\\*.*") returned 31 [0094.886] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\", lpString2="Acrobat Reader DC.lnk" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk") returned="\\\\?\\C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk" [0094.886] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk") returned="\\\\?\\C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk" [0094.886] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk id-Br3n0G72wUb8CejT.LyaS" [0094.886] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk" (normalized: "c:\\users\\public\\desktop\\acrobat reader dc.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\public\\desktop\\acrobat reader dc.lnk id-br3n0g72wub8cejt.lyas")) returned 1 [0096.302] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\public\\desktop\\acrobat reader dc.lnk id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0096.315] CreateFileMappingA (hFile=0x45c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x584 [0096.316] CryptAcquireContextA (in: phProv=0x1415fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1415fce4*=0x1083d410) returned 1 [0096.316] CryptGenKey (in: hProv=0x1083d410, Algid=0x6610, dwFlags=0x1, phKey=0x1415fce0 | out: phKey=0x1415fce0*=0x5c8750) returned 1 [0097.365] CryptExportKey (in: hKey=0x5c8750, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1415fbdc, pdwDataLen=0x1415fcdc | out: pbData=0x1415fbdc*, pdwDataLen=0x1415fcdc*=0x2c) returned 1 [0097.365] MapViewOfFile (hFileMappingObject=0x584, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x840) returned 0x31d0000 [0097.991] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1415fbdc*, pdwDataLen=0x1415fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1415fbdc*, pdwDataLen=0x1415fcf0*=0x100) returned 1 [0097.991] CryptEncrypt (in: hKey=0x5c8750, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x31d0000*, pdwDataLen=0x1415fcdc*=0x840, dwBufLen=0x840 | out: pbData=0x31d0000*, pdwDataLen=0x1415fcdc*=0x840) returned 1 [0097.991] UnmapViewOfFile (lpBaseAddress=0x31d0000) returned 1 [0097.991] CloseHandle (hObject=0x584) returned 1 [0097.991] CryptDestroyKey (hKey=0x5c8750) returned 1 [0097.991] CryptReleaseContext (hProv=0x1083d410, dwFlags=0x0) returned 1 [0097.992] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.992] WriteFile (in: hFile=0x45c, lpBuffer=0x1415fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1415fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1415fbdc*, lpNumberOfBytesWritten=0x1415fcf0*=0x100, lpOverlapped=0x0) returned 1 [0100.998] WriteFile (in: hFile=0x45c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1415fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1415fcf0*=0x500, lpOverlapped=0x0) returned 1 [0100.998] CloseHandle (hObject=0x45c) Thread: id = 270 os_tid = 0xf48 [0091.800] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*", lpFindFileData=0x1429fd28 | out: lpFindFileData=0x1429fd28) returned 0x10805408 [0091.800] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.800] FindNextFileW (in: hFindFile=0x10805408, lpFindFileData=0x1429fd28 | out: lpFindFileData=0x1429fd28) returned 1 [0091.800] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.800] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.800] FindNextFileW (in: hFindFile=0x10805408, lpFindFileData=0x1429fd28 | out: lpFindFileData=0x1429fd28) returned 1 [0091.800] lstrcpyW (in: lpString1=0x3e00338, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0091.800] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0091.800] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\How To Restore Files.hta" [0091.801] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\en-us\\how to restore files.hta")) returned 0xffffffff [0091.801] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\en-us\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0094.123] WriteFile (in: hFile=0x324, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1429fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1429fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.465] CloseHandle (hObject=0x324) returned 1 [0094.505] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0095.357] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="JNTFiltr.dll.mui") returned -1 [0095.357] lstrlenW (lpString="JNTFiltr.dll.mui") returned 16 [0095.357] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0095.357] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0095.357] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="JNTFiltr.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\JNTFiltr.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\JNTFiltr.dll.mui" [0095.357] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\JNTFiltr.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\JNTFiltr.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\JNTFiltr.dll.mui" [0095.357] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\JNTFiltr.dll.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\JNTFiltr.dll.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\JNTFiltr.dll.mui id-Br3n0G72wUb8CejT.LyaS" [0095.357] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\JNTFiltr.dll.mui" (normalized: "c:\\program files\\windows journal\\en-us\\jntfiltr.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\JNTFiltr.dll.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\en-us\\jntfiltr.dll.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0095.358] FindNextFileW (in: hFindFile=0x10805408, lpFindFileData=0x1429fd28 | out: lpFindFileData=0x1429fd28) returned 1 [0095.358] lstrcpyW (in: lpString1=0x3e00338, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0095.358] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0095.358] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\How To Restore Files.hta" [0095.358] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\en-us\\how to restore files.hta")) returned 0x1 [0095.358] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="jnwdui.dll.mui") returned -1 [0095.358] lstrlenW (lpString="jnwdui.dll.mui") returned 14 [0095.358] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0095.358] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0095.358] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="jnwdui.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwdui.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwdui.dll.mui" [0095.358] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwdui.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwdui.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwdui.dll.mui" [0095.358] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwdui.dll.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwdui.dll.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwdui.dll.mui id-Br3n0G72wUb8CejT.LyaS" [0095.358] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwdui.dll.mui" (normalized: "c:\\program files\\windows journal\\en-us\\jnwdui.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwdui.dll.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\en-us\\jnwdui.dll.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0095.484] FindNextFileW (in: hFindFile=0x10805408, lpFindFileData=0x1429fd28 | out: lpFindFileData=0x1429fd28) returned 1 [0095.484] lstrcpyW (in: lpString1=0x3e00338, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0095.484] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0095.484] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\How To Restore Files.hta" [0095.484] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\en-us\\how to restore files.hta")) returned 0x1 [0095.484] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="jnwmon.dll.mui") returned -1 [0095.484] lstrlenW (lpString="jnwmon.dll.mui") returned 14 [0095.484] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0095.484] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0095.485] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="jnwmon.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwmon.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwmon.dll.mui" [0095.485] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwmon.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwmon.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwmon.dll.mui" [0095.485] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwmon.dll.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwmon.dll.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwmon.dll.mui id-Br3n0G72wUb8CejT.LyaS" [0095.485] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwmon.dll.mui" (normalized: "c:\\program files\\windows journal\\en-us\\jnwmon.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwmon.dll.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\en-us\\jnwmon.dll.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0095.485] FindNextFileW (in: hFindFile=0x10805408, lpFindFileData=0x1429fd28 | out: lpFindFileData=0x1429fd28) returned 1 [0095.485] lstrcpyW (in: lpString1=0x3e00338, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0095.485] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0095.485] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\How To Restore Files.hta" [0095.485] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\en-us\\how to restore files.hta")) returned 0x1 [0095.485] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Journal.exe.mui") returned -1 [0095.485] lstrlenW (lpString="Journal.exe.mui") returned 15 [0095.485] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0095.485] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0095.485] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="Journal.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Journal.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Journal.exe.mui" [0095.485] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Journal.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Journal.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Journal.exe.mui" [0095.485] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Journal.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Journal.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Journal.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0095.485] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Journal.exe.mui" (normalized: "c:\\program files\\windows journal\\en-us\\journal.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Journal.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\en-us\\journal.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0095.486] FindNextFileW (in: hFindFile=0x10805408, lpFindFileData=0x1429fd28 | out: lpFindFileData=0x1429fd28) returned 1 [0095.486] lstrcpyW (in: lpString1=0x3e00338, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0095.486] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0095.486] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\How To Restore Files.hta" [0095.486] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\en-us\\how to restore files.hta")) returned 0x1 [0095.486] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MSPVWCTL.DLL.mui") returned -1 [0095.486] lstrlenW (lpString="MSPVWCTL.DLL.mui") returned 16 [0095.486] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0095.486] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0095.486] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="MSPVWCTL.DLL.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\MSPVWCTL.DLL.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\MSPVWCTL.DLL.mui" [0095.486] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\MSPVWCTL.DLL.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\MSPVWCTL.DLL.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\MSPVWCTL.DLL.mui" [0095.486] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\MSPVWCTL.DLL.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\MSPVWCTL.DLL.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\MSPVWCTL.DLL.mui id-Br3n0G72wUb8CejT.LyaS" [0095.486] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\MSPVWCTL.DLL.mui" (normalized: "c:\\program files\\windows journal\\en-us\\mspvwctl.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\MSPVWCTL.DLL.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\en-us\\mspvwctl.dll.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0095.487] FindNextFileW (in: hFindFile=0x10805408, lpFindFileData=0x1429fd28 | out: lpFindFileData=0x1429fd28) returned 1 [0095.487] lstrcpyW (in: lpString1=0x3e00338, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0095.487] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0095.487] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\How To Restore Files.hta" [0095.487] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\en-us\\how to restore files.hta")) returned 0x1 [0095.487] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="NBMapTIP.dll.mui") returned -1 [0095.487] lstrlenW (lpString="NBMapTIP.dll.mui") returned 16 [0095.487] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0095.487] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0095.487] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="NBMapTIP.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\NBMapTIP.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\NBMapTIP.dll.mui" [0095.487] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\NBMapTIP.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\NBMapTIP.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\NBMapTIP.dll.mui" [0095.487] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\NBMapTIP.dll.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\NBMapTIP.dll.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\NBMapTIP.dll.mui id-Br3n0G72wUb8CejT.LyaS" [0095.487] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\NBMapTIP.dll.mui" (normalized: "c:\\program files\\windows journal\\en-us\\nbmaptip.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\NBMapTIP.dll.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\en-us\\nbmaptip.dll.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0095.488] FindNextFileW (in: hFindFile=0x10805408, lpFindFileData=0x1429fd28 | out: lpFindFileData=0x1429fd28) returned 1 [0095.488] lstrcpyW (in: lpString1=0x3e00338, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0095.488] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0095.488] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\How To Restore Files.hta" [0095.488] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\en-us\\how to restore files.hta")) returned 0x1 [0095.488] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="PDIALOG.exe.mui") returned -1 [0095.488] lstrlenW (lpString="PDIALOG.exe.mui") returned 15 [0095.488] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0095.488] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0095.488] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="PDIALOG.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\PDIALOG.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\PDIALOG.exe.mui" [0095.488] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\PDIALOG.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\PDIALOG.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\PDIALOG.exe.mui" [0095.488] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\PDIALOG.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\PDIALOG.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\PDIALOG.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0095.488] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\PDIALOG.exe.mui" (normalized: "c:\\program files\\windows journal\\en-us\\pdialog.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\PDIALOG.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\en-us\\pdialog.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0095.489] FindNextFileW (in: hFindFile=0x10805408, lpFindFileData=0x1429fd28 | out: lpFindFileData=0x1429fd28) returned 0 [0095.489] FindClose (in: hFindFile=0x10805408 | out: hFindFile=0x10805408) returned 1 Thread: id = 271 os_tid = 0xd88 [0091.801] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*", lpFindFileData=0x143dfd28 | out: lpFindFileData=0x143dfd28) returned 0x10805448 [0091.802] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.802] FindNextFileW (in: hFindFile=0x10805448, lpFindFileData=0x143dfd28 | out: lpFindFileData=0x143dfd28) returned 1 [0091.802] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.802] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.802] FindNextFileW (in: hFindFile=0x10805448, lpFindFileData=0x143dfd28 | out: lpFindFileData=0x143dfd28) returned 1 [0091.802] lstrcpyW (in: lpString1=0x3e08340, lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*" [0091.802] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*") returned 43 [0091.802] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\How To Restore Files.hta" [0091.802] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows mail\\en-us\\how to restore files.hta")) returned 0xffffffff [0091.802] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows mail\\en-us\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0094.123] WriteFile (in: hFile=0x33c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x143dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x143dfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.466] CloseHandle (hObject=0x33c) returned 1 [0094.505] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0095.526] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msoeres.dll.mui") returned -1 [0095.526] lstrlenW (lpString="msoeres.dll.mui") returned 15 [0095.526] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*" [0095.526] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*") returned 43 [0095.526] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\", lpString2="msoeres.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\msoeres.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\msoeres.dll.mui" [0095.526] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\msoeres.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\msoeres.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\msoeres.dll.mui" [0095.526] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\msoeres.dll.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\msoeres.dll.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\msoeres.dll.mui id-Br3n0G72wUb8CejT.LyaS" [0095.526] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\msoeres.dll.mui" (normalized: "c:\\program files\\windows mail\\en-us\\msoeres.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\msoeres.dll.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows mail\\en-us\\msoeres.dll.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0095.527] FindNextFileW (in: hFindFile=0x10805448, lpFindFileData=0x143dfd28 | out: lpFindFileData=0x143dfd28) returned 1 [0095.527] lstrcpyW (in: lpString1=0x3e1c358, lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*" [0095.527] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*") returned 43 [0095.527] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\How To Restore Files.hta" [0095.527] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows mail\\en-us\\how to restore files.hta")) returned 0x1 [0095.527] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="WinMail.exe.mui") returned -1 [0095.527] lstrlenW (lpString="WinMail.exe.mui") returned 15 [0095.527] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*" [0095.527] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*") returned 43 [0095.527] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\", lpString2="WinMail.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\WinMail.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\WinMail.exe.mui" [0095.527] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\WinMail.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\WinMail.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\WinMail.exe.mui" [0095.527] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\WinMail.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\WinMail.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\WinMail.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0095.527] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\WinMail.exe.mui" (normalized: "c:\\program files\\windows mail\\en-us\\winmail.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\WinMail.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows mail\\en-us\\winmail.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0095.528] FindNextFileW (in: hFindFile=0x10805448, lpFindFileData=0x143dfd28 | out: lpFindFileData=0x143dfd28) returned 0 [0095.528] FindClose (in: hFindFile=0x10805448 | out: hFindFile=0x10805448) returned 1 Thread: id = 272 os_tid = 0xf10 [0091.803] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*", lpFindFileData=0x1451fd28 | out: lpFindFileData=0x1451fd28) returned 0x10805488 [0091.803] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.803] FindNextFileW (in: hFindFile=0x10805488, lpFindFileData=0x1451fd28 | out: lpFindFileData=0x1451fd28) returned 1 [0091.803] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.803] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.803] FindNextFileW (in: hFindFile=0x10805488, lpFindFileData=0x1451fd28 | out: lpFindFileData=0x1451fd28) returned 1 [0091.803] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0091.803] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0091.803] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0091.804] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*" [0091.804] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*") returned 47 [0091.804] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US" [0091.804] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\*.*" [0091.804] GlobalMemoryStatus (in: lpBuffer=0x1451fd08 | out: lpBuffer=0x1451fd08) [0091.804] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2c30118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x460 [0091.805] CloseHandle (hObject=0x460) returned 1 [0091.805] FindNextFileW (in: hFindFile=0x10805488, lpFindFileData=0x1451fd28 | out: lpFindFileData=0x1451fd28) returned 1 [0091.807] lstrcpyW (in: lpString1=0x3ec5e90, lpString2="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*" [0091.807] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*") returned 47 [0091.807] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\How To Restore Files.hta" [0091.807] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\How To Restore Files.hta" (normalized: "c:\\program files\\windows nt\\accessories\\how to restore files.hta")) returned 0xffffffff [0091.807] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\How To Restore Files.hta" (normalized: "c:\\program files\\windows nt\\accessories\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0092.085] WriteFile (in: hFile=0x42c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1451fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1451fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0092.087] CloseHandle (hObject=0x42c) returned 1 [0092.087] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0092.087] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wordpad.exe") returned -1 [0092.087] lstrlenW (lpString="wordpad.exe") returned 11 [0092.087] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*" [0092.087] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*") returned 47 [0092.087] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\", lpString2="wordpad.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe" [0092.087] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe" [0092.087] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe id-Br3n0G72wUb8CejT.LyaS" [0092.088] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe" (normalized: "c:\\program files\\windows nt\\accessories\\wordpad.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows nt\\accessories\\wordpad.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0092.088] FindNextFileW (in: hFindFile=0x10805488, lpFindFileData=0x1451fd28 | out: lpFindFileData=0x1451fd28) returned 1 [0092.088] lstrcpyW (in: lpString1=0x3ec5e90, lpString2="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*" [0092.088] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*") returned 47 [0092.088] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\How To Restore Files.hta" [0092.088] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\How To Restore Files.hta" (normalized: "c:\\program files\\windows nt\\accessories\\how to restore files.hta")) returned 0x1 [0092.088] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="WordpadFilter.dll") returned -1 [0092.088] lstrlenW (lpString="WordpadFilter.dll") returned 17 [0092.088] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*" [0092.088] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*") returned 47 [0092.088] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\", lpString2="WordpadFilter.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll" [0092.088] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll" [0092.088] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll id-Br3n0G72wUb8CejT.LyaS" [0092.088] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll" (normalized: "c:\\program files\\windows nt\\accessories\\wordpadfilter.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows nt\\accessories\\wordpadfilter.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0092.088] FindNextFileW (in: hFindFile=0x10805488, lpFindFileData=0x1451fd28 | out: lpFindFileData=0x1451fd28) returned 0 [0092.088] FindClose (in: hFindFile=0x10805488 | out: hFindFile=0x10805488) returned 1 Thread: id = 273 os_tid = 0xc90 [0091.808] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\*.*", lpFindFileData=0x1465fd28 | out: lpFindFileData=0x1465fd28) returned 0x2c9ec48 [0093.663] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.663] FindNextFileW (in: hFindFile=0x2c9ec48, lpFindFileData=0x1465fd28 | out: lpFindFileData=0x1465fd28) returned 1 [0093.663] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.663] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.663] FindNextFileW (in: hFindFile=0x2c9ec48, lpFindFileData=0x1465fd28 | out: lpFindFileData=0x1465fd28) returned 1 [0093.663] lstrcpyW (in: lpString1=0x10dbdf10, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\*.*" [0093.664] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\*.*") returned 100 [0093.664] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0093.664] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.net.native.runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.664] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.net.native.runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.357] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1465fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1465fcf0, lpOverlapped=0x0) returned 0 [0094.357] CloseHandle (hObject=0xffffffff) returned 1 [0094.357] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 Thread: id = 274 os_tid = 0x510 [0091.809] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\*.*", lpFindFileData=0x1479fd28 | out: lpFindFileData=0x1479fd28) returned 0x2c9ec08 [0093.661] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.661] FindNextFileW (in: hFindFile=0x2c9ec08, lpFindFileData=0x1479fd28 | out: lpFindFileData=0x1479fd28) returned 1 [0093.661] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.661] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.662] FindNextFileW (in: hFindFile=0x2c9ec08, lpFindFileData=0x1479fd28 | out: lpFindFileData=0x1479fd28) returned 1 [0093.662] lstrcpyW (in: lpString1=0x3ef8080, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\*.*" [0093.662] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\*.*") returned 100 [0093.662] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0093.662] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.net.native.runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.662] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.net.native.runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.356] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1479fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1479fcf0, lpOverlapped=0x0) returned 0 [0094.356] CloseHandle (hObject=0xffffffff) returned 1 [0094.356] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 Thread: id = 275 os_tid = 0xc8c [0091.829] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*", lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 0x2c9f048 [0093.415] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.415] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0094.288] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0094.288] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.288] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0094.288] lstrcpyW (in: lpString1=0x3e2f378, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0094.288] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0094.288] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0094.288] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0094.289] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.365] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0) returned 0 [0094.365] CloseHandle (hObject=0xffffffff) returned 1 [0094.365] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.723] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="adalrt.dll") returned 1 [0095.723] lstrlenW (lpString="adalrt.dll") returned 10 [0095.723] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0095.723] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0095.723] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="adalrt.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\adalrt.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\adalrt.dll" [0095.724] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\adalrt.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\adalrt.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\adalrt.dll" [0095.724] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\adalrt.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\adalrt.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\adalrt.dll id-Br3n0G72wUb8CejT.LyaS" [0095.724] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\adalrt.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\adalrt.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\adalrt.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\adalrt.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0095.754] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0095.754] lstrcpyW (in: lpString1=0x3e2f378, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0095.754] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0095.754] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0095.755] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0095.755] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0096.372] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0) returned 0 [0096.372] CloseHandle (hObject=0xffffffff) returned 1 [0096.372] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.198] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="App.xaml") returned 1 [0097.198] lstrlenW (lpString="App.xaml") returned 8 [0097.198] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0097.198] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0097.198] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="App.xaml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\App.xaml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\App.xaml" [0097.198] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\App.xaml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\App.xaml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\App.xaml" [0097.198] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\App.xaml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\App.xaml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\App.xaml id-Br3n0G72wUb8CejT.LyaS" [0097.198] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\App.xaml" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\app.xaml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\App.xaml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\app.xaml id-br3n0g72wub8cejt.lyas")) returned 0 [0097.198] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0097.198] lstrcpyW (in: lpString1=0x3e2f378, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0097.199] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0097.199] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.199] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.199] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.199] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0) returned 0 [0097.199] CloseHandle (hObject=0xffffffff) returned 1 [0097.199] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.199] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0097.199] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0097.199] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0097.199] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0097.199] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" [0097.200] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" [0097.200] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0097.200] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0097.200] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0097.200] lstrcpyW (in: lpString1=0x3e2f378, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0097.200] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0097.200] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.200] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.200] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.201] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0) returned 0 [0097.201] CloseHandle (hObject=0xffffffff) returned 1 [0097.201] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.201] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxManifest.xml") returned 1 [0097.201] lstrlenW (lpString="AppxManifest.xml") returned 16 [0097.201] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0097.201] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0097.201] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="AppxManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxManifest.xml" [0097.201] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxManifest.xml" [0097.201] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxManifest.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS" [0097.201] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxManifest.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\appxmanifest.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\appxmanifest.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0098.054] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0098.054] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0098.054] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0098.054] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 [0098.098] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0098.098] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0098.098] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="AppxMetadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxMetadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxMetadata" [0098.098] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxMetadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*" [0098.098] GlobalMemoryStatus (in: lpBuffer=0x148dfd08 | out: lpBuffer=0x148dfd08) [0098.098] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21631d70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x584 [0098.099] CloseHandle (hObject=0x584) returned 1 [0098.099] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0098.099] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0098.099] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0098.099] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.099] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.099] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.100] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0) returned 0 [0098.100] CloseHandle (hObject=0xffffffff) returned 1 [0098.100] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.100] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxSignature.p7x") returned 1 [0098.100] lstrlenW (lpString="AppxSignature.p7x") returned 17 [0098.100] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0098.100] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0098.100] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x" [0098.100] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x" [0098.100] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" [0098.100] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\appxsignature.p7x"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\appxsignature.p7x id-br3n0g72wub8cejt.lyas")) returned 0 [0098.209] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0098.209] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0098.209] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0098.209] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.209] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.209] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.210] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0) returned 0 [0098.210] CloseHandle (hObject=0xffffffff) returned 1 [0098.210] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.210] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="autstbim.dll") returned 1 [0098.210] lstrlenW (lpString="autstbim.dll") returned 12 [0098.210] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0098.210] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0098.210] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="autstbim.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\autstbim.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\autstbim.dll" [0098.210] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\autstbim.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\autstbim.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\autstbim.dll" [0098.210] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\autstbim.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\autstbim.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\autstbim.dll id-Br3n0G72wUb8CejT.LyaS" [0098.210] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\autstbim.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\autstbim.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\autstbim.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\autstbim.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.211] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0098.211] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0098.211] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0098.211] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.211] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.212] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.212] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0) returned 0 [0098.212] CloseHandle (hObject=0xffffffff) returned 1 [0098.212] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.213] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="CsiImm.dll") returned 1 [0098.213] lstrlenW (lpString="CsiImm.dll") returned 10 [0098.213] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0098.213] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0098.213] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="CsiImm.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\CsiImm.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\CsiImm.dll" [0098.213] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\CsiImm.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\CsiImm.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\CsiImm.dll" [0098.213] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\CsiImm.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\CsiImm.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\CsiImm.dll id-Br3n0G72wUb8CejT.LyaS" [0098.214] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\CsiImm.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\csiimm.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\CsiImm.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\csiimm.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0099.208] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0099.208] lstrcmpW (lpString1=".", lpString2="en-gb") returned -1 [0099.208] lstrcmpW (lpString1="..", lpString2="en-gb") returned -1 [0099.208] lstrcmpiW (lpString1="windows", lpString2="en-gb") returned 1 [0099.326] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.326] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.326] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="en-gb" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\en-gb") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\en-gb" [0099.326] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\en-gb", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" [0099.326] GlobalMemoryStatus (in: lpBuffer=0x148dfd08 | out: lpBuffer=0x148dfd08) [0099.326] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1111edb0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x548 [0099.326] CloseHandle (hObject=0x548) returned 1 [0099.327] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0099.327] lstrcmpW (lpString1=".", lpString2="en-us") returned -1 [0099.327] lstrcmpW (lpString1="..", lpString2="en-us") returned -1 [0099.327] lstrcmpiW (lpString1="windows", lpString2="en-us") returned 1 [0099.331] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.331] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.331] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="en-us" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\en-us") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\en-us" [0099.331] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\en-us", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\en-us\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\en-us\\*.*" [0099.331] GlobalMemoryStatus (in: lpBuffer=0x148dfd08 | out: lpBuffer=0x148dfd08) [0099.331] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21982bb0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x548 [0099.332] CloseHandle (hObject=0x548) returned 1 [0099.332] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0099.332] lstrcmpW (lpString1=".", lpString2="font") returned -1 [0099.332] lstrcmpW (lpString1="..", lpString2="font") returned -1 [0099.332] lstrcmpiW (lpString1="windows", lpString2="font") returned 1 [0099.336] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.336] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.336] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="font" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\font") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\font" [0099.336] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\font", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\font\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\font\\*.*" [0099.336] GlobalMemoryStatus (in: lpBuffer=0x148dfd08 | out: lpBuffer=0x148dfd08) [0099.336] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2199ac18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x548 [0099.337] CloseHandle (hObject=0x548) returned 1 [0099.337] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0099.337] lstrcmpW (lpString1=".", lpString2="fonts") returned -1 [0099.337] lstrcmpW (lpString1="..", lpString2="fonts") returned -1 [0099.337] lstrcmpiW (lpString1="windows", lpString2="fonts") returned 1 [0099.343] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.343] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.343] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="fonts" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\fonts") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\fonts" [0099.343] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\fonts", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\fonts\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\fonts\\*.*" [0099.343] GlobalMemoryStatus (in: lpBuffer=0x148dfd08 | out: lpBuffer=0x148dfd08) [0099.343] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x219b2c80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x548 [0099.344] CloseHandle (hObject=0x548) returned 1 [0099.344] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0099.344] lstrcmpW (lpString1=".", lpString2="images") returned -1 [0099.344] lstrcmpW (lpString1="..", lpString2="images") returned -1 [0099.344] lstrcmpiW (lpString1="windows", lpString2="images") returned 1 [0099.349] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.349] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.349] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="images" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\images") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\images" [0099.349] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\images", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\images\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\images\\*.*" [0099.349] GlobalMemoryStatus (in: lpBuffer=0x148dfd08 | out: lpBuffer=0x148dfd08) [0099.349] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x219cace8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x548 [0099.350] CloseHandle (hObject=0x548) returned 1 [0099.350] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0099.350] lstrcmpW (lpString1=".", lpString2="microsoft.system.package.metadata") returned -1 [0099.350] lstrcmpW (lpString1="..", lpString2="microsoft.system.package.metadata") returned -1 [0099.350] lstrcmpiW (lpString1="windows", lpString2="microsoft.system.package.metadata") returned 1 [0099.355] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.356] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.356] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="microsoft.system.package.metadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata" [0099.356] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*" [0099.356] GlobalMemoryStatus (in: lpBuffer=0x148dfd08 | out: lpBuffer=0x148dfd08) [0099.356] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x219e2d50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x548 [0099.357] CloseHandle (hObject=0x548) returned 1 [0099.357] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0099.357] lstrcpyW (in: lpString1=0x5b30738, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.357] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.357] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0099.357] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0099.358] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0099.358] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0) returned 0 [0099.358] CloseHandle (hObject=0xffffffff) returned 1 [0099.358] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0099.359] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msipcm.dll") returned -1 [0099.359] lstrlenW (lpString="msipcm.dll") returned 10 [0099.359] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.359] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.359] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="msipcm.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msipcm.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msipcm.dll" [0099.359] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msipcm.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msipcm.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msipcm.dll" [0099.359] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msipcm.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msipcm.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msipcm.dll id-Br3n0G72wUb8CejT.LyaS" [0099.359] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msipcm.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msipcm.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msipcm.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msipcm.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0099.424] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0099.425] lstrcpyW (in: lpString1=0x21a93030, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.425] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.425] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0099.426] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0099.426] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0099.426] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0) returned 0 [0099.426] CloseHandle (hObject=0xffffffff) returned 1 [0099.427] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0099.427] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="mso0127.acl") returned -1 [0099.427] lstrlenW (lpString="mso0127.acl") returned 11 [0099.427] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.427] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.427] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="mso0127.acl" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso0127.acl") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso0127.acl" [0099.427] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso0127.acl" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso0127.acl") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso0127.acl" [0099.427] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso0127.acl", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso0127.acl id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso0127.acl id-Br3n0G72wUb8CejT.LyaS" [0099.427] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso0127.acl" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso0127.acl"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso0127.acl id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso0127.acl id-br3n0g72wub8cejt.lyas")) returned 0 [0099.428] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0099.428] lstrcpyW (in: lpString1=0x21a93030, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.428] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.428] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0099.428] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0099.428] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0099.429] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0) returned 0 [0099.429] CloseHandle (hObject=0xffffffff) returned 1 [0099.429] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0099.429] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="mso20imm.dll") returned -1 [0099.429] lstrlenW (lpString="mso20imm.dll") returned 12 [0099.429] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.429] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.430] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="mso20imm.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso20imm.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso20imm.dll" [0099.430] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso20imm.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso20imm.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso20imm.dll" [0099.430] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso20imm.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso20imm.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso20imm.dll id-Br3n0G72wUb8CejT.LyaS" [0099.430] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso20imm.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso20imm.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso20imm.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso20imm.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0099.452] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0099.453] lstrcpyW (in: lpString1=0x3f28858, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.453] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.453] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0099.453] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0099.453] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0099.453] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0) returned 0 [0099.453] CloseHandle (hObject=0xffffffff) returned 1 [0099.453] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0099.454] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="mso30imm.dll") returned -1 [0099.454] lstrlenW (lpString="mso30imm.dll") returned 12 [0099.454] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.454] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.454] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="mso30imm.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso30imm.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso30imm.dll" [0099.454] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso30imm.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso30imm.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso30imm.dll" [0099.454] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso30imm.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso30imm.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso30imm.dll id-Br3n0G72wUb8CejT.LyaS" [0099.454] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso30imm.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso30imm.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso30imm.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\mso30imm.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0099.456] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0099.456] lstrcpyW (in: lpString1=0x3f28858, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.456] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.456] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0099.456] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0099.456] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0099.457] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0) returned 0 [0099.457] CloseHandle (hObject=0xffffffff) returned 1 [0099.457] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0099.457] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msoimm.dll") returned -1 [0099.457] lstrlenW (lpString="msoimm.dll") returned 10 [0099.457] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.457] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.457] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="msoimm.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msoimm.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msoimm.dll" [0099.457] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msoimm.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msoimm.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msoimm.dll" [0099.458] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msoimm.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msoimm.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msoimm.dll id-Br3n0G72wUb8CejT.LyaS" [0099.458] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msoimm.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msoimm.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msoimm.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msoimm.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0099.458] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0099.458] lstrcpyW (in: lpString1=0x3f28858, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.458] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.458] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0099.458] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0099.458] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0099.459] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0) returned 0 [0099.459] CloseHandle (hObject=0xffffffff) returned 1 [0099.459] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0099.459] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msproof7imm.dll") returned -1 [0099.459] lstrlenW (lpString="msproof7imm.dll") returned 15 [0099.459] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.459] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.459] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="msproof7imm.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msproof7imm.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msproof7imm.dll" [0099.459] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msproof7imm.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msproof7imm.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msproof7imm.dll" [0099.459] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msproof7imm.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msproof7imm.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msproof7imm.dll id-Br3n0G72wUb8CejT.LyaS" [0099.459] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msproof7imm.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msproof7imm.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msproof7imm.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msproof7imm.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0099.460] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0099.460] lstrcpyW (in: lpString1=0x3f28858, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.460] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.460] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0099.460] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0099.461] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0099.461] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0) returned 0 [0099.461] CloseHandle (hObject=0xffffffff) returned 1 [0099.461] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0099.461] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msptlsimm.dll") returned -1 [0099.461] lstrlenW (lpString="msptlsimm.dll") returned 13 [0099.461] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.461] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.461] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="msptlsimm.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msptlsimm.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msptlsimm.dll" [0099.461] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msptlsimm.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msptlsimm.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msptlsimm.dll" [0099.462] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msptlsimm.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msptlsimm.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msptlsimm.dll id-Br3n0G72wUb8CejT.LyaS" [0099.462] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msptlsimm.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msptlsimm.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msptlsimm.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\msptlsimm.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0099.463] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0099.463] lstrcpyW (in: lpString1=0x3f28858, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.463] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.463] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0099.463] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0099.463] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0099.463] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0) returned 0 [0099.463] CloseHandle (hObject=0xffffffff) returned 1 [0099.463] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0099.464] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="office.odf") returned -1 [0099.464] lstrlenW (lpString="office.odf") returned 10 [0099.464] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.464] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.464] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="office.odf" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\office.odf") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\office.odf" [0099.464] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\office.odf" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\office.odf") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\office.odf" [0099.464] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\office.odf", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\office.odf id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\office.odf id-Br3n0G72wUb8CejT.LyaS" [0099.464] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\office.odf" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\office.odf"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\office.odf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\office.odf id-br3n0g72wub8cejt.lyas")) returned 0 [0099.465] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0099.465] lstrcpyW (in: lpString1=0x3f28858, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.465] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.465] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0099.465] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0099.465] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0099.465] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0) returned 0 [0099.465] CloseHandle (hObject=0xffffffff) returned 1 [0099.465] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0099.466] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Office.UI.Xaml.Core.dll") returned -1 [0099.466] lstrlenW (lpString="Office.UI.Xaml.Core.dll") returned 23 [0099.466] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.466] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.466] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="Office.UI.Xaml.Core.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\Office.UI.Xaml.Core.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\Office.UI.Xaml.Core.dll" [0099.466] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\Office.UI.Xaml.Core.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\Office.UI.Xaml.Core.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\Office.UI.Xaml.Core.dll" [0099.466] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\Office.UI.Xaml.Core.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\Office.UI.Xaml.Core.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\Office.UI.Xaml.Core.dll id-Br3n0G72wUb8CejT.LyaS" [0099.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\Office.UI.Xaml.Core.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\office.ui.xaml.core.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\Office.UI.Xaml.Core.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\office.ui.xaml.core.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0099.466] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0099.466] lstrcpyW (in: lpString1=0x3f28858, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.466] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.466] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0099.466] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0099.467] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0099.467] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x148dfcf0, lpOverlapped=0x0) returned 0 [0099.467] CloseHandle (hObject=0xffffffff) returned 1 [0099.467] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0099.467] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Office.UI.Xaml.OneNote.dll") returned -1 [0099.467] lstrlenW (lpString="Office.UI.Xaml.OneNote.dll") returned 26 [0099.467] lstrcmpiW (lpString1=".LyaS", lpString2="e.dll") returned -1 [0099.467] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.467] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.467] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="Office.UI.Xaml.OneNote.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\Office.UI.Xaml.OneNote.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\Office.UI.Xaml.OneNote.dll" [0099.467] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\Office.UI.Xaml.OneNote.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\Office.UI.Xaml.OneNote.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\Office.UI.Xaml.OneNote.dll" [0099.467] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\Office.UI.Xaml.OneNote.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\Office.UI.Xaml.OneNote.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\Office.UI.Xaml.OneNote.dll id-Br3n0G72wUb8CejT.LyaS" [0099.468] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\Office.UI.Xaml.OneNote.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\office.ui.xaml.onenote.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\Office.UI.Xaml.OneNote.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\office.ui.xaml.onenote.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0099.592] FindNextFileW (in: hFindFile=0x2c9f048, lpFindFileData=0x148dfd28 | out: lpFindFileData=0x148dfd28) returned 1 [0099.592] lstrcpyW (in: lpString1=0x21b43270, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*" [0099.592] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\*.*") returned 96 [0099.592] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0099.592] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0099.592] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 276 os_tid = 0x890 [0091.834] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe\\*.*", lpFindFileData=0x14a1fd28 | out: lpFindFileData=0x14a1fd28) returned 0x2c9eb48 [0093.660] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.660] FindNextFileW (in: hFindFile=0x2c9eb48, lpFindFileData=0x14a1fd28 | out: lpFindFileData=0x14a1fd28) returned 1 [0093.660] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.660] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.660] FindNextFileW (in: hFindFile=0x2c9eb48, lpFindFileData=0x14a1fd28 | out: lpFindFileData=0x14a1fd28) returned 1 [0093.660] lstrcpyW (in: lpString1=0x3ee8070, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe\\*.*" [0093.660] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 103 [0093.660] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0093.660] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.660] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.356] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x14a1fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x14a1fcf0, lpOverlapped=0x0) returned 0 [0094.356] CloseHandle (hObject=0xffffffff) returned 1 [0094.356] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 Thread: id = 277 os_tid = 0xc84 [0091.868] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe\\*.*", lpFindFileData=0x14b5fd28 | out: lpFindFileData=0x14b5fd28) returned 0x2c9eb88 [0093.652] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.652] FindNextFileW (in: hFindFile=0x2c9eb88, lpFindFileData=0x14b5fd28 | out: lpFindFileData=0x14b5fd28) returned 1 [0093.652] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.652] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.652] FindNextFileW (in: hFindFile=0x2c9eb88, lpFindFileData=0x14b5fd28 | out: lpFindFileData=0x14b5fd28) returned 1 [0093.652] lstrcpyW (in: lpString1=0x11543e10, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe\\*.*" [0093.652] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe\\*.*") returned 103 [0093.652] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe\\How To Restore Files.hta" [0093.652] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.people_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.652] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.people_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.355] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x14b5fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x14b5fcf0, lpOverlapped=0x0) returned 0 [0094.355] CloseHandle (hObject=0xffffffff) returned 1 [0094.355] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 Thread: id = 278 os_tid = 0x820 [0091.872] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\*.*", lpFindFileData=0x14c9fd28 | out: lpFindFileData=0x14c9fd28) returned 0x2c9f008 [0093.413] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.413] FindNextFileW (in: hFindFile=0x2c9f008, lpFindFileData=0x14c9fd28 | out: lpFindFileData=0x14c9fd28) returned 1 [0093.414] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.414] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.415] FindNextFileW (in: hFindFile=0x2c9f008, lpFindFileData=0x14c9fd28 | out: lpFindFileData=0x14c9fd28) returned 1 [0093.766] lstrcpyW (in: lpString1=0x21068588, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\*.*" [0093.766] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\*.*") returned 84 [0093.766] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0093.766] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.people_1.10159.0.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.766] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.people_1.10159.0.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.360] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x14c9fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x14c9fcf0, lpOverlapped=0x0) returned 0 [0094.360] CloseHandle (hObject=0xffffffff) returned 1 [0094.360] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.830] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="App.xbf") returned 1 [0095.830] lstrlenW (lpString="App.xbf") returned 7 [0095.830] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\*.*" [0095.830] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\*.*") returned 84 [0095.830] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\", lpString2="App.xbf" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\App.xbf") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\App.xbf" [0095.830] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\App.xbf" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\App.xbf") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\App.xbf" [0095.830] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\App.xbf", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\App.xbf id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\App.xbf id-Br3n0G72wUb8CejT.LyaS" [0095.830] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\App.xbf" (normalized: "c:\\program files\\windowsapps\\microsoft.people_1.10159.0.0_x64__8wekyb3d8bbwe\\app.xbf"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\\App.xbf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.people_1.10159.0.0_x64__8wekyb3d8bbwe\\app.xbf id-br3n0g72wub8cejt.lyas")) returned 0 [0095.921] FindNextFileW (in: hFindFile=0x2c9f008, lpFindFileData=0x14c9fd28 | out: lpFindFileData=0x14c9fd28) returned 1 Thread: id = 279 os_tid = 0xc80 [0091.876] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*", lpFindFileData=0x14ddfd28 | out: lpFindFileData=0x14ddfd28) returned 0x5c8d50 [0094.296] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.296] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x14ddfd28 | out: lpFindFileData=0x14ddfd28) returned 1 [0094.296] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0094.296] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.296] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x14ddfd28 | out: lpFindFileData=0x14ddfd28) returned 1 [0094.838] lstrcpyW (in: lpString1=0x3e3f388, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*" [0094.838] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 92 [0094.838] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0094.838] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.people_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0094.838] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.people_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.840] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x14ddfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x14ddfcf0, lpOverlapped=0x0) returned 0 [0094.840] CloseHandle (hObject=0xffffffff) returned 1 [0094.840] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0094.840] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0094.840] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0094.840] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*" [0094.840] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 92 [0094.840] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0094.840] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0094.840] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0094.840] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.people_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.people_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0096.299] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x14ddfd28 | out: lpFindFileData=0x14ddfd28) returned 1 [0096.299] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0096.299] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0096.300] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 [0098.252] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*" [0098.252] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 92 [0098.252] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxMetadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata" [0098.252] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0098.252] GlobalMemoryStatus (in: lpBuffer=0x14ddfd08 | out: lpBuffer=0x14ddfd08) [0098.252] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x109f8ec8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5e8 [0098.253] CloseHandle (hObject=0x5e8) returned 1 [0098.253] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x14ddfd28 | out: lpFindFileData=0x14ddfd28) returned 1 [0098.253] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*" [0098.253] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 92 [0098.253] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0098.253] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.people_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.253] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.people_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.254] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x14ddfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x14ddfcf0, lpOverlapped=0x0) returned 0 [0098.254] CloseHandle (hObject=0xffffffff) returned 1 [0098.254] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.254] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxSignature.p7x") returned 1 [0098.254] lstrlenW (lpString="AppxSignature.p7x") returned 17 [0098.255] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*" [0098.255] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 92 [0098.255] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" [0098.255] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" [0098.255] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" [0098.255] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" (normalized: "c:\\program files\\windowsapps\\microsoft.people_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\appxsignature.p7x"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.people_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\appxsignature.p7x id-br3n0g72wub8cejt.lyas")) returned 0 [0098.398] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x14ddfd28 | out: lpFindFileData=0x14ddfd28) returned 1 [0098.398] lstrcmpW (lpString1=".", lpString2="microsoft.system.package.metadata") returned -1 [0098.398] lstrcmpW (lpString1="..", lpString2="microsoft.system.package.metadata") returned -1 [0098.398] lstrcmpiW (lpString1="windows", lpString2="microsoft.system.package.metadata") returned 1 [0098.398] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*" [0098.398] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 92 [0098.398] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\", lpString2="microsoft.system.package.metadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata" [0098.398] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*" [0098.398] GlobalMemoryStatus (in: lpBuffer=0x14ddfd08 | out: lpBuffer=0x14ddfd08) [0098.398] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11136e18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x538 [0098.399] CloseHandle (hObject=0x538) returned 1 [0098.399] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x14ddfd28 | out: lpFindFileData=0x14ddfd28) returned 0 [0098.399] FindClose (in: hFindFile=0x5c8d50 | out: hFindFile=0x5c8d50) returned 1 Thread: id = 280 os_tid = 0x620 [0091.876] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*", lpFindFileData=0x14f1fd28 | out: lpFindFileData=0x14f1fd28) returned 0x2c9efc8 [0093.404] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.404] FindNextFileW (in: hFindFile=0x2c9efc8, lpFindFileData=0x14f1fd28 | out: lpFindFileData=0x14f1fd28) returned 1 [0093.413] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.413] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.413] FindNextFileW (in: hFindFile=0x2c9efc8, lpFindFileData=0x14f1fd28 | out: lpFindFileData=0x14f1fd28) returned 1 [0093.770] lstrcpyW (in: lpString1=0x21070590, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*" [0093.770] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*") returned 87 [0093.770] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\How To Restore Files.hta" [0093.770] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\how to restore files.hta")) returned 0xffffffff [0093.770] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.361] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x14f1fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x14f1fcf0, lpOverlapped=0x0) returned 0 [0094.361] CloseHandle (hObject=0xffffffff) returned 1 [0094.361] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.829] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.829] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.829] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*" [0095.829] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*") returned 87 [0095.829] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxBlockMap.xml" [0095.829] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxBlockMap.xml" [0095.829] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.829] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0096.423] FindNextFileW (in: hFindFile=0x2c9efc8, lpFindFileData=0x14f1fd28 | out: lpFindFileData=0x14f1fd28) returned 1 [0096.423] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0096.423] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0096.423] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 [0097.028] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*" [0097.028] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*") returned 87 [0097.028] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\", lpString2="AppxMetadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxMetadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxMetadata" [0097.028] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxMetadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxMetadata\\*.*" [0097.028] GlobalMemoryStatus (in: lpBuffer=0x14f1fd08 | out: lpBuffer=0x14f1fd08) [0097.028] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2c00048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x538 [0097.029] CloseHandle (hObject=0x538) returned 1 [0097.029] FindNextFileW (in: hFindFile=0x2c9efc8, lpFindFileData=0x14f1fd28 | out: lpFindFileData=0x14f1fd28) returned 1 [0097.029] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*" [0097.029] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*") returned 87 [0097.029] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\How To Restore Files.hta" [0097.029] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\how to restore files.hta")) returned 0xffffffff [0097.029] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.030] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x14f1fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x14f1fcf0, lpOverlapped=0x0) returned 0 [0097.030] CloseHandle (hObject=0xffffffff) returned 1 [0097.030] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.030] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxSignature.p7x") returned 1 [0097.030] lstrlenW (lpString="AppxSignature.p7x") returned 17 [0097.030] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*" [0097.030] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*") returned 87 [0097.030] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\", lpString2="AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxSignature.p7x" [0097.030] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxSignature.p7x" [0097.030] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxSignature.p7x", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" [0097.030] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxSignature.p7x" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\appxsignature.p7x"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\appxsignature.p7x id-br3n0g72wub8cejt.lyas")) returned 0 [0097.031] FindNextFileW (in: hFindFile=0x2c9efc8, lpFindFileData=0x14f1fd28 | out: lpFindFileData=0x14f1fd28) returned 1 [0097.031] lstrcmpW (lpString1=".", lpString2="microsoft.system.package.metadata") returned -1 [0097.031] lstrcmpW (lpString1="..", lpString2="microsoft.system.package.metadata") returned -1 [0097.031] lstrcmpiW (lpString1="windows", lpString2="microsoft.system.package.metadata") returned 1 [0097.036] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*" [0097.036] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\*.*") returned 87 [0097.036] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\", lpString2="microsoft.system.package.metadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\microsoft.system.package.metadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\microsoft.system.package.metadata" [0097.036] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\microsoft.system.package.metadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\microsoft.system.package.metadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\microsoft.system.package.metadata\\*.*" [0097.036] GlobalMemoryStatus (in: lpBuffer=0x14f1fd08 | out: lpBuffer=0x14f1fd08) [0097.036] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10c097b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x538 [0097.037] CloseHandle (hObject=0x538) returned 1 [0097.037] FindNextFileW (in: hFindFile=0x2c9efc8, lpFindFileData=0x14f1fd28 | out: lpFindFileData=0x14f1fd28) returned 0 [0097.037] FindClose (in: hFindFile=0x2c9efc8 | out: hFindFile=0x2c9efc8) returned 1 Thread: id = 281 os_tid = 0xc7c [0091.876] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*", lpFindFileData=0x1505fd28 | out: lpFindFileData=0x1505fd28) returned 0x2c9ea48 [0094.284] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.284] FindNextFileW (in: hFindFile=0x2c9ea48, lpFindFileData=0x1505fd28 | out: lpFindFileData=0x1505fd28) returned 1 [0094.284] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0094.284] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.284] FindNextFileW (in: hFindFile=0x2c9ea48, lpFindFileData=0x1505fd28 | out: lpFindFileData=0x1505fd28) returned 1 [0094.284] lstrcpyW (in: lpString1=0x5aa8480, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" [0094.284] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned 82 [0094.284] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta" [0094.285] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\how to restore files.hta")) returned 0xffffffff [0094.285] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.364] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1505fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1505fcf0, lpOverlapped=0x0) returned 0 [0094.364] CloseHandle (hObject=0xffffffff) returned 1 [0094.364] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.734] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.734] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.734] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" [0095.734] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned 82 [0095.734] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxBlockMap.xml" [0095.734] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxBlockMap.xml" [0095.734] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.734] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0096.372] FindNextFileW (in: hFindFile=0x2c9ea48, lpFindFileData=0x1505fd28 | out: lpFindFileData=0x1505fd28) returned 1 [0097.202] lstrcpyW (in: lpString1=0x3e2f378, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" [0097.202] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned 82 [0097.202] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta" [0097.202] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\how to restore files.hta")) returned 0xffffffff [0097.202] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.203] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1505fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1505fcf0, lpOverlapped=0x0) returned 0 [0097.203] CloseHandle (hObject=0xffffffff) returned 1 [0097.203] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.203] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxManifest.xml") returned 1 [0097.203] lstrlenW (lpString="AppxManifest.xml") returned 16 [0097.203] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" [0097.203] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned 82 [0097.203] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\", lpString2="AppxManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxManifest.xml" [0097.203] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxManifest.xml" [0097.203] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxManifest.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS" [0097.203] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxManifest.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\appxmanifest.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\appxmanifest.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0097.204] FindNextFileW (in: hFindFile=0x2c9ea48, lpFindFileData=0x1505fd28 | out: lpFindFileData=0x1505fd28) returned 1 [0097.205] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0097.205] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0097.205] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 [0097.206] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" [0097.206] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned 82 [0097.206] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\", lpString2="AppxMetadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxMetadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxMetadata" [0097.206] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxMetadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxMetadata\\*.*" [0097.206] GlobalMemoryStatus (in: lpBuffer=0x1505fd08 | out: lpBuffer=0x1505fd08) [0097.206] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x106202b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0097.207] CloseHandle (hObject=0x430) returned 1 [0097.207] FindNextFileW (in: hFindFile=0x2c9ea48, lpFindFileData=0x1505fd28 | out: lpFindFileData=0x1505fd28) returned 1 [0097.207] lstrcpyW (in: lpString1=0x3e2f378, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" [0097.207] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned 82 [0097.207] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta" [0097.207] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\how to restore files.hta")) returned 0xffffffff [0097.207] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.208] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1505fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1505fcf0, lpOverlapped=0x0) returned 0 [0097.208] CloseHandle (hObject=0xffffffff) returned 1 [0097.208] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.208] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxSignature.p7x") returned 1 [0097.208] lstrlenW (lpString="AppxSignature.p7x") returned 17 [0097.208] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" [0097.208] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned 82 [0097.208] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\", lpString2="AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxSignature.p7x" [0097.208] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxSignature.p7x" [0097.208] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxSignature.p7x", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" [0097.208] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxSignature.p7x" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\appxsignature.p7x"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\appxsignature.p7x id-br3n0g72wub8cejt.lyas")) returned 0 [0097.208] FindNextFileW (in: hFindFile=0x2c9ea48, lpFindFileData=0x1505fd28 | out: lpFindFileData=0x1505fd28) returned 1 [0097.209] lstrcmpW (lpString1=".", lpString2="GetSkype") returned -1 [0097.209] lstrcmpW (lpString1="..", lpString2="GetSkype") returned -1 [0097.209] lstrcmpiW (lpString1="windows", lpString2="GetSkype") returned 1 [0097.218] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" [0097.218] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned 82 [0097.218] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\", lpString2="GetSkype" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype" [0097.218] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype\\*.*" [0097.219] GlobalMemoryStatus (in: lpBuffer=0x1505fd08 | out: lpBuffer=0x1505fd08) [0097.219] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x214695b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0097.220] CloseHandle (hObject=0x430) returned 1 [0097.220] FindNextFileW (in: hFindFile=0x2c9ea48, lpFindFileData=0x1505fd28 | out: lpFindFileData=0x1505fd28) returned 1 [0097.220] lstrcpyW (in: lpString1=0x3e2f378, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" [0097.220] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned 82 [0097.220] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta" [0097.220] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\how to restore files.hta")) returned 0xffffffff [0097.220] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.221] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1505fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1505fcf0, lpOverlapped=0x0) returned 0 [0097.221] CloseHandle (hObject=0xffffffff) returned 1 [0097.221] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.221] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="GetSkype.dll") returned 1 [0097.221] lstrlenW (lpString="GetSkype.dll") returned 12 [0097.221] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" [0097.221] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned 82 [0097.221] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\", lpString2="GetSkype.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype.dll" [0097.221] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype.dll" [0097.221] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype.dll id-Br3n0G72wUb8CejT.LyaS" [0097.221] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\getskype.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\getskype.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.101] FindNextFileW (in: hFindFile=0x2c9ea48, lpFindFileData=0x1505fd28 | out: lpFindFileData=0x1505fd28) returned 1 [0098.101] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" [0098.101] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned 82 [0098.101] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta" [0098.101] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\how to restore files.hta")) returned 0xffffffff [0098.101] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.102] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1505fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1505fcf0, lpOverlapped=0x0) returned 0 [0098.102] CloseHandle (hObject=0xffffffff) returned 1 [0098.102] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.102] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="GetSkype.exe") returned 1 [0098.102] lstrlenW (lpString="GetSkype.exe") returned 12 [0098.102] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" [0098.102] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned 82 [0098.102] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\", lpString2="GetSkype.exe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype.exe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype.exe" [0098.102] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype.exe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype.exe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype.exe" [0098.102] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype.exe id-Br3n0G72wUb8CejT.LyaS" [0098.102] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype.exe" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\getskype.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\getskype.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0098.102] FindNextFileW (in: hFindFile=0x2c9ea48, lpFindFileData=0x1505fd28 | out: lpFindFileData=0x1505fd28) returned 1 [0098.103] lstrcmpW (lpString1=".", lpString2="microsoft.system.package.metadata") returned -1 [0098.103] lstrcmpW (lpString1="..", lpString2="microsoft.system.package.metadata") returned -1 [0098.103] lstrcmpiW (lpString1="windows", lpString2="microsoft.system.package.metadata") returned 1 [0098.108] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" [0098.108] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned 82 [0098.108] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\", lpString2="microsoft.system.package.metadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\microsoft.system.package.metadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\microsoft.system.package.metadata" [0098.108] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\microsoft.system.package.metadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\microsoft.system.package.metadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\microsoft.system.package.metadata\\*.*" [0098.108] GlobalMemoryStatus (in: lpBuffer=0x1505fd08 | out: lpBuffer=0x1505fd08) [0098.108] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21649dd8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x584 [0098.109] CloseHandle (hObject=0x584) returned 1 [0098.109] FindNextFileW (in: hFindFile=0x2c9ea48, lpFindFileData=0x1505fd28 | out: lpFindFileData=0x1505fd28) returned 1 [0098.109] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" [0098.110] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned 82 [0098.110] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta" [0098.110] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\how to restore files.hta")) returned 0xffffffff [0098.110] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.110] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1505fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1505fcf0, lpOverlapped=0x0) returned 0 [0098.110] CloseHandle (hObject=0xffffffff) returned 1 [0098.110] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.111] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="resources.pri") returned -1 [0098.111] lstrlenW (lpString="resources.pri") returned 13 [0098.111] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*" [0098.111] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*.*") returned 82 [0098.111] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\", lpString2="resources.pri" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\resources.pri") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\resources.pri" [0098.111] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\resources.pri" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\resources.pri") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\resources.pri" [0098.111] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\resources.pri", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\resources.pri id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\resources.pri id-Br3n0G72wUb8CejT.LyaS" [0098.111] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\resources.pri" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\resources.pri"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\resources.pri id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\resources.pri id-br3n0g72wub8cejt.lyas")) returned 0 [0098.221] FindNextFileW (in: hFindFile=0x2c9ea48, lpFindFileData=0x1505fd28 | out: lpFindFileData=0x1505fd28) returned 0 [0098.221] FindClose (in: hFindFile=0x2c9ea48 | out: hFindFile=0x2c9ea48) returned 1 Thread: id = 282 os_tid = 0x548 [0091.877] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*", lpFindFileData=0x1519fd28 | out: lpFindFileData=0x1519fd28) returned 0x2c9e6c8 [0094.287] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.287] FindNextFileW (in: hFindFile=0x2c9e6c8, lpFindFileData=0x1519fd28 | out: lpFindFileData=0x1519fd28) returned 1 [0094.287] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0094.287] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.287] FindNextFileW (in: hFindFile=0x2c9e6c8, lpFindFileData=0x1519fd28 | out: lpFindFileData=0x1519fd28) returned 1 [0094.287] lstrcpyW (in: lpString1=0x10618210, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" [0094.287] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned 92 [0094.288] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0094.288] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0094.288] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0095.729] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1519fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1519fcf0, lpOverlapped=0x0) returned 0 [0095.729] CloseHandle (hObject=0xffffffff) returned 1 [0095.729] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.729] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.729] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.730] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" [0095.730] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned 92 [0095.730] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.730] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.730] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.730] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0096.377] FindNextFileW (in: hFindFile=0x2c9e6c8, lpFindFileData=0x1519fd28 | out: lpFindFileData=0x1519fd28) returned 1 [0097.125] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" [0097.125] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned 92 [0097.125] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.125] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.126] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.126] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1519fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1519fcf0, lpOverlapped=0x0) returned 0 [0097.126] CloseHandle (hObject=0xffffffff) returned 1 [0097.126] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.126] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxManifest.xml") returned 1 [0097.126] lstrlenW (lpString="AppxManifest.xml") returned 16 [0097.126] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" [0097.127] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned 92 [0097.127] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\", lpString2="AppxManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxManifest.xml" [0097.127] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxManifest.xml" [0097.127] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxManifest.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS" [0097.127] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxManifest.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\appxmanifest.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\appxmanifest.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0097.165] FindNextFileW (in: hFindFile=0x2c9e6c8, lpFindFileData=0x1519fd28 | out: lpFindFileData=0x1519fd28) returned 1 [0097.165] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0097.165] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0097.165] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 [0097.165] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" [0097.165] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned 92 [0097.165] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\", lpString2="AppxMetadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata" [0097.165] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*" [0097.165] GlobalMemoryStatus (in: lpBuffer=0x1519fd08 | out: lpBuffer=0x1519fd08) [0097.165] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10cb1a90, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0097.166] CloseHandle (hObject=0x430) returned 1 [0097.166] FindNextFileW (in: hFindFile=0x2c9e6c8, lpFindFileData=0x1519fd28 | out: lpFindFileData=0x1519fd28) returned 1 [0097.166] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" [0097.166] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned 92 [0097.166] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.167] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.167] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.167] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1519fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1519fcf0, lpOverlapped=0x0) returned 0 [0097.167] CloseHandle (hObject=0xffffffff) returned 1 [0097.167] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.168] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxSignature.p7x") returned 1 [0097.168] lstrlenW (lpString="AppxSignature.p7x") returned 17 [0097.168] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" [0097.168] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned 92 [0097.168] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\", lpString2="AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxSignature.p7x" [0097.168] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxSignature.p7x" [0097.168] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxSignature.p7x", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" [0097.168] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxSignature.p7x" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\appxsignature.p7x"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\appxsignature.p7x id-br3n0g72wub8cejt.lyas")) returned 0 [0097.168] FindNextFileW (in: hFindFile=0x2c9e6c8, lpFindFileData=0x1519fd28 | out: lpFindFileData=0x1519fd28) returned 1 [0097.168] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" [0097.169] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned 92 [0097.169] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.169] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.169] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.169] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1519fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1519fcf0, lpOverlapped=0x0) returned 0 [0097.169] CloseHandle (hObject=0xffffffff) returned 1 [0097.169] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.170] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="logo.png") returned -1 [0097.170] lstrlenW (lpString="logo.png") returned 8 [0097.170] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" [0097.170] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned 92 [0097.170] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\", lpString2="logo.png" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\logo.png") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\logo.png" [0097.170] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\logo.png" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\logo.png") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\logo.png" [0097.170] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\logo.png", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\logo.png id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\logo.png id-Br3n0G72wUb8CejT.LyaS" [0097.170] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\logo.png" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\logo.png"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\logo.png id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\logo.png id-br3n0g72wub8cejt.lyas")) returned 0 [0097.992] FindNextFileW (in: hFindFile=0x2c9e6c8, lpFindFileData=0x1519fd28 | out: lpFindFileData=0x1519fd28) returned 1 [0097.992] lstrcmpW (lpString1=".", lpString2="microsoft.system.package.metadata") returned -1 [0097.992] lstrcmpW (lpString1="..", lpString2="microsoft.system.package.metadata") returned -1 [0097.992] lstrcmpiW (lpString1="windows", lpString2="microsoft.system.package.metadata") returned 1 [0097.992] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" [0097.992] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned 92 [0097.992] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\", lpString2="microsoft.system.package.metadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata" [0097.992] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*" [0097.992] GlobalMemoryStatus (in: lpBuffer=0x1519fd08 | out: lpBuffer=0x1519fd08) [0097.992] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x89e8730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x584 [0097.994] CloseHandle (hObject=0x584) returned 1 [0097.994] FindNextFileW (in: hFindFile=0x2c9e6c8, lpFindFileData=0x1519fd28 | out: lpFindFileData=0x1519fd28) returned 1 [0097.994] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" [0097.994] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned 92 [0097.994] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.994] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.994] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.995] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1519fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1519fcf0, lpOverlapped=0x0) returned 0 [0097.995] CloseHandle (hObject=0xffffffff) returned 1 [0097.995] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.995] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msvcp120_app.dll") returned -1 [0097.995] lstrlenW (lpString="msvcp120_app.dll") returned 16 [0097.995] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" [0097.995] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned 92 [0097.995] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\", lpString2="msvcp120_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\msvcp120_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\msvcp120_app.dll" [0097.995] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\msvcp120_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\msvcp120_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\msvcp120_app.dll" [0097.995] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\msvcp120_app.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\msvcp120_app.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\msvcp120_app.dll id-Br3n0G72wUb8CejT.LyaS" [0097.995] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\msvcp120_app.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\msvcp120_app.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\msvcp120_app.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\msvcp120_app.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0097.997] FindNextFileW (in: hFindFile=0x2c9e6c8, lpFindFileData=0x1519fd28 | out: lpFindFileData=0x1519fd28) returned 1 [0097.997] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" [0097.997] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned 92 [0097.997] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.997] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.997] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.997] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1519fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1519fcf0, lpOverlapped=0x0) returned 0 [0097.997] CloseHandle (hObject=0xffffffff) returned 1 [0097.997] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.998] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msvcr120_app.dll") returned -1 [0097.998] lstrlenW (lpString="msvcr120_app.dll") returned 16 [0097.998] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" [0097.998] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned 92 [0097.998] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\", lpString2="msvcr120_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\msvcr120_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\msvcr120_app.dll" [0097.998] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\msvcr120_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\msvcr120_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\msvcr120_app.dll" [0097.998] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\msvcr120_app.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\msvcr120_app.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\msvcr120_app.dll id-Br3n0G72wUb8CejT.LyaS" [0097.998] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\msvcr120_app.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\msvcr120_app.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\msvcr120_app.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\msvcr120_app.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.178] FindNextFileW (in: hFindFile=0x2c9e6c8, lpFindFileData=0x1519fd28 | out: lpFindFileData=0x1519fd28) returned 1 [0098.178] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" [0098.178] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned 92 [0098.178] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.178] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.178] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.179] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1519fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1519fcf0, lpOverlapped=0x0) returned 0 [0098.179] CloseHandle (hObject=0xffffffff) returned 1 [0098.179] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.179] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="vcamp120_app.dll") returned -1 [0098.179] lstrlenW (lpString="vcamp120_app.dll") returned 16 [0098.179] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" [0098.179] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned 92 [0098.179] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\", lpString2="vcamp120_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vcamp120_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vcamp120_app.dll" [0098.179] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vcamp120_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vcamp120_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vcamp120_app.dll" [0098.179] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vcamp120_app.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vcamp120_app.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vcamp120_app.dll id-Br3n0G72wUb8CejT.LyaS" [0098.180] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vcamp120_app.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vcamp120_app.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vcamp120_app.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vcamp120_app.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.180] FindNextFileW (in: hFindFile=0x2c9e6c8, lpFindFileData=0x1519fd28 | out: lpFindFileData=0x1519fd28) returned 1 [0098.180] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" [0098.180] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned 92 [0098.180] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.180] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.180] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.181] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1519fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1519fcf0, lpOverlapped=0x0) returned 0 [0098.181] CloseHandle (hObject=0xffffffff) returned 1 [0098.181] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.181] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="vccorlib120_app.dll") returned -1 [0098.181] lstrlenW (lpString="vccorlib120_app.dll") returned 19 [0098.182] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" [0098.182] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned 92 [0098.182] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\", lpString2="vccorlib120_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vccorlib120_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vccorlib120_app.dll" [0098.182] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vccorlib120_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vccorlib120_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vccorlib120_app.dll" [0098.182] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vccorlib120_app.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vccorlib120_app.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vccorlib120_app.dll id-Br3n0G72wUb8CejT.LyaS" [0098.182] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vccorlib120_app.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vccorlib120_app.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vccorlib120_app.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vccorlib120_app.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.182] FindNextFileW (in: hFindFile=0x2c9e6c8, lpFindFileData=0x1519fd28 | out: lpFindFileData=0x1519fd28) returned 1 [0098.182] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" [0098.182] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned 92 [0098.182] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.182] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.183] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.183] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1519fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1519fcf0, lpOverlapped=0x0) returned 0 [0098.183] CloseHandle (hObject=0xffffffff) returned 1 [0098.183] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.184] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="vcomp120_app.dll") returned -1 [0098.184] lstrlenW (lpString="vcomp120_app.dll") returned 16 [0098.184] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*" [0098.184] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\*.*") returned 92 [0098.184] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\", lpString2="vcomp120_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vcomp120_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vcomp120_app.dll" [0098.184] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vcomp120_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vcomp120_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vcomp120_app.dll" [0098.184] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vcomp120_app.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vcomp120_app.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vcomp120_app.dll id-Br3n0G72wUb8CejT.LyaS" [0098.184] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vcomp120_app.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vcomp120_app.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vcomp120_app.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\vcomp120_app.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.185] FindNextFileW (in: hFindFile=0x2c9e6c8, lpFindFileData=0x1519fd28 | out: lpFindFileData=0x1519fd28) returned 0 [0098.185] FindClose (in: hFindFile=0x2c9e6c8 | out: hFindFile=0x2c9e6c8) returned 1 Thread: id = 284 os_tid = 0xb68 [0091.878] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*", lpFindFileData=0x152dfd28 | out: lpFindFileData=0x152dfd28) returned 0x10804c48 [0092.015] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.015] FindNextFileW (in: hFindFile=0x10804c48, lpFindFileData=0x152dfd28 | out: lpFindFileData=0x152dfd28) returned 1 [0092.015] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.015] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.015] FindNextFileW (in: hFindFile=0x10804c48, lpFindFileData=0x152dfd28 | out: lpFindFileData=0x152dfd28) returned 1 [0092.017] lstrcpyW (in: lpString1=0x66cf80, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" [0092.017] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned 47 [0092.017] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta" [0092.017] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\en-us\\how to restore files.hta")) returned 0xffffffff [0092.017] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\en-us\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b0 [0092.018] WriteFile (in: hFile=0x4b0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x152dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x152dfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0092.019] CloseHandle (hObject=0x4b0) returned 1 [0092.019] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0092.019] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="EppManifest.dll.mui") returned 1 [0092.019] lstrlenW (lpString="EppManifest.dll.mui") returned 19 [0092.019] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" [0092.019] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned 47 [0092.019] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\", lpString2="EppManifest.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\EppManifest.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\EppManifest.dll.mui" [0092.019] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\EppManifest.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\EppManifest.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\EppManifest.dll.mui" [0092.019] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\EppManifest.dll.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\EppManifest.dll.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\EppManifest.dll.mui id-Br3n0G72wUb8CejT.LyaS" [0092.019] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\EppManifest.dll.mui" (normalized: "c:\\program files\\windows defender\\en-us\\eppmanifest.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\EppManifest.dll.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\en-us\\eppmanifest.dll.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0092.020] FindNextFileW (in: hFindFile=0x10804c48, lpFindFileData=0x152dfd28 | out: lpFindFileData=0x152dfd28) returned 1 [0092.020] lstrcpyW (in: lpString1=0x66cf80, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" [0092.020] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned 47 [0092.020] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta" [0092.020] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\en-us\\how to restore files.hta")) returned 0x1 [0092.020] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MpAsDesc.dll.mui") returned -1 [0092.020] lstrlenW (lpString="MpAsDesc.dll.mui") returned 16 [0092.020] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" [0092.020] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned 47 [0092.020] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\", lpString2="MpAsDesc.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpAsDesc.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpAsDesc.dll.mui" [0092.020] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpAsDesc.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpAsDesc.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpAsDesc.dll.mui" [0092.020] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpAsDesc.dll.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpAsDesc.dll.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpAsDesc.dll.mui id-Br3n0G72wUb8CejT.LyaS" [0092.020] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpAsDesc.dll.mui" (normalized: "c:\\program files\\windows defender\\en-us\\mpasdesc.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpAsDesc.dll.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\en-us\\mpasdesc.dll.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0092.020] FindNextFileW (in: hFindFile=0x10804c48, lpFindFileData=0x152dfd28 | out: lpFindFileData=0x152dfd28) returned 1 [0092.020] lstrcpyW (in: lpString1=0x66cf80, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" [0092.020] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned 47 [0092.020] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta" [0092.021] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\en-us\\how to restore files.hta")) returned 0x1 [0092.021] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MpEvMsg.dll.mui") returned -1 [0092.021] lstrlenW (lpString="MpEvMsg.dll.mui") returned 15 [0092.021] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" [0092.021] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned 47 [0092.021] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\", lpString2="MpEvMsg.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpEvMsg.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpEvMsg.dll.mui" [0092.021] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpEvMsg.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpEvMsg.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpEvMsg.dll.mui" [0092.021] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpEvMsg.dll.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpEvMsg.dll.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpEvMsg.dll.mui id-Br3n0G72wUb8CejT.LyaS" [0092.021] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpEvMsg.dll.mui" (normalized: "c:\\program files\\windows defender\\en-us\\mpevmsg.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpEvMsg.dll.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\en-us\\mpevmsg.dll.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0092.021] FindNextFileW (in: hFindFile=0x10804c48, lpFindFileData=0x152dfd28 | out: lpFindFileData=0x152dfd28) returned 1 [0092.021] lstrcpyW (in: lpString1=0x66cf80, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" [0092.021] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned 47 [0092.021] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta" [0092.021] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\en-us\\how to restore files.hta")) returned 0x1 [0092.021] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="MsMpRes.dll.mui") returned -1 [0092.021] lstrlenW (lpString="MsMpRes.dll.mui") returned 15 [0092.021] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" [0092.021] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned 47 [0092.021] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\", lpString2="MsMpRes.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MsMpRes.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MsMpRes.dll.mui" [0092.021] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MsMpRes.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MsMpRes.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MsMpRes.dll.mui" [0092.021] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MsMpRes.dll.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MsMpRes.dll.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MsMpRes.dll.mui id-Br3n0G72wUb8CejT.LyaS" [0092.022] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MsMpRes.dll.mui" (normalized: "c:\\program files\\windows defender\\en-us\\msmpres.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MsMpRes.dll.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\en-us\\msmpres.dll.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0093.275] FindNextFileW (in: hFindFile=0x10804c48, lpFindFileData=0x152dfd28 | out: lpFindFileData=0x152dfd28) returned 1 [0094.124] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" [0094.124] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned 47 [0094.124] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta" [0094.124] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\en-us\\how to restore files.hta")) returned 0x1 [0094.124] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ProtectionManagement.dll.mui") returned -1 [0094.124] lstrlenW (lpString="ProtectionManagement.dll.mui") returned 28 [0094.124] lstrcmpiW (lpString1=".LyaS", lpString2="l.mui") returned -1 [0094.124] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" [0094.124] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned 47 [0094.124] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\", lpString2="ProtectionManagement.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement.dll.mui" [0094.124] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement.dll.mui" [0094.124] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement.dll.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement.dll.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement.dll.mui id-Br3n0G72wUb8CejT.LyaS" [0094.125] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement.dll.mui" (normalized: "c:\\program files\\windows defender\\en-us\\protectionmanagement.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement.dll.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\en-us\\protectionmanagement.dll.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0094.125] FindNextFileW (in: hFindFile=0x10804c48, lpFindFileData=0x152dfd28 | out: lpFindFileData=0x152dfd28) returned 1 [0094.125] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" [0094.125] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned 47 [0094.125] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta" [0094.125] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\en-us\\how to restore files.hta")) returned 0x1 [0094.125] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ProtectionManagement.mfl") returned -1 [0094.125] lstrlenW (lpString="ProtectionManagement.mfl") returned 24 [0094.125] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" [0094.125] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned 47 [0094.125] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\", lpString2="ProtectionManagement.mfl" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement.mfl") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement.mfl" [0094.125] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement.mfl" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement.mfl") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement.mfl" [0094.125] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement.mfl", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement.mfl id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement.mfl id-Br3n0G72wUb8CejT.LyaS" [0094.126] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement.mfl" (normalized: "c:\\program files\\windows defender\\en-us\\protectionmanagement.mfl"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement.mfl id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\en-us\\protectionmanagement.mfl id-br3n0g72wub8cejt.lyas")) returned 0 [0094.126] FindNextFileW (in: hFindFile=0x10804c48, lpFindFileData=0x152dfd28 | out: lpFindFileData=0x152dfd28) returned 1 [0094.126] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" [0094.126] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned 47 [0094.126] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta" [0094.126] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\en-us\\how to restore files.hta")) returned 0x1 [0094.126] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ProtectionManagement_Uninstall.mfl") returned -1 [0094.126] lstrlenW (lpString="ProtectionManagement_Uninstall.mfl") returned 34 [0094.126] lstrcmpiW (lpString1=".LyaS", lpString2="l.mfl") returned -1 [0094.126] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" [0094.126] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned 47 [0094.126] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\", lpString2="ProtectionManagement_Uninstall.mfl" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement_Uninstall.mfl") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement_Uninstall.mfl" [0094.126] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement_Uninstall.mfl" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement_Uninstall.mfl") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement_Uninstall.mfl" [0094.126] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement_Uninstall.mfl", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement_Uninstall.mfl id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement_Uninstall.mfl id-Br3n0G72wUb8CejT.LyaS" [0094.126] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement_Uninstall.mfl" (normalized: "c:\\program files\\windows defender\\en-us\\protectionmanagement_uninstall.mfl"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\ProtectionManagement_Uninstall.mfl id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\en-us\\protectionmanagement_uninstall.mfl id-br3n0g72wub8cejt.lyas")) returned 0 [0094.127] FindNextFileW (in: hFindFile=0x10804c48, lpFindFileData=0x152dfd28 | out: lpFindFileData=0x152dfd28) returned 1 [0094.127] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" [0094.127] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned 47 [0094.127] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta" [0094.127] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows defender\\en-us\\how to restore files.hta")) returned 0x1 [0094.127] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="shellext.dll.mui") returned -1 [0094.127] lstrlenW (lpString="shellext.dll.mui") returned 16 [0094.127] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" [0094.127] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned 47 [0094.127] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\", lpString2="shellext.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\shellext.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\shellext.dll.mui" [0094.127] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\shellext.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\shellext.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\shellext.dll.mui" [0094.127] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\shellext.dll.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\shellext.dll.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\shellext.dll.mui id-Br3n0G72wUb8CejT.LyaS" [0094.127] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\shellext.dll.mui" (normalized: "c:\\program files\\windows defender\\en-us\\shellext.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\shellext.dll.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows defender\\en-us\\shellext.dll.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0094.128] FindNextFileW (in: hFindFile=0x10804c48, lpFindFileData=0x152dfd28 | out: lpFindFileData=0x152dfd28) returned 0 [0094.128] FindClose (in: hFindFile=0x10804c48 | out: hFindFile=0x10804c48) returned 1 Thread: id = 285 os_tid = 0xec0 [0091.878] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*", lpFindFileData=0x1541fd28 | out: lpFindFileData=0x1541fd28) returned 0x2c9ea88 [0094.285] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.285] FindNextFileW (in: hFindFile=0x2c9ea88, lpFindFileData=0x1541fd28 | out: lpFindFileData=0x1541fd28) returned 1 [0094.285] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0094.285] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.285] FindNextFileW (in: hFindFile=0x2c9ea88, lpFindFileData=0x1541fd28 | out: lpFindFileData=0x1541fd28) returned 1 [0094.285] lstrcpyW (in: lpString1=0x10608200, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" [0094.285] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned 92 [0094.285] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0094.285] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0094.285] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0095.732] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1541fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1541fcf0, lpOverlapped=0x0) returned 0 [0095.732] CloseHandle (hObject=0xffffffff) returned 1 [0095.732] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.733] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.733] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.733] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" [0095.733] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned 92 [0095.733] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.733] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.733] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.733] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0096.377] FindNextFileW (in: hFindFile=0x2c9ea88, lpFindFileData=0x1541fd28 | out: lpFindFileData=0x1541fd28) returned 1 [0097.132] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" [0097.132] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned 92 [0097.132] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.132] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.133] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.133] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1541fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1541fcf0, lpOverlapped=0x0) returned 0 [0097.133] CloseHandle (hObject=0xffffffff) returned 1 [0097.133] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.133] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxManifest.xml") returned 1 [0097.133] lstrlenW (lpString="AppxManifest.xml") returned 16 [0097.133] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" [0097.133] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned 92 [0097.133] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\", lpString2="AppxManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxManifest.xml" [0097.134] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxManifest.xml" [0097.134] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxManifest.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS" [0097.134] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxManifest.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\appxmanifest.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\appxmanifest.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0097.134] FindNextFileW (in: hFindFile=0x2c9ea88, lpFindFileData=0x1541fd28 | out: lpFindFileData=0x1541fd28) returned 1 [0097.134] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0097.135] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0097.135] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 [0097.139] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" [0097.139] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned 92 [0097.139] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\", lpString2="AppxMetadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata" [0097.139] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\*.*" [0097.139] GlobalMemoryStatus (in: lpBuffer=0x1541fd08 | out: lpBuffer=0x1541fd08) [0097.140] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8da96b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4fc [0097.140] CloseHandle (hObject=0x4fc) returned 1 [0097.140] FindNextFileW (in: hFindFile=0x2c9ea88, lpFindFileData=0x1541fd28 | out: lpFindFileData=0x1541fd28) returned 1 [0097.141] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" [0097.141] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned 92 [0097.141] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.141] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.141] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.141] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1541fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1541fcf0, lpOverlapped=0x0) returned 0 [0097.141] CloseHandle (hObject=0xffffffff) returned 1 [0097.141] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.142] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxSignature.p7x") returned 1 [0097.142] lstrlenW (lpString="AppxSignature.p7x") returned 17 [0097.142] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" [0097.142] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned 92 [0097.142] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\", lpString2="AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxSignature.p7x" [0097.142] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxSignature.p7x" [0097.142] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxSignature.p7x", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" [0097.142] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxSignature.p7x" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\appxsignature.p7x"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\appxsignature.p7x id-br3n0g72wub8cejt.lyas")) returned 0 [0097.143] FindNextFileW (in: hFindFile=0x2c9ea88, lpFindFileData=0x1541fd28 | out: lpFindFileData=0x1541fd28) returned 1 [0097.143] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" [0097.143] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned 92 [0097.143] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.143] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.143] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.143] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1541fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1541fcf0, lpOverlapped=0x0) returned 0 [0097.143] CloseHandle (hObject=0xffffffff) returned 1 [0097.144] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.144] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="logo.png") returned -1 [0097.144] lstrlenW (lpString="logo.png") returned 8 [0097.144] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" [0097.144] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned 92 [0097.144] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\", lpString2="logo.png" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\logo.png") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\logo.png" [0097.144] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\logo.png" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\logo.png") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\logo.png" [0097.144] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\logo.png", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\logo.png id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\logo.png id-Br3n0G72wUb8CejT.LyaS" [0097.144] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\logo.png" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\logo.png"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\logo.png id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\logo.png id-br3n0g72wub8cejt.lyas")) returned 0 [0097.946] FindNextFileW (in: hFindFile=0x2c9ea88, lpFindFileData=0x1541fd28 | out: lpFindFileData=0x1541fd28) returned 1 [0097.946] lstrcmpW (lpString1=".", lpString2="microsoft.system.package.metadata") returned -1 [0097.946] lstrcmpW (lpString1="..", lpString2="microsoft.system.package.metadata") returned -1 [0097.946] lstrcmpiW (lpString1="windows", lpString2="microsoft.system.package.metadata") returned 1 [0097.946] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" [0097.946] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned 92 [0097.946] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\", lpString2="microsoft.system.package.metadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\microsoft.system.package.metadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\microsoft.system.package.metadata" [0097.946] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\microsoft.system.package.metadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*" [0097.946] GlobalMemoryStatus (in: lpBuffer=0x1541fd08 | out: lpBuffer=0x1541fd08) [0097.946] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10c518f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4f8 [0097.947] CloseHandle (hObject=0x4f8) returned 1 [0097.951] FindNextFileW (in: hFindFile=0x2c9ea88, lpFindFileData=0x1541fd28 | out: lpFindFileData=0x1541fd28) returned 1 [0097.951] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" [0097.951] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned 92 [0097.951] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.951] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.951] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.952] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1541fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1541fcf0, lpOverlapped=0x0) returned 0 [0097.952] CloseHandle (hObject=0xffffffff) returned 1 [0097.952] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.952] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msvcp120_app.dll") returned -1 [0097.952] lstrlenW (lpString="msvcp120_app.dll") returned 16 [0097.952] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" [0097.952] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned 92 [0097.952] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\", lpString2="msvcp120_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\msvcp120_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\msvcp120_app.dll" [0097.952] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\msvcp120_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\msvcp120_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\msvcp120_app.dll" [0097.952] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\msvcp120_app.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\msvcp120_app.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\msvcp120_app.dll id-Br3n0G72wUb8CejT.LyaS" [0097.952] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\msvcp120_app.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\msvcp120_app.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\msvcp120_app.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\msvcp120_app.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0097.953] FindNextFileW (in: hFindFile=0x2c9ea88, lpFindFileData=0x1541fd28 | out: lpFindFileData=0x1541fd28) returned 1 [0097.953] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" [0097.953] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned 92 [0097.953] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.954] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.954] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.954] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1541fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1541fcf0, lpOverlapped=0x0) returned 0 [0097.954] CloseHandle (hObject=0xffffffff) returned 1 [0097.954] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.954] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msvcr120_app.dll") returned -1 [0097.955] lstrlenW (lpString="msvcr120_app.dll") returned 16 [0097.955] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" [0097.955] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned 92 [0097.956] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\", lpString2="msvcr120_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\msvcr120_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\msvcr120_app.dll" [0097.956] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\msvcr120_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\msvcr120_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\msvcr120_app.dll" [0097.956] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\msvcr120_app.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\msvcr120_app.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\msvcr120_app.dll id-Br3n0G72wUb8CejT.LyaS" [0097.956] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\msvcr120_app.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\msvcr120_app.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\msvcr120_app.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\msvcr120_app.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0097.957] FindNextFileW (in: hFindFile=0x2c9ea88, lpFindFileData=0x1541fd28 | out: lpFindFileData=0x1541fd28) returned 1 [0097.957] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" [0097.957] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned 92 [0097.957] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.957] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.957] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.957] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1541fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1541fcf0, lpOverlapped=0x0) returned 0 [0097.957] CloseHandle (hObject=0xffffffff) returned 1 [0097.958] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.958] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="vcamp120_app.dll") returned -1 [0097.958] lstrlenW (lpString="vcamp120_app.dll") returned 16 [0097.958] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" [0097.958] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned 92 [0097.958] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\", lpString2="vcamp120_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vcamp120_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vcamp120_app.dll" [0097.958] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vcamp120_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vcamp120_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vcamp120_app.dll" [0097.958] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vcamp120_app.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vcamp120_app.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vcamp120_app.dll id-Br3n0G72wUb8CejT.LyaS" [0097.958] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vcamp120_app.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vcamp120_app.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vcamp120_app.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vcamp120_app.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.173] FindNextFileW (in: hFindFile=0x2c9ea88, lpFindFileData=0x1541fd28 | out: lpFindFileData=0x1541fd28) returned 1 [0098.173] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" [0098.173] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned 92 [0098.173] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.174] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.174] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.174] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1541fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1541fcf0, lpOverlapped=0x0) returned 0 [0098.174] CloseHandle (hObject=0xffffffff) returned 1 [0098.174] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.175] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="vccorlib120_app.dll") returned -1 [0098.175] lstrlenW (lpString="vccorlib120_app.dll") returned 19 [0098.175] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" [0098.175] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned 92 [0098.175] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\", lpString2="vccorlib120_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vccorlib120_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vccorlib120_app.dll" [0098.175] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vccorlib120_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vccorlib120_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vccorlib120_app.dll" [0098.175] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vccorlib120_app.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vccorlib120_app.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vccorlib120_app.dll id-Br3n0G72wUb8CejT.LyaS" [0098.175] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vccorlib120_app.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vccorlib120_app.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vccorlib120_app.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vccorlib120_app.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.175] FindNextFileW (in: hFindFile=0x2c9ea88, lpFindFileData=0x1541fd28 | out: lpFindFileData=0x1541fd28) returned 1 [0098.175] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" [0098.175] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned 92 [0098.175] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.175] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.176] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.176] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1541fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1541fcf0, lpOverlapped=0x0) returned 0 [0098.176] CloseHandle (hObject=0xffffffff) returned 1 [0098.176] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.176] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="vcomp120_app.dll") returned -1 [0098.176] lstrlenW (lpString="vcomp120_app.dll") returned 16 [0098.176] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*" [0098.176] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\*.*") returned 92 [0098.176] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\", lpString2="vcomp120_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vcomp120_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vcomp120_app.dll" [0098.176] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vcomp120_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vcomp120_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vcomp120_app.dll" [0098.176] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vcomp120_app.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vcomp120_app.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vcomp120_app.dll id-Br3n0G72wUb8CejT.LyaS" [0098.177] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vcomp120_app.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vcomp120_app.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vcomp120_app.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\vcomp120_app.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.177] FindNextFileW (in: hFindFile=0x2c9ea88, lpFindFileData=0x1541fd28 | out: lpFindFileData=0x1541fd28) returned 0 [0098.177] FindClose (in: hFindFile=0x2c9ea88 | out: hFindFile=0x2c9ea88) returned 1 Thread: id = 286 os_tid = 0x11c [0091.879] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*", lpFindFileData=0x1555fd28 | out: lpFindFileData=0x1555fd28) returned 0x2c9e408 [0094.283] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.283] FindNextFileW (in: hFindFile=0x2c9e408, lpFindFileData=0x1555fd28 | out: lpFindFileData=0x1555fd28) returned 1 [0094.283] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0094.283] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.283] FindNextFileW (in: hFindFile=0x2c9e408, lpFindFileData=0x1555fd28 | out: lpFindFileData=0x1555fd28) returned 1 [0094.283] lstrcpyW (in: lpString1=0x5aa0478, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" [0094.283] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned 92 [0094.284] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0094.284] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0094.284] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0095.735] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1555fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1555fcf0, lpOverlapped=0x0) returned 0 [0095.735] CloseHandle (hObject=0xffffffff) returned 1 [0095.735] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.736] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.736] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.736] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" [0095.736] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned 92 [0095.736] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.736] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.736] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.736] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0096.374] FindNextFileW (in: hFindFile=0x2c9e408, lpFindFileData=0x1555fd28 | out: lpFindFileData=0x1555fd28) returned 1 [0097.187] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" [0097.187] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned 92 [0097.187] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.187] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.187] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.188] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1555fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1555fcf0, lpOverlapped=0x0) returned 0 [0097.188] CloseHandle (hObject=0xffffffff) returned 1 [0097.188] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.188] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxManifest.xml") returned 1 [0097.188] lstrlenW (lpString="AppxManifest.xml") returned 16 [0097.188] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" [0097.188] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned 92 [0097.188] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\", lpString2="AppxManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxManifest.xml" [0097.188] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxManifest.xml" [0097.188] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxManifest.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS" [0097.188] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxManifest.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\appxmanifest.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\appxmanifest.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0098.000] FindNextFileW (in: hFindFile=0x2c9e408, lpFindFileData=0x1555fd28 | out: lpFindFileData=0x1555fd28) returned 1 [0098.000] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0098.000] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0098.001] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 [0098.008] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" [0098.008] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned 92 [0098.008] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\", lpString2="AppxMetadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxMetadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxMetadata" [0098.008] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxMetadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*" [0098.008] GlobalMemoryStatus (in: lpBuffer=0x1555fd08 | out: lpBuffer=0x1555fd08) [0098.009] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x215b9b68, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x584 [0098.012] CloseHandle (hObject=0x584) returned 1 [0098.012] FindNextFileW (in: hFindFile=0x2c9e408, lpFindFileData=0x1555fd28 | out: lpFindFileData=0x1555fd28) returned 1 [0098.012] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" [0098.012] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned 92 [0098.012] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.012] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.012] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.013] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1555fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1555fcf0, lpOverlapped=0x0) returned 0 [0098.013] CloseHandle (hObject=0xffffffff) returned 1 [0098.013] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.013] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxSignature.p7x") returned 1 [0098.013] lstrlenW (lpString="AppxSignature.p7x") returned 17 [0098.013] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" [0098.013] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned 92 [0098.013] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\", lpString2="AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x" [0098.013] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x" [0098.013] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" [0098.013] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\appxsignature.p7x"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\appxsignature.p7x id-br3n0g72wub8cejt.lyas")) returned 0 [0098.014] FindNextFileW (in: hFindFile=0x2c9e408, lpFindFileData=0x1555fd28 | out: lpFindFileData=0x1555fd28) returned 1 [0098.014] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" [0098.014] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned 92 [0098.014] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.014] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.014] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.014] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1555fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1555fcf0, lpOverlapped=0x0) returned 0 [0098.014] CloseHandle (hObject=0xffffffff) returned 1 [0098.015] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.015] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="concrt140_app.dll") returned 1 [0098.015] lstrlenW (lpString="concrt140_app.dll") returned 17 [0098.015] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" [0098.015] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned 92 [0098.015] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\", lpString2="concrt140_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\concrt140_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\concrt140_app.dll" [0098.015] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\concrt140_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\concrt140_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\concrt140_app.dll" [0098.015] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\concrt140_app.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\concrt140_app.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\concrt140_app.dll id-Br3n0G72wUb8CejT.LyaS" [0098.015] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\concrt140_app.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\concrt140_app.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\concrt140_app.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\concrt140_app.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.191] FindNextFileW (in: hFindFile=0x2c9e408, lpFindFileData=0x1555fd28 | out: lpFindFileData=0x1555fd28) returned 1 [0098.191] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" [0098.191] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned 92 [0098.191] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.191] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.191] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.191] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1555fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1555fcf0, lpOverlapped=0x0) returned 0 [0098.191] CloseHandle (hObject=0xffffffff) returned 1 [0098.191] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.192] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="logo.png") returned -1 [0098.192] lstrlenW (lpString="logo.png") returned 8 [0098.192] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" [0098.192] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned 92 [0098.192] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\", lpString2="logo.png" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\logo.png") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\logo.png" [0098.192] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\logo.png" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\logo.png") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\logo.png" [0098.192] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\logo.png", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\logo.png id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\logo.png id-Br3n0G72wUb8CejT.LyaS" [0098.192] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\logo.png" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\logo.png"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\logo.png id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\logo.png id-br3n0g72wub8cejt.lyas")) returned 0 [0098.192] FindNextFileW (in: hFindFile=0x2c9e408, lpFindFileData=0x1555fd28 | out: lpFindFileData=0x1555fd28) returned 1 [0098.192] lstrcmpW (lpString1=".", lpString2="microsoft.system.package.metadata") returned -1 [0098.192] lstrcmpW (lpString1="..", lpString2="microsoft.system.package.metadata") returned -1 [0098.192] lstrcmpiW (lpString1="windows", lpString2="microsoft.system.package.metadata") returned 1 [0098.198] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" [0098.198] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned 92 [0098.198] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\", lpString2="microsoft.system.package.metadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata" [0098.199] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*" [0098.199] GlobalMemoryStatus (in: lpBuffer=0x1555fd08 | out: lpBuffer=0x1555fd08) [0098.199] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x216a9f78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5f0 [0098.200] CloseHandle (hObject=0x5f0) returned 1 [0098.200] FindNextFileW (in: hFindFile=0x2c9e408, lpFindFileData=0x1555fd28 | out: lpFindFileData=0x1555fd28) returned 1 [0098.200] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" [0098.200] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned 92 [0098.200] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.200] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.200] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.201] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1555fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1555fcf0, lpOverlapped=0x0) returned 0 [0098.201] CloseHandle (hObject=0xffffffff) returned 1 [0098.201] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.201] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msvcp140_app.dll") returned -1 [0098.201] lstrlenW (lpString="msvcp140_app.dll") returned 16 [0098.201] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" [0098.201] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned 92 [0098.201] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\", lpString2="msvcp140_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\msvcp140_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\msvcp140_app.dll" [0098.201] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\msvcp140_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\msvcp140_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\msvcp140_app.dll" [0098.201] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\msvcp140_app.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\msvcp140_app.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\msvcp140_app.dll id-Br3n0G72wUb8CejT.LyaS" [0098.201] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\msvcp140_app.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\msvcp140_app.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\msvcp140_app.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\msvcp140_app.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.222] FindNextFileW (in: hFindFile=0x2c9e408, lpFindFileData=0x1555fd28 | out: lpFindFileData=0x1555fd28) returned 1 [0098.222] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" [0098.222] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned 92 [0098.222] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.223] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.223] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.223] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1555fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1555fcf0, lpOverlapped=0x0) returned 0 [0098.223] CloseHandle (hObject=0xffffffff) returned 1 [0098.223] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.224] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="vcamp140_app.dll") returned -1 [0098.224] lstrlenW (lpString="vcamp140_app.dll") returned 16 [0098.224] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" [0098.224] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned 92 [0098.224] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\", lpString2="vcamp140_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcamp140_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcamp140_app.dll" [0098.224] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcamp140_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcamp140_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcamp140_app.dll" [0098.224] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcamp140_app.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcamp140_app.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcamp140_app.dll id-Br3n0G72wUb8CejT.LyaS" [0098.224] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcamp140_app.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcamp140_app.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcamp140_app.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcamp140_app.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.239] FindNextFileW (in: hFindFile=0x2c9e408, lpFindFileData=0x1555fd28 | out: lpFindFileData=0x1555fd28) returned 1 [0098.239] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" [0098.239] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned 92 [0098.239] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.240] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.240] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.240] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1555fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1555fcf0, lpOverlapped=0x0) returned 0 [0098.240] CloseHandle (hObject=0xffffffff) returned 1 [0098.240] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.241] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="vccorlib140_app.dll") returned -1 [0098.241] lstrlenW (lpString="vccorlib140_app.dll") returned 19 [0098.241] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" [0098.241] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned 92 [0098.241] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\", lpString2="vccorlib140_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vccorlib140_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vccorlib140_app.dll" [0098.241] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vccorlib140_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vccorlib140_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vccorlib140_app.dll" [0098.241] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vccorlib140_app.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vccorlib140_app.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vccorlib140_app.dll id-Br3n0G72wUb8CejT.LyaS" [0098.241] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vccorlib140_app.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vccorlib140_app.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vccorlib140_app.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vccorlib140_app.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.247] FindNextFileW (in: hFindFile=0x2c9e408, lpFindFileData=0x1555fd28 | out: lpFindFileData=0x1555fd28) returned 1 [0098.247] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" [0098.247] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned 92 [0098.247] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.247] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.248] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.248] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1555fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1555fcf0, lpOverlapped=0x0) returned 0 [0098.248] CloseHandle (hObject=0xffffffff) returned 1 [0098.248] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.248] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="vcomp140_app.dll") returned -1 [0098.249] lstrlenW (lpString="vcomp140_app.dll") returned 16 [0098.249] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" [0098.249] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned 92 [0098.249] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\", lpString2="vcomp140_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcomp140_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcomp140_app.dll" [0098.249] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcomp140_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcomp140_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcomp140_app.dll" [0098.249] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcomp140_app.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcomp140_app.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcomp140_app.dll id-Br3n0G72wUb8CejT.LyaS" [0098.249] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcomp140_app.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcomp140_app.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcomp140_app.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcomp140_app.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.249] FindNextFileW (in: hFindFile=0x2c9e408, lpFindFileData=0x1555fd28 | out: lpFindFileData=0x1555fd28) returned 1 [0098.249] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" [0098.249] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned 92 [0098.249] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.249] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.249] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.250] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1555fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1555fcf0, lpOverlapped=0x0) returned 0 [0098.250] CloseHandle (hObject=0xffffffff) returned 1 [0098.250] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.250] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="vcruntime140_app.dll") returned -1 [0098.250] lstrlenW (lpString="vcruntime140_app.dll") returned 20 [0098.250] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*" [0098.250] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\*.*") returned 92 [0098.250] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\", lpString2="vcruntime140_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcruntime140_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcruntime140_app.dll" [0098.250] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcruntime140_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcruntime140_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcruntime140_app.dll" [0098.250] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcruntime140_app.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcruntime140_app.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcruntime140_app.dll id-Br3n0G72wUb8CejT.LyaS" [0098.250] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcruntime140_app.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcruntime140_app.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcruntime140_app.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\vcruntime140_app.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.251] FindNextFileW (in: hFindFile=0x2c9e408, lpFindFileData=0x1555fd28 | out: lpFindFileData=0x1555fd28) returned 0 [0098.251] FindClose (in: hFindFile=0x2c9e408 | out: hFindFile=0x2c9e408) returned 1 Thread: id = 287 os_tid = 0x83c [0091.880] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*", lpFindFileData=0x1569fd28 | out: lpFindFileData=0x1569fd28) returned 0x2c9ea08 [0094.282] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.282] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0x1569fd28 | out: lpFindFileData=0x1569fd28) returned 1 [0094.282] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0094.282] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.282] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0x1569fd28 | out: lpFindFileData=0x1569fd28) returned 1 [0094.282] lstrcpyW (in: lpString1=0x5a98470, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" [0094.283] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned 92 [0094.283] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0094.283] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0094.283] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0095.737] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1569fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1569fcf0, lpOverlapped=0x0) returned 0 [0095.737] CloseHandle (hObject=0xffffffff) returned 1 [0095.737] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.737] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.737] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.737] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" [0095.737] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned 92 [0095.738] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.738] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.738] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.738] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0096.374] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0x1569fd28 | out: lpFindFileData=0x1569fd28) returned 1 [0097.189] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" [0097.189] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned 92 [0097.189] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.189] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.189] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.189] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1569fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1569fcf0, lpOverlapped=0x0) returned 0 [0097.189] CloseHandle (hObject=0xffffffff) returned 1 [0097.189] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.190] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxManifest.xml") returned 1 [0097.190] lstrlenW (lpString="AppxManifest.xml") returned 16 [0097.190] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" [0097.190] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned 92 [0097.190] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\", lpString2="AppxManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxManifest.xml" [0097.190] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxManifest.xml" [0097.190] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxManifest.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS" [0097.190] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxManifest.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\appxmanifest.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\appxmanifest.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0097.190] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0x1569fd28 | out: lpFindFileData=0x1569fd28) returned 1 [0097.190] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0097.190] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0097.190] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 [0097.191] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" [0097.191] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned 92 [0097.191] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\", lpString2="AppxMetadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata" [0097.191] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\*.*" [0097.191] GlobalMemoryStatus (in: lpBuffer=0x1569fd08 | out: lpBuffer=0x1569fd08) [0097.191] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10608250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0097.192] CloseHandle (hObject=0x430) returned 1 [0097.192] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0x1569fd28 | out: lpFindFileData=0x1569fd28) returned 1 [0097.192] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" [0097.192] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned 92 [0097.192] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.192] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.193] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.193] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1569fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1569fcf0, lpOverlapped=0x0) returned 0 [0097.193] CloseHandle (hObject=0xffffffff) returned 1 [0097.193] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.193] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxSignature.p7x") returned 1 [0097.193] lstrlenW (lpString="AppxSignature.p7x") returned 17 [0097.193] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" [0097.194] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned 92 [0097.194] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\", lpString2="AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxSignature.p7x" [0097.194] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxSignature.p7x" [0097.194] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxSignature.p7x", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" [0097.194] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxSignature.p7x" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\appxsignature.p7x"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\appxsignature.p7x id-br3n0g72wub8cejt.lyas")) returned 0 [0097.194] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0x1569fd28 | out: lpFindFileData=0x1569fd28) returned 1 [0097.194] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" [0097.194] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned 92 [0097.194] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.194] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.194] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.195] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1569fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1569fcf0, lpOverlapped=0x0) returned 0 [0097.195] CloseHandle (hObject=0xffffffff) returned 1 [0097.195] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.195] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="concrt140_app.dll") returned 1 [0097.195] lstrlenW (lpString="concrt140_app.dll") returned 17 [0097.195] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" [0097.195] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned 92 [0097.195] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\", lpString2="concrt140_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\concrt140_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\concrt140_app.dll" [0097.195] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\concrt140_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\concrt140_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\concrt140_app.dll" [0097.195] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\concrt140_app.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\concrt140_app.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\concrt140_app.dll id-Br3n0G72wUb8CejT.LyaS" [0097.195] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\concrt140_app.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\concrt140_app.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\concrt140_app.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\concrt140_app.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.016] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0x1569fd28 | out: lpFindFileData=0x1569fd28) returned 1 [0098.016] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" [0098.016] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned 92 [0098.016] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.016] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.016] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.017] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1569fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1569fcf0, lpOverlapped=0x0) returned 0 [0098.017] CloseHandle (hObject=0xffffffff) returned 1 [0098.017] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.017] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="logo.png") returned -1 [0098.017] lstrlenW (lpString="logo.png") returned 8 [0098.017] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" [0098.017] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned 92 [0098.017] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\", lpString2="logo.png" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\logo.png") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\logo.png" [0098.017] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\logo.png" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\logo.png") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\logo.png" [0098.017] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\logo.png", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\logo.png id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\logo.png id-Br3n0G72wUb8CejT.LyaS" [0098.018] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\logo.png" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\logo.png"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\logo.png id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\logo.png id-br3n0g72wub8cejt.lyas")) returned 0 [0098.018] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0x1569fd28 | out: lpFindFileData=0x1569fd28) returned 1 [0098.018] lstrcmpW (lpString1=".", lpString2="microsoft.system.package.metadata") returned -1 [0098.018] lstrcmpW (lpString1="..", lpString2="microsoft.system.package.metadata") returned -1 [0098.018] lstrcmpiW (lpString1="windows", lpString2="microsoft.system.package.metadata") returned 1 [0098.023] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" [0098.023] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned 92 [0098.023] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\", lpString2="microsoft.system.package.metadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\microsoft.system.package.metadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\microsoft.system.package.metadata" [0098.023] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\microsoft.system.package.metadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*" [0098.023] GlobalMemoryStatus (in: lpBuffer=0x1569fd08 | out: lpBuffer=0x1569fd08) [0098.023] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x215d1bd0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x584 [0098.024] CloseHandle (hObject=0x584) returned 1 [0098.024] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0x1569fd28 | out: lpFindFileData=0x1569fd28) returned 1 [0098.024] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" [0098.024] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned 92 [0098.024] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.024] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.024] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.027] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1569fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1569fcf0, lpOverlapped=0x0) returned 0 [0098.027] CloseHandle (hObject=0xffffffff) returned 1 [0098.027] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.027] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msvcp140_app.dll") returned -1 [0098.027] lstrlenW (lpString="msvcp140_app.dll") returned 16 [0098.027] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" [0098.027] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned 92 [0098.027] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\", lpString2="msvcp140_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\msvcp140_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\msvcp140_app.dll" [0098.028] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\msvcp140_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\msvcp140_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\msvcp140_app.dll" [0098.028] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\msvcp140_app.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\msvcp140_app.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\msvcp140_app.dll id-Br3n0G72wUb8CejT.LyaS" [0098.028] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\msvcp140_app.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\msvcp140_app.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\msvcp140_app.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\msvcp140_app.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.202] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0x1569fd28 | out: lpFindFileData=0x1569fd28) returned 1 [0098.202] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" [0098.202] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned 92 [0098.202] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.202] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.202] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.203] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1569fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1569fcf0, lpOverlapped=0x0) returned 0 [0098.203] CloseHandle (hObject=0xffffffff) returned 1 [0098.203] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.203] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="vcamp140_app.dll") returned -1 [0098.203] lstrlenW (lpString="vcamp140_app.dll") returned 16 [0098.203] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" [0098.203] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned 92 [0098.203] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\", lpString2="vcamp140_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcamp140_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcamp140_app.dll" [0098.203] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcamp140_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcamp140_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcamp140_app.dll" [0098.203] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcamp140_app.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcamp140_app.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcamp140_app.dll id-Br3n0G72wUb8CejT.LyaS" [0098.203] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcamp140_app.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcamp140_app.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcamp140_app.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcamp140_app.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.204] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0x1569fd28 | out: lpFindFileData=0x1569fd28) returned 1 [0098.204] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" [0098.204] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned 92 [0098.204] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.204] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.204] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.204] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1569fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1569fcf0, lpOverlapped=0x0) returned 0 [0098.205] CloseHandle (hObject=0xffffffff) returned 1 [0098.205] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.205] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="vccorlib140_app.dll") returned -1 [0098.205] lstrlenW (lpString="vccorlib140_app.dll") returned 19 [0098.205] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" [0098.205] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned 92 [0098.205] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\", lpString2="vccorlib140_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vccorlib140_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vccorlib140_app.dll" [0098.205] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vccorlib140_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vccorlib140_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vccorlib140_app.dll" [0098.205] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vccorlib140_app.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vccorlib140_app.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vccorlib140_app.dll id-Br3n0G72wUb8CejT.LyaS" [0098.205] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vccorlib140_app.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vccorlib140_app.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vccorlib140_app.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vccorlib140_app.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.225] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0x1569fd28 | out: lpFindFileData=0x1569fd28) returned 1 [0098.225] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" [0098.225] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned 92 [0098.225] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.225] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.225] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.226] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1569fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1569fcf0, lpOverlapped=0x0) returned 0 [0098.226] CloseHandle (hObject=0xffffffff) returned 1 [0098.226] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.226] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="vcomp140_app.dll") returned -1 [0098.226] lstrlenW (lpString="vcomp140_app.dll") returned 16 [0098.226] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" [0098.226] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned 92 [0098.226] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\", lpString2="vcomp140_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcomp140_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcomp140_app.dll" [0098.227] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcomp140_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcomp140_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcomp140_app.dll" [0098.227] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcomp140_app.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcomp140_app.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcomp140_app.dll id-Br3n0G72wUb8CejT.LyaS" [0098.227] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcomp140_app.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcomp140_app.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcomp140_app.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcomp140_app.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.227] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0x1569fd28 | out: lpFindFileData=0x1569fd28) returned 1 [0098.227] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" [0098.227] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned 92 [0098.227] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.227] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.227] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.228] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1569fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1569fcf0, lpOverlapped=0x0) returned 0 [0098.228] CloseHandle (hObject=0xffffffff) returned 1 [0098.228] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.228] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="vcruntime140_app.dll") returned -1 [0098.228] lstrlenW (lpString="vcruntime140_app.dll") returned 20 [0098.228] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*" [0098.228] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\*.*") returned 92 [0098.228] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\", lpString2="vcruntime140_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcruntime140_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcruntime140_app.dll" [0098.228] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcruntime140_app.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcruntime140_app.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcruntime140_app.dll" [0098.228] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcruntime140_app.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcruntime140_app.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcruntime140_app.dll id-Br3n0G72wUb8CejT.LyaS" [0098.228] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcruntime140_app.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcruntime140_app.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcruntime140_app.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\vcruntime140_app.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.229] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0x1569fd28 | out: lpFindFileData=0x1569fd28) returned 0 [0098.229] FindClose (in: hFindFile=0x2c9ea08 | out: hFindFile=0x2c9ea08) returned 1 Thread: id = 288 os_tid = 0xa1c [0091.881] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*", lpFindFileData=0x157dfd28 | out: lpFindFileData=0x157dfd28) returned 0x2c9e508 [0093.272] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.272] FindNextFileW (in: hFindFile=0x2c9e508, lpFindFileData=0x157dfd28 | out: lpFindFileData=0x157dfd28) returned 1 [0093.272] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.272] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.272] FindNextFileW (in: hFindFile=0x2c9e508, lpFindFileData=0x157dfd28 | out: lpFindFileData=0x157dfd28) returned 1 [0094.148] lstrcpyW (in: lpString1=0x8d89648, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0094.148] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0094.148] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0094.148] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0094.148] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.362] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x157dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x157dfcf0, lpOverlapped=0x0) returned 0 [0094.362] CloseHandle (hObject=0xffffffff) returned 1 [0094.362] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.742] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppCore.Windows.dll") returned 1 [0095.742] lstrlenW (lpString="AppCore.Windows.dll") returned 19 [0095.742] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0095.742] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0095.742] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="AppCore.Windows.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppCore.Windows.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppCore.Windows.dll" [0095.742] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppCore.Windows.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppCore.Windows.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppCore.Windows.dll" [0095.742] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppCore.Windows.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppCore.Windows.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppCore.Windows.dll id-Br3n0G72wUb8CejT.LyaS" [0095.743] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppCore.Windows.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\appcore.windows.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppCore.Windows.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\appcore.windows.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0095.748] FindNextFileW (in: hFindFile=0x2c9e508, lpFindFileData=0x157dfd28 | out: lpFindFileData=0x157dfd28) returned 1 [0095.748] lstrcmpW (lpString1=".", lpString2="AppCS") returned -1 [0095.748] lstrcmpW (lpString1="..", lpString2="AppCS") returned -1 [0095.748] lstrcmpiW (lpString1="windows", lpString2="AppCS") returned 1 [0095.748] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0095.748] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0095.748] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="AppCS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppCS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppCS" [0095.748] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppCS", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppCS\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppCS\\*.*" [0095.748] GlobalMemoryStatus (in: lpBuffer=0x157dfd08 | out: lpBuffer=0x157dfd08) [0095.749] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10680458, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x33c [0095.750] CloseHandle (hObject=0x33c) returned 1 [0095.750] FindNextFileW (in: hFindFile=0x2c9e508, lpFindFileData=0x157dfd28 | out: lpFindFileData=0x157dfd28) returned 1 [0095.750] lstrcpyW (in: lpString1=0x3e2f378, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0095.750] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0095.750] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0095.750] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0095.750] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0095.751] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x157dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x157dfcf0, lpOverlapped=0x0) returned 0 [0095.752] CloseHandle (hObject=0xffffffff) returned 1 [0095.752] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.752] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.752] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.752] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0095.752] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0095.752] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.752] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.753] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0096.373] FindNextFileW (in: hFindFile=0x2c9e508, lpFindFileData=0x157dfd28 | out: lpFindFileData=0x157dfd28) returned 1 [0097.196] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0097.196] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0097.196] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.196] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.196] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.196] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x157dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x157dfcf0, lpOverlapped=0x0) returned 0 [0097.196] CloseHandle (hObject=0xffffffff) returned 1 [0097.196] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.197] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxManifest.xml") returned 1 [0097.197] lstrlenW (lpString="AppxManifest.xml") returned 16 [0097.197] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0097.197] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0097.197] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="AppxManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxManifest.xml" [0097.197] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxManifest.xml" [0097.197] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxManifest.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS" [0097.197] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxManifest.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\appxmanifest.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\appxmanifest.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0098.029] FindNextFileW (in: hFindFile=0x2c9e508, lpFindFileData=0x157dfd28 | out: lpFindFileData=0x157dfd28) returned 1 [0098.029] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0098.029] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0098.029] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 [0098.034] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0098.034] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0098.034] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="AppxMetadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxMetadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxMetadata" [0098.034] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxMetadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*" [0098.034] GlobalMemoryStatus (in: lpBuffer=0x157dfd08 | out: lpBuffer=0x157dfd08) [0098.034] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x215e9c38, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x584 [0098.035] CloseHandle (hObject=0x584) returned 1 [0098.035] FindNextFileW (in: hFindFile=0x2c9e508, lpFindFileData=0x157dfd28 | out: lpFindFileData=0x157dfd28) returned 1 [0098.035] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0098.035] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0098.035] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.035] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.035] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.036] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x157dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x157dfcf0, lpOverlapped=0x0) returned 0 [0098.036] CloseHandle (hObject=0xffffffff) returned 1 [0098.036] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.036] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxSignature.p7x") returned 1 [0098.036] lstrlenW (lpString="AppxSignature.p7x") returned 17 [0098.036] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0098.036] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0098.036] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x" [0098.036] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x" [0098.036] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" [0098.036] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\appxsignature.p7x"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\appxsignature.p7x id-br3n0g72wub8cejt.lyas")) returned 0 [0098.037] FindNextFileW (in: hFindFile=0x2c9e508, lpFindFileData=0x157dfd28 | out: lpFindFileData=0x157dfd28) returned 1 [0098.037] lstrcmpW (lpString1=".", lpString2="Assets") returned -1 [0098.037] lstrcmpW (lpString1="..", lpString2="Assets") returned -1 [0098.037] lstrcmpiW (lpString1="windows", lpString2="Assets") returned 1 [0098.042] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0098.042] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0098.042] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="Assets" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets" [0098.042] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*" [0098.042] GlobalMemoryStatus (in: lpBuffer=0x157dfd08 | out: lpBuffer=0x157dfd08) [0098.042] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21601ca0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x584 [0098.043] CloseHandle (hObject=0x584) returned 1 [0098.043] FindNextFileW (in: hFindFile=0x2c9e508, lpFindFileData=0x157dfd28 | out: lpFindFileData=0x157dfd28) returned 1 [0098.043] lstrcmpW (lpString1=".", lpString2="Bing.Immersive") returned -1 [0098.043] lstrcmpW (lpString1="..", lpString2="Bing.Immersive") returned -1 [0098.043] lstrcmpiW (lpString1="windows", lpString2="Bing.Immersive") returned 1 [0098.048] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0098.048] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0098.048] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="Bing.Immersive" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive" [0098.048] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive\\*.*" [0098.048] GlobalMemoryStatus (in: lpBuffer=0x157dfd08 | out: lpBuffer=0x157dfd08) [0098.048] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21619d08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x584 [0098.049] CloseHandle (hObject=0x584) returned 1 [0098.049] FindNextFileW (in: hFindFile=0x2c9e508, lpFindFileData=0x157dfd28 | out: lpFindFileData=0x157dfd28) returned 1 [0098.049] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0098.049] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0098.049] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.049] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.049] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.050] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x157dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x157dfcf0, lpOverlapped=0x0) returned 0 [0098.050] CloseHandle (hObject=0xffffffff) returned 1 [0098.050] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.050] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Bing.Immersive.dll") returned 1 [0098.050] lstrlenW (lpString="Bing.Immersive.dll") returned 18 [0098.050] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0098.051] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0098.051] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="Bing.Immersive.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive.dll" [0098.051] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive.dll" [0098.051] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive.dll id-Br3n0G72wUb8CejT.LyaS" [0098.051] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\bing.immersive.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\bing.immersive.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.052] FindNextFileW (in: hFindFile=0x2c9e508, lpFindFileData=0x157dfd28 | out: lpFindFileData=0x157dfd28) returned 1 [0098.052] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0098.052] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0098.052] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.052] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.052] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.052] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x157dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x157dfcf0, lpOverlapped=0x0) returned 0 [0098.052] CloseHandle (hObject=0xffffffff) returned 1 [0098.052] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.053] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="FaceSdkStoreWrapper.dll") returned 1 [0098.053] lstrlenW (lpString="FaceSdkStoreWrapper.dll") returned 23 [0098.053] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0098.053] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0098.053] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="FaceSdkStoreWrapper.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\FaceSdkStoreWrapper.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\FaceSdkStoreWrapper.dll" [0098.053] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\FaceSdkStoreWrapper.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\FaceSdkStoreWrapper.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\FaceSdkStoreWrapper.dll" [0098.053] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\FaceSdkStoreWrapper.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\FaceSdkStoreWrapper.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\FaceSdkStoreWrapper.dll id-Br3n0G72wUb8CejT.LyaS" [0098.053] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\FaceSdkStoreWrapper.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\facesdkstorewrapper.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\FaceSdkStoreWrapper.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\facesdkstorewrapper.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.206] FindNextFileW (in: hFindFile=0x2c9e508, lpFindFileData=0x157dfd28 | out: lpFindFileData=0x157dfd28) returned 1 [0098.206] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0098.206] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0098.206] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.207] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.207] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.207] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x157dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x157dfcf0, lpOverlapped=0x0) returned 0 [0098.207] CloseHandle (hObject=0xffffffff) returned 1 [0098.207] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.208] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Lumia.AppTk.SceneGraph.UAP.dll") returned -1 [0098.208] lstrlenW (lpString="Lumia.AppTk.SceneGraph.UAP.dll") returned 30 [0098.208] lstrcmpiW (lpString1=".LyaS", lpString2="P.dll") returned -1 [0098.208] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0098.208] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0098.208] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="Lumia.AppTk.SceneGraph.UAP.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.AppTk.SceneGraph.UAP.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.AppTk.SceneGraph.UAP.dll" [0098.208] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.AppTk.SceneGraph.UAP.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.AppTk.SceneGraph.UAP.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.AppTk.SceneGraph.UAP.dll" [0098.208] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.AppTk.SceneGraph.UAP.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.AppTk.SceneGraph.UAP.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.AppTk.SceneGraph.UAP.dll id-Br3n0G72wUb8CejT.LyaS" [0098.208] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.AppTk.SceneGraph.UAP.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\lumia.apptk.scenegraph.uap.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.AppTk.SceneGraph.UAP.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\lumia.apptk.scenegraph.uap.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.231] FindNextFileW (in: hFindFile=0x2c9e508, lpFindFileData=0x157dfd28 | out: lpFindFileData=0x157dfd28) returned 1 [0098.231] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0098.231] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0098.231] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.231] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.231] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.232] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x157dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x157dfcf0, lpOverlapped=0x0) returned 0 [0098.232] CloseHandle (hObject=0xffffffff) returned 1 [0098.232] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.232] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Lumia.Media.Packaging.UAP.dll") returned -1 [0098.232] lstrlenW (lpString="Lumia.Media.Packaging.UAP.dll") returned 29 [0098.232] lstrcmpiW (lpString1=".LyaS", lpString2="P.dll") returned -1 [0098.232] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0098.232] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0098.232] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="Lumia.Media.Packaging.UAP.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.Media.Packaging.UAP.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.Media.Packaging.UAP.dll" [0098.232] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.Media.Packaging.UAP.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.Media.Packaging.UAP.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.Media.Packaging.UAP.dll" [0098.233] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.Media.Packaging.UAP.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.Media.Packaging.UAP.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.Media.Packaging.UAP.dll id-Br3n0G72wUb8CejT.LyaS" [0098.233] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.Media.Packaging.UAP.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\lumia.media.packaging.uap.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.Media.Packaging.UAP.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\lumia.media.packaging.uap.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.233] FindNextFileW (in: hFindFile=0x2c9e508, lpFindFileData=0x157dfd28 | out: lpFindFileData=0x157dfd28) returned 1 [0098.233] lstrcmpW (lpString1=".", lpString2="Lumia.ViewerPlugin") returned -1 [0098.233] lstrcmpW (lpString1="..", lpString2="Lumia.ViewerPlugin") returned -1 [0098.233] lstrcmpiW (lpString1="windows", lpString2="Lumia.ViewerPlugin") returned 1 [0098.233] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0098.233] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0098.233] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="Lumia.ViewerPlugin" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.ViewerPlugin") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.ViewerPlugin" [0098.233] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.ViewerPlugin", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.ViewerPlugin\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.ViewerPlugin\\*.*" [0098.233] GlobalMemoryStatus (in: lpBuffer=0x157dfd08 | out: lpBuffer=0x157dfd08) [0098.233] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10a10f30, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5e4 [0098.234] CloseHandle (hObject=0x5e4) returned 1 [0098.234] FindNextFileW (in: hFindFile=0x2c9e508, lpFindFileData=0x157dfd28 | out: lpFindFileData=0x157dfd28) returned 1 [0098.234] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0098.234] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0098.234] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.234] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.235] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.235] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x157dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x157dfcf0, lpOverlapped=0x0) returned 0 [0098.235] CloseHandle (hObject=0xffffffff) returned 1 [0098.235] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.235] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Lumia.ViewerPluginNative.dll") returned -1 [0098.235] lstrlenW (lpString="Lumia.ViewerPluginNative.dll") returned 28 [0098.235] lstrcmpiW (lpString1=".LyaS", lpString2="e.dll") returned -1 [0098.235] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0098.236] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0098.236] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="Lumia.ViewerPluginNative.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.ViewerPluginNative.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.ViewerPluginNative.dll" [0098.236] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.ViewerPluginNative.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.ViewerPluginNative.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.ViewerPluginNative.dll" [0098.236] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.ViewerPluginNative.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.ViewerPluginNative.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.ViewerPluginNative.dll id-Br3n0G72wUb8CejT.LyaS" [0098.236] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.ViewerPluginNative.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\lumia.viewerpluginnative.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.ViewerPluginNative.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\lumia.viewerpluginnative.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.236] FindNextFileW (in: hFindFile=0x2c9e508, lpFindFileData=0x157dfd28 | out: lpFindFileData=0x157dfd28) returned 1 [0098.236] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0098.236] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0098.236] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.236] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.236] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.237] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x157dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x157dfcf0, lpOverlapped=0x0) returned 0 [0098.237] CloseHandle (hObject=0xffffffff) returned 1 [0098.237] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.237] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Microsoft.Photos.dll") returned -1 [0098.237] lstrlenW (lpString="Microsoft.Photos.dll") returned 20 [0098.237] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0098.237] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0098.237] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="Microsoft.Photos.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.dll" [0098.237] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.dll" [0098.237] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.dll id-Br3n0G72wUb8CejT.LyaS" [0098.237] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\microsoft.photos.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\microsoft.photos.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0099.206] FindNextFileW (in: hFindFile=0x2c9e508, lpFindFileData=0x157dfd28 | out: lpFindFileData=0x157dfd28) returned 1 [0099.365] lstrcpyW (in: lpString1=0x219fadb8, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0099.366] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0099.366] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0099.366] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0099.366] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.150] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x157dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x157dfcf0, lpOverlapped=0x0) returned 0 [0101.150] CloseHandle (hObject=0xffffffff) returned 1 [0101.150] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.151] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Microsoft.Photos.exe") returned -1 [0101.151] lstrlenW (lpString="Microsoft.Photos.exe") returned 20 [0101.151] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0101.151] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0101.151] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="Microsoft.Photos.exe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.exe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.exe" [0101.151] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.exe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.exe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.exe" [0101.151] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.exe id-Br3n0G72wUb8CejT.LyaS" [0101.151] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.exe" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\microsoft.photos.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\microsoft.photos.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0101.152] FindNextFileW (in: hFindFile=0x2c9e508, lpFindFileData=0x157dfd28 | out: lpFindFileData=0x157dfd28) returned 1 [0101.152] lstrcmpW (lpString1=".", lpString2="microsoft.system.package.metadata") returned -1 [0101.152] lstrcmpW (lpString1="..", lpString2="microsoft.system.package.metadata") returned -1 [0101.152] lstrcmpiW (lpString1="windows", lpString2="microsoft.system.package.metadata") returned 1 [0101.152] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0101.152] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0101.152] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="microsoft.system.package.metadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata" [0101.152] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*" [0101.152] GlobalMemoryStatus (in: lpBuffer=0x157dfd08 | out: lpBuffer=0x157dfd08) [0101.152] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x106683f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x468 [0101.153] CloseHandle (hObject=0x468) returned 1 [0101.153] FindNextFileW (in: hFindFile=0x2c9e508, lpFindFileData=0x157dfd28 | out: lpFindFileData=0x157dfd28) returned 1 [0101.153] lstrcmpW (lpString1=".", lpString2="PhotosApp") returned -1 [0101.153] lstrcmpW (lpString1="..", lpString2="PhotosApp") returned -1 [0101.153] lstrcmpiW (lpString1="windows", lpString2="PhotosApp") returned 1 [0101.153] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0101.153] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0101.153] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="PhotosApp" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\PhotosApp") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\PhotosApp" [0101.153] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\PhotosApp", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\PhotosApp\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\PhotosApp\\*.*" [0101.153] GlobalMemoryStatus (in: lpBuffer=0x157dfd08 | out: lpBuffer=0x157dfd08) [0101.153] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10bd96e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x468 [0101.154] CloseHandle (hObject=0x468) returned 1 [0101.154] FindNextFileW (in: hFindFile=0x2c9e508, lpFindFileData=0x157dfd28 | out: lpFindFileData=0x157dfd28) returned 1 [0101.154] lstrcpyW (in: lpString1=0x219fadb8, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0101.154] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0101.154] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0101.154] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0101.154] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.155] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x157dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x157dfcf0, lpOverlapped=0x0) returned 0 [0101.155] CloseHandle (hObject=0xffffffff) returned 1 [0101.155] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.155] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="PhotosApp.Windows.dll") returned -1 [0101.155] lstrlenW (lpString="PhotosApp.Windows.dll") returned 21 [0101.155] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*" [0101.156] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0101.156] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\", lpString2="PhotosApp.Windows.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\PhotosApp.Windows.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\PhotosApp.Windows.dll" [0101.156] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\PhotosApp.Windows.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\PhotosApp.Windows.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\PhotosApp.Windows.dll" [0101.156] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\PhotosApp.Windows.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\PhotosApp.Windows.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\PhotosApp.Windows.dll id-Br3n0G72wUb8CejT.LyaS" [0101.156] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\PhotosApp.Windows.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\photosapp.windows.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\PhotosApp.Windows.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\photosapp.windows.dll id-br3n0g72wub8cejt.lyas")) Thread: id = 289 os_tid = 0xf08 [0091.881] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*", lpFindFileData=0x1591fd28 | out: lpFindFileData=0x1591fd28) returned 0x2c9ed88 [0093.737] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.737] FindNextFileW (in: hFindFile=0x2c9ed88, lpFindFileData=0x1591fd28 | out: lpFindFileData=0x1591fd28) returned 1 [0093.737] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.737] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.737] FindNextFileW (in: hFindFile=0x2c9ed88, lpFindFileData=0x1591fd28 | out: lpFindFileData=0x1591fd28) returned 1 [0093.741] lstrcpyW (in: lpString1=0x21008558, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*" [0093.741] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 101 [0093.741] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0093.741] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.741] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.358] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1591fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1591fcf0, lpOverlapped=0x0) returned 0 [0094.358] CloseHandle (hObject=0xffffffff) returned 1 [0094.358] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.836] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.836] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.836] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.836] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 101 [0095.836] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.837] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.837] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.837] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0097.017] FindNextFileW (in: hFindFile=0x2c9ed88, lpFindFileData=0x1591fd28 | out: lpFindFileData=0x1591fd28) returned 1 [0097.018] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0097.018] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0097.018] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 [0097.018] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.018] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 101 [0097.018] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxMetadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata" [0097.018] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0097.018] GlobalMemoryStatus (in: lpBuffer=0x1591fd08 | out: lpBuffer=0x1591fd08) [0097.018] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x900a138, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x61c [0097.019] CloseHandle (hObject=0x61c) returned 1 [0097.019] FindNextFileW (in: hFindFile=0x2c9ed88, lpFindFileData=0x1591fd28 | out: lpFindFileData=0x1591fd28) returned 1 [0097.019] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.019] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 101 [0097.019] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0097.019] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.019] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.020] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1591fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1591fcf0, lpOverlapped=0x0) returned 0 [0097.020] CloseHandle (hObject=0xffffffff) returned 1 [0097.020] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.020] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxSignature.p7x") returned 1 [0097.020] lstrlenW (lpString="AppxSignature.p7x") returned 17 [0097.020] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.020] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 101 [0097.020] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" [0097.020] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" [0097.021] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" [0097.021] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\appxsignature.p7x"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\appxsignature.p7x id-br3n0g72wub8cejt.lyas")) returned 0 [0097.021] FindNextFileW (in: hFindFile=0x2c9ed88, lpFindFileData=0x1591fd28 | out: lpFindFileData=0x1591fd28) returned 1 [0097.021] lstrcmpW (lpString1=".", lpString2="microsoft.system.package.metadata") returned -1 [0097.021] lstrcmpW (lpString1="..", lpString2="microsoft.system.package.metadata") returned -1 [0097.021] lstrcmpiW (lpString1="windows", lpString2="microsoft.system.package.metadata") returned 1 [0097.021] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.021] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 101 [0097.021] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\", lpString2="microsoft.system.package.metadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata" [0097.021] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*" [0097.021] GlobalMemoryStatus (in: lpBuffer=0x1591fd08 | out: lpBuffer=0x1591fd08) [0097.022] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5c40bb8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x61c [0097.022] CloseHandle (hObject=0x61c) returned 1 [0097.022] FindNextFileW (in: hFindFile=0x2c9ed88, lpFindFileData=0x1591fd28 | out: lpFindFileData=0x1591fd28) returned 0 [0097.022] FindClose (in: hFindFile=0x2c9ed88 | out: hFindFile=0x2c9ed88) returned 1 Thread: id = 290 os_tid = 0xb58 [0091.881] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*", lpFindFileData=0x15a5fd28 | out: lpFindFileData=0x15a5fd28) returned 0x2c9eb08 [0093.423] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.423] FindNextFileW (in: hFindFile=0x2c9eb08, lpFindFileData=0x15a5fd28 | out: lpFindFileData=0x15a5fd28) returned 1 [0093.661] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.661] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.661] FindNextFileW (in: hFindFile=0x2c9eb08, lpFindFileData=0x15a5fd28 | out: lpFindFileData=0x15a5fd28) returned 1 [0093.661] lstrcpyW (in: lpString1=0x3ef0078, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" [0093.661] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned 95 [0093.661] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_10.1506.19010.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0093.661] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsalarms_10.1506.19010.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.661] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsalarms_10.1506.19010.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 291 os_tid = 0x4b8 [0091.882] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*", lpFindFileData=0x15b9fd28 | out: lpFindFileData=0x15b9fd28) returned 0x2c9ef88 [0093.403] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.403] FindNextFileW (in: hFindFile=0x2c9ef88, lpFindFileData=0x15b9fd28 | out: lpFindFileData=0x15b9fd28) returned 1 [0093.403] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.403] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.404] FindNextFileW (in: hFindFile=0x2c9ef88, lpFindFileData=0x15b9fd28 | out: lpFindFileData=0x15b9fd28) returned 1 [0093.774] lstrcpyW (in: lpString1=0x21078598, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*" [0093.774] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 98 [0093.774] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0093.774] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsalarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.774] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsalarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0095.828] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x15b9fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x15b9fcf0, lpOverlapped=0x0) returned 0 [0095.828] CloseHandle (hObject=0xffffffff) returned 1 [0095.828] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.828] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.828] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.828] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.828] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 98 [0095.828] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.828] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.828] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.828] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsalarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsalarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0096.422] FindNextFileW (in: hFindFile=0x2c9ef88, lpFindFileData=0x15b9fd28 | out: lpFindFileData=0x15b9fd28) returned 1 [0096.422] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0096.422] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0096.422] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 [0097.042] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.042] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 98 [0097.042] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxMetadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata" [0097.042] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0097.042] GlobalMemoryStatus (in: lpBuffer=0x15b9fd08 | out: lpBuffer=0x15b9fd08) [0097.043] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10dd5f28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x524 [0097.043] CloseHandle (hObject=0x524) returned 1 [0097.043] FindNextFileW (in: hFindFile=0x2c9ef88, lpFindFileData=0x15b9fd28 | out: lpFindFileData=0x15b9fd28) returned 1 [0097.043] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.043] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 98 [0097.043] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0097.043] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsalarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.044] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsalarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.044] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x15b9fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x15b9fcf0, lpOverlapped=0x0) returned 0 [0097.044] CloseHandle (hObject=0xffffffff) returned 1 [0097.044] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.044] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxSignature.p7x") returned 1 [0097.044] lstrlenW (lpString="AppxSignature.p7x") returned 17 [0097.044] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.044] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 98 [0097.044] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" [0097.044] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" [0097.045] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" [0097.045] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsalarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\appxsignature.p7x"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsalarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\appxsignature.p7x id-br3n0g72wub8cejt.lyas")) returned 0 [0097.115] FindNextFileW (in: hFindFile=0x2c9ef88, lpFindFileData=0x15b9fd28 | out: lpFindFileData=0x15b9fd28) returned 1 [0097.115] lstrcmpW (lpString1=".", lpString2="microsoft.system.package.metadata") returned -1 [0097.115] lstrcmpW (lpString1="..", lpString2="microsoft.system.package.metadata") returned -1 [0097.115] lstrcmpiW (lpString1="windows", lpString2="microsoft.system.package.metadata") returned 1 [0097.115] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.115] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 98 [0097.115] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\", lpString2="microsoft.system.package.metadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata" [0097.116] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*" [0097.116] GlobalMemoryStatus (in: lpBuffer=0x15b9fd08 | out: lpBuffer=0x15b9fd08) [0097.116] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10ab9208, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x548 [0097.116] CloseHandle (hObject=0x548) returned 1 [0097.116] FindNextFileW (in: hFindFile=0x2c9ef88, lpFindFileData=0x15b9fd28 | out: lpFindFileData=0x15b9fd28) returned 0 [0097.116] FindClose (in: hFindFile=0x2c9ef88 | out: hFindFile=0x2c9ef88) returned 1 Thread: id = 292 os_tid = 0xad8 [0091.883] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*", lpFindFileData=0x15cdfd28 | out: lpFindFileData=0x15cdfd28) returned 0x2c9f088 [0093.416] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.416] FindNextFileW (in: hFindFile=0x2c9f088, lpFindFileData=0x15cdfd28 | out: lpFindFileData=0x15cdfd28) returned 1 [0093.761] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.761] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.761] FindNextFileW (in: hFindFile=0x2c9f088, lpFindFileData=0x15cdfd28 | out: lpFindFileData=0x15cdfd28) returned 1 [0093.762] lstrcpyW (in: lpString1=0x21060580, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" [0093.762] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned 99 [0093.762] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0093.762] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.762] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.360] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x15cdfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x15cdfcf0, lpOverlapped=0x0) returned 0 [0094.360] CloseHandle (hObject=0xffffffff) returned 1 [0094.360] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.831] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.831] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.831] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" [0095.831] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned 99 [0095.831] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.831] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.831] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.832] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0097.045] FindNextFileW (in: hFindFile=0x2c9f088, lpFindFileData=0x15cdfd28 | out: lpFindFileData=0x15cdfd28) returned 1 [0097.045] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" [0097.045] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned 99 [0097.045] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.045] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.045] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.046] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x15cdfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x15cdfcf0, lpOverlapped=0x0) returned 0 [0097.046] CloseHandle (hObject=0xffffffff) returned 1 [0097.046] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.046] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxManifest.xml") returned 1 [0097.046] lstrlenW (lpString="AppxManifest.xml") returned 16 [0097.046] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" [0097.046] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned 99 [0097.046] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\", lpString2="AppxManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxManifest.xml" [0097.046] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxManifest.xml" [0097.046] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxManifest.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS" [0097.046] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxManifest.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\appxmanifest.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\appxmanifest.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0097.047] FindNextFileW (in: hFindFile=0x2c9f088, lpFindFileData=0x15cdfd28 | out: lpFindFileData=0x15cdfd28) returned 1 [0097.047] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0097.047] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0097.047] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 [0097.051] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" [0097.051] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned 99 [0097.051] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\", lpString2="AppxMetadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata" [0097.051] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*" [0097.051] GlobalMemoryStatus (in: lpBuffer=0x15cdfd08 | out: lpBuffer=0x15cdfd08) [0097.052] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5a98470, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x524 [0097.052] CloseHandle (hObject=0x524) returned 1 [0097.052] FindNextFileW (in: hFindFile=0x2c9f088, lpFindFileData=0x15cdfd28 | out: lpFindFileData=0x15cdfd28) returned 1 [0097.052] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" [0097.052] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned 99 [0097.053] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.053] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.053] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.053] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x15cdfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x15cdfcf0, lpOverlapped=0x0) returned 0 [0097.053] CloseHandle (hObject=0xffffffff) returned 1 [0097.053] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.053] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxSignature.p7x") returned 1 [0097.054] lstrlenW (lpString="AppxSignature.p7x") returned 17 [0097.054] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" [0097.054] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned 99 [0097.054] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\", lpString2="AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x" [0097.054] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x" [0097.054] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" [0097.054] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\appxsignature.p7x"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\appxsignature.p7x id-br3n0g72wub8cejt.lyas")) returned 0 [0097.054] FindNextFileW (in: hFindFile=0x2c9f088, lpFindFileData=0x15cdfd28 | out: lpFindFileData=0x15cdfd28) returned 1 [0097.054] lstrcmpW (lpString1=".", lpString2="Assets") returned -1 [0097.054] lstrcmpW (lpString1="..", lpString2="Assets") returned -1 [0097.054] lstrcmpiW (lpString1="windows", lpString2="Assets") returned 1 [0097.059] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" [0097.059] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned 99 [0097.059] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\", lpString2="Assets" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\Assets") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\Assets" [0097.059] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\Assets", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\Assets\\*.*" [0097.059] GlobalMemoryStatus (in: lpBuffer=0x15cdfd08 | out: lpBuffer=0x15cdfd08) [0097.059] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10806968, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x524 [0097.060] CloseHandle (hObject=0x524) returned 1 [0097.060] FindNextFileW (in: hFindFile=0x2c9f088, lpFindFileData=0x15cdfd28 | out: lpFindFileData=0x15cdfd28) returned 1 [0097.060] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" [0097.060] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned 99 [0097.060] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.060] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.060] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.061] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x15cdfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x15cdfcf0, lpOverlapped=0x0) returned 0 [0097.061] CloseHandle (hObject=0xffffffff) returned 1 [0097.061] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.061] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Calculator.exe") returned 1 [0097.061] lstrlenW (lpString="Calculator.exe") returned 14 [0097.061] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" [0097.061] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned 99 [0097.061] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\", lpString2="Calculator.exe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\Calculator.exe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\Calculator.exe" [0097.061] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\Calculator.exe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\Calculator.exe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\Calculator.exe" [0097.061] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\Calculator.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\Calculator.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\Calculator.exe id-Br3n0G72wUb8CejT.LyaS" [0097.061] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\Calculator.exe" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\calculator.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\Calculator.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\calculator.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0097.182] FindNextFileW (in: hFindFile=0x2c9f088, lpFindFileData=0x15cdfd28 | out: lpFindFileData=0x15cdfd28) returned 1 [0097.182] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" [0097.182] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned 99 [0097.182] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.182] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.182] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.182] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x15cdfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x15cdfcf0, lpOverlapped=0x0) returned 0 [0097.182] CloseHandle (hObject=0xffffffff) returned 1 [0097.182] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.183] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="CalculatorApp.winmd") returned 1 [0097.183] lstrlenW (lpString="CalculatorApp.winmd") returned 19 [0097.183] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" [0097.183] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned 99 [0097.183] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\", lpString2="CalculatorApp.winmd" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\CalculatorApp.winmd") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\CalculatorApp.winmd" [0097.183] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\CalculatorApp.winmd" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\CalculatorApp.winmd") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\CalculatorApp.winmd" [0097.183] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\CalculatorApp.winmd", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\CalculatorApp.winmd id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\CalculatorApp.winmd id-Br3n0G72wUb8CejT.LyaS" [0097.183] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\CalculatorApp.winmd" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\calculatorapp.winmd"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\CalculatorApp.winmd id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\calculatorapp.winmd id-br3n0g72wub8cejt.lyas")) returned 0 [0099.104] FindNextFileW (in: hFindFile=0x2c9f088, lpFindFileData=0x15cdfd28 | out: lpFindFileData=0x15cdfd28) returned 1 [0099.104] lstrcmpW (lpString1=".", lpString2="microsoft.system.package.metadata") returned -1 [0099.104] lstrcmpW (lpString1="..", lpString2="microsoft.system.package.metadata") returned -1 [0099.104] lstrcmpiW (lpString1="windows", lpString2="microsoft.system.package.metadata") returned 1 [0099.498] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" [0099.498] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned 99 [0099.498] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\", lpString2="microsoft.system.package.metadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata" [0099.498] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*" [0099.498] GlobalMemoryStatus (in: lpBuffer=0x15cdfd08 | out: lpBuffer=0x15cdfd08) [0099.498] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21aa3040, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x608 [0099.499] CloseHandle (hObject=0x608) returned 1 [0099.499] FindNextFileW (in: hFindFile=0x2c9f088, lpFindFileData=0x15cdfd28 | out: lpFindFileData=0x15cdfd28) returned 1 [0099.503] lstrcpyW (in: lpString1=0x21abb0a8, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*" [0099.503] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\*.*") returned 99 [0099.503] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0099.503] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0099.503] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 293 os_tid = 0x888 [0091.884] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*", lpFindFileData=0x15e1fd28 | out: lpFindFileData=0x15e1fd28) returned 0x2c9ee88 [0093.775] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.775] FindNextFileW (in: hFindFile=0x2c9ee88, lpFindFileData=0x15e1fd28 | out: lpFindFileData=0x15e1fd28) returned 1 [0093.775] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.775] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.775] FindNextFileW (in: hFindFile=0x2c9ee88, lpFindFileData=0x15e1fd28 | out: lpFindFileData=0x15e1fd28) returned 1 [0093.778] lstrcpyW (in: lpString1=0x210805a0, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*" [0093.778] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 102 [0093.778] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0093.778] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.778] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0095.826] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x15e1fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x15e1fcf0, lpOverlapped=0x0) returned 0 [0095.826] CloseHandle (hObject=0xffffffff) returned 1 [0095.826] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.827] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.827] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.827] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.827] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 102 [0095.827] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.827] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.827] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.827] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) Thread: id = 294 os_tid = 0x2ec [0091.884] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*", lpFindFileData=0x15f5fd28 | out: lpFindFileData=0x15f5fd28) returned 0x2c9edc8 [0093.751] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.751] FindNextFileW (in: hFindFile=0x2c9edc8, lpFindFileData=0x15f5fd28 | out: lpFindFileData=0x15f5fd28) returned 1 [0093.751] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.751] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.751] FindNextFileW (in: hFindFile=0x2c9edc8, lpFindFileData=0x15f5fd28 | out: lpFindFileData=0x15f5fd28) returned 1 [0093.756] lstrcpyW (in: lpString1=0x21038570, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*" [0093.756] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 100 [0093.756] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0093.756] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.756] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.359] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x15f5fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x15f5fcf0, lpOverlapped=0x0) returned 0 [0094.359] CloseHandle (hObject=0xffffffff) returned 1 [0094.359] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.832] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.832] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.832] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.833] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 100 [0095.833] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.833] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.833] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.833] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0097.038] FindNextFileW (in: hFindFile=0x2c9edc8, lpFindFileData=0x15f5fd28 | out: lpFindFileData=0x15f5fd28) returned 1 [0097.038] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0097.038] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0097.038] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 [0097.038] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.038] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 100 [0097.039] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxMetadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata" [0097.039] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0097.039] GlobalMemoryStatus (in: lpBuffer=0x15f5fd08 | out: lpBuffer=0x15f5fd08) [0097.039] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10980cc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x524 [0097.040] CloseHandle (hObject=0x524) returned 1 [0097.040] FindNextFileW (in: hFindFile=0x2c9edc8, lpFindFileData=0x15f5fd28 | out: lpFindFileData=0x15f5fd28) returned 1 [0097.040] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.040] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 100 [0097.040] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0097.040] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.040] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.041] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x15f5fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x15f5fcf0, lpOverlapped=0x0) returned 0 [0097.041] CloseHandle (hObject=0xffffffff) returned 1 [0097.041] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.041] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxSignature.p7x") returned 1 [0097.041] lstrlenW (lpString="AppxSignature.p7x") returned 17 [0097.041] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.042] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 100 [0097.042] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" [0097.042] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" [0097.042] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" [0097.042] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\appxsignature.p7x"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\appxsignature.p7x id-br3n0g72wub8cejt.lyas")) returned 0 [0097.112] FindNextFileW (in: hFindFile=0x2c9edc8, lpFindFileData=0x15f5fd28 | out: lpFindFileData=0x15f5fd28) returned 1 [0097.112] lstrcmpW (lpString1=".", lpString2="microsoft.system.package.metadata") returned -1 [0097.112] lstrcmpW (lpString1="..", lpString2="microsoft.system.package.metadata") returned -1 [0097.112] lstrcmpiW (lpString1="windows", lpString2="microsoft.system.package.metadata") returned 1 [0097.112] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.112] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 100 [0097.112] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\", lpString2="microsoft.system.package.metadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata" [0097.112] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*" [0097.112] GlobalMemoryStatus (in: lpBuffer=0x15f5fd08 | out: lpBuffer=0x15f5fd08) [0097.112] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8a30868, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x398 [0097.113] CloseHandle (hObject=0x398) returned 1 [0097.113] FindNextFileW (in: hFindFile=0x2c9edc8, lpFindFileData=0x15f5fd28 | out: lpFindFileData=0x15f5fd28) returned 0 [0097.113] FindClose (in: hFindFile=0x2c9edc8 | out: hFindFile=0x2c9edc8) returned 1 Thread: id = 295 os_tid = 0x8c4 [0091.887] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*", lpFindFileData=0x1609fd28 | out: lpFindFileData=0x1609fd28) returned 0x2c9e788 [0094.147] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.147] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x1609fd28 | out: lpFindFileData=0x1609fd28) returned 1 [0094.147] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0094.147] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.147] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x1609fd28 | out: lpFindFileData=0x1609fd28) returned 1 [0094.147] lstrcpyW (in: lpString1=0x8d81640, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0094.147] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0094.147] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0094.147] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0094.148] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0095.744] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1609fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1609fcf0, lpOverlapped=0x0) returned 0 [0095.744] CloseHandle (hObject=0xffffffff) returned 1 [0095.745] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.745] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.745] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.745] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0095.745] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0095.746] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.746] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.746] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.746] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0096.376] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x1609fd28 | out: lpFindFileData=0x1609fd28) returned 1 [0097.170] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0097.171] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0097.171] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.171] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.171] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.171] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1609fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1609fcf0, lpOverlapped=0x0) returned 0 [0097.171] CloseHandle (hObject=0xffffffff) returned 1 [0097.171] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.172] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxManifest.xml") returned 1 [0097.172] lstrlenW (lpString="AppxManifest.xml") returned 16 [0097.172] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0097.172] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0097.172] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="AppxManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxManifest.xml" [0097.172] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxManifest.xml" [0097.172] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxManifest.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS" [0097.172] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxManifest.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\appxmanifest.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\appxmanifest.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0097.172] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x1609fd28 | out: lpFindFileData=0x1609fd28) returned 1 [0097.172] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0097.173] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0097.173] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 [0097.173] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0097.173] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0097.173] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="AppxMetadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata" [0097.174] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*" [0097.174] GlobalMemoryStatus (in: lpBuffer=0x1609fd08 | out: lpBuffer=0x1609fd08) [0097.174] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x20ee8548, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0097.174] CloseHandle (hObject=0x430) returned 1 [0097.175] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x1609fd28 | out: lpFindFileData=0x1609fd28) returned 1 [0097.175] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0097.175] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0097.175] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.175] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.175] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.175] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1609fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1609fcf0, lpOverlapped=0x0) returned 0 [0097.176] CloseHandle (hObject=0xffffffff) returned 1 [0097.176] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.176] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxSignature.p7x") returned 1 [0097.176] lstrlenW (lpString="AppxSignature.p7x") returned 17 [0097.176] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0097.176] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0097.176] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x" [0097.177] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x" [0097.177] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" [0097.177] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\appxsignature.p7x"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\appxsignature.p7x id-br3n0g72wub8cejt.lyas")) returned 0 [0097.177] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x1609fd28 | out: lpFindFileData=0x1609fd28) returned 1 [0097.177] lstrcmpW (lpString1=".", lpString2="Assets") returned -1 [0097.177] lstrcmpW (lpString1="..", lpString2="Assets") returned -1 [0097.177] lstrcmpiW (lpString1="windows", lpString2="Assets") returned 1 [0097.178] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0097.178] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0097.178] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="Assets" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets" [0097.178] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*" [0097.178] GlobalMemoryStatus (in: lpBuffer=0x1609fd08 | out: lpBuffer=0x1609fd08) [0097.178] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x105f01e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0097.179] CloseHandle (hObject=0x430) returned 1 [0097.179] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x1609fd28 | out: lpFindFileData=0x1609fd28) returned 1 [0097.179] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0097.179] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0097.179] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.179] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.179] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.180] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1609fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1609fcf0, lpOverlapped=0x0) returned 0 [0097.180] CloseHandle (hObject=0xffffffff) returned 1 [0097.180] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.180] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Lumia.CameraApp.Native.winmd") returned -1 [0097.180] lstrlenW (lpString="Lumia.CameraApp.Native.winmd") returned 28 [0097.180] lstrcmpiW (lpString1=".LyaS", lpString2="winmd") returned -1 [0097.180] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0097.180] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0097.181] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="Lumia.CameraApp.Native.winmd" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.CameraApp.Native.winmd") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.CameraApp.Native.winmd" [0097.181] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.CameraApp.Native.winmd" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.CameraApp.Native.winmd") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.CameraApp.Native.winmd" [0097.181] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.CameraApp.Native.winmd", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.CameraApp.Native.winmd id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.CameraApp.Native.winmd id-Br3n0G72wUb8CejT.LyaS" [0097.181] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.CameraApp.Native.winmd" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\lumia.cameraapp.native.winmd"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.CameraApp.Native.winmd id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\lumia.cameraapp.native.winmd id-br3n0g72wub8cejt.lyas")) returned 0 [0098.157] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x1609fd28 | out: lpFindFileData=0x1609fd28) returned 1 [0098.157] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0098.157] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0098.157] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.157] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.157] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.158] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1609fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1609fcf0, lpOverlapped=0x0) returned 0 [0098.158] CloseHandle (hObject=0xffffffff) returned 1 [0098.158] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.158] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Lumia.CameraApp.Telemetry.winmd") returned -1 [0098.158] lstrlenW (lpString="Lumia.CameraApp.Telemetry.winmd") returned 31 [0098.158] lstrcmpiW (lpString1=".LyaS", lpString2="winmd") returned -1 [0098.159] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0098.159] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0098.159] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="Lumia.CameraApp.Telemetry.winmd" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.CameraApp.Telemetry.winmd") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.CameraApp.Telemetry.winmd" [0098.159] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.CameraApp.Telemetry.winmd" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.CameraApp.Telemetry.winmd") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.CameraApp.Telemetry.winmd" [0098.159] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.CameraApp.Telemetry.winmd", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.CameraApp.Telemetry.winmd id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.CameraApp.Telemetry.winmd id-Br3n0G72wUb8CejT.LyaS" [0098.159] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.CameraApp.Telemetry.winmd" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\lumia.cameraapp.telemetry.winmd"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.CameraApp.Telemetry.winmd id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\lumia.cameraapp.telemetry.winmd id-br3n0g72wub8cejt.lyas")) returned 0 [0098.159] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x1609fd28 | out: lpFindFileData=0x1609fd28) returned 1 [0098.159] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0098.159] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0098.159] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.159] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.159] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.160] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1609fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1609fcf0, lpOverlapped=0x0) returned 0 [0098.160] CloseHandle (hObject=0xffffffff) returned 1 [0098.160] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.160] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Lumia.TracingLib.Native.Win.dll") returned -1 [0098.160] lstrlenW (lpString="Lumia.TracingLib.Native.Win.dll") returned 31 [0098.160] lstrcmpiW (lpString1=".LyaS", lpString2="n.dll") returned -1 [0098.160] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0098.161] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0098.161] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="Lumia.TracingLib.Native.Win.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.TracingLib.Native.Win.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.TracingLib.Native.Win.dll" [0098.161] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.TracingLib.Native.Win.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.TracingLib.Native.Win.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.TracingLib.Native.Win.dll" [0098.161] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.TracingLib.Native.Win.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.TracingLib.Native.Win.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.TracingLib.Native.Win.dll id-Br3n0G72wUb8CejT.LyaS" [0098.161] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.TracingLib.Native.Win.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\lumia.tracinglib.native.win.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.TracingLib.Native.Win.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\lumia.tracinglib.native.win.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.161] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x1609fd28 | out: lpFindFileData=0x1609fd28) returned 1 [0098.161] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0098.161] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0098.161] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.162] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.162] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.162] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1609fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1609fcf0, lpOverlapped=0x0) returned 0 [0098.162] CloseHandle (hObject=0xffffffff) returned 1 [0098.162] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.163] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Lumia.TracingLib.Native.winmd") returned -1 [0098.163] lstrlenW (lpString="Lumia.TracingLib.Native.winmd") returned 29 [0098.163] lstrcmpiW (lpString1=".LyaS", lpString2="winmd") returned -1 [0098.163] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0098.163] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0098.163] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="Lumia.TracingLib.Native.winmd" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.TracingLib.Native.winmd") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.TracingLib.Native.winmd" [0098.163] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.TracingLib.Native.winmd" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.TracingLib.Native.winmd") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.TracingLib.Native.winmd" [0098.163] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.TracingLib.Native.winmd", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.TracingLib.Native.winmd id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.TracingLib.Native.winmd id-Br3n0G72wUb8CejT.LyaS" [0098.163] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.TracingLib.Native.winmd" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\lumia.tracinglib.native.winmd"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Lumia.TracingLib.Native.winmd id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\lumia.tracinglib.native.winmd id-br3n0g72wub8cejt.lyas")) returned 0 [0098.163] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x1609fd28 | out: lpFindFileData=0x1609fd28) returned 1 [0098.163] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0098.163] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0098.163] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.163] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.163] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.164] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1609fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1609fcf0, lpOverlapped=0x0) returned 0 [0098.164] CloseHandle (hObject=0xffffffff) returned 1 [0098.164] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.164] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Microsoft.CameraApp.Native.Win.dll") returned -1 [0098.164] lstrlenW (lpString="Microsoft.CameraApp.Native.Win.dll") returned 34 [0098.164] lstrcmpiW (lpString1=".LyaS", lpString2="n.dll") returned -1 [0098.164] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0098.164] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0098.164] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="Microsoft.CameraApp.Native.Win.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Microsoft.CameraApp.Native.Win.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Microsoft.CameraApp.Native.Win.dll" [0098.164] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Microsoft.CameraApp.Native.Win.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Microsoft.CameraApp.Native.Win.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Microsoft.CameraApp.Native.Win.dll" [0098.164] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Microsoft.CameraApp.Native.Win.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Microsoft.CameraApp.Native.Win.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Microsoft.CameraApp.Native.Win.dll id-Br3n0G72wUb8CejT.LyaS" [0098.165] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Microsoft.CameraApp.Native.Win.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\microsoft.cameraapp.native.win.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Microsoft.CameraApp.Native.Win.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\microsoft.cameraapp.native.win.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.165] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x1609fd28 | out: lpFindFileData=0x1609fd28) returned 1 [0098.165] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0098.165] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0098.165] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.165] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.165] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.167] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1609fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1609fcf0, lpOverlapped=0x0) returned 0 [0098.167] CloseHandle (hObject=0xffffffff) returned 1 [0098.167] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.167] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Microsoft.CameraApp.Telemetry.Win.dll") returned -1 [0098.167] lstrlenW (lpString="Microsoft.CameraApp.Telemetry.Win.dll") returned 37 [0098.167] lstrcmpiW (lpString1=".LyaS", lpString2="n.dll") returned -1 [0098.167] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0098.167] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0098.167] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="Microsoft.CameraApp.Telemetry.Win.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Microsoft.CameraApp.Telemetry.Win.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Microsoft.CameraApp.Telemetry.Win.dll" [0098.167] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Microsoft.CameraApp.Telemetry.Win.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Microsoft.CameraApp.Telemetry.Win.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Microsoft.CameraApp.Telemetry.Win.dll" [0098.167] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Microsoft.CameraApp.Telemetry.Win.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Microsoft.CameraApp.Telemetry.Win.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Microsoft.CameraApp.Telemetry.Win.dll id-Br3n0G72wUb8CejT.LyaS" [0098.167] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Microsoft.CameraApp.Telemetry.Win.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\microsoft.cameraapp.telemetry.win.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Microsoft.CameraApp.Telemetry.Win.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\microsoft.cameraapp.telemetry.win.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.168] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x1609fd28 | out: lpFindFileData=0x1609fd28) returned 1 [0098.168] lstrcmpW (lpString1=".", lpString2="microsoft.system.package.metadata") returned -1 [0098.168] lstrcmpW (lpString1="..", lpString2="microsoft.system.package.metadata") returned -1 [0098.168] lstrcmpiW (lpString1="windows", lpString2="microsoft.system.package.metadata") returned 1 [0098.168] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0098.168] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0098.168] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="microsoft.system.package.metadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata" [0098.168] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*" [0098.168] GlobalMemoryStatus (in: lpBuffer=0x1609fd08 | out: lpBuffer=0x1609fd08) [0098.168] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8a00798, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x238 [0098.169] CloseHandle (hObject=0x238) returned 1 [0098.169] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x1609fd28 | out: lpFindFileData=0x1609fd28) returned 1 [0098.169] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0098.169] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0098.169] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.169] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.169] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.170] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1609fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1609fcf0, lpOverlapped=0x0) returned 0 [0098.170] CloseHandle (hObject=0xffffffff) returned 1 [0098.170] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.170] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="resources.pri") returned -1 [0098.170] lstrlenW (lpString="resources.pri") returned 13 [0098.170] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0098.170] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0098.170] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="resources.pri" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\resources.pri") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\resources.pri" [0098.170] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\resources.pri" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\resources.pri") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\resources.pri" [0098.170] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\resources.pri", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\resources.pri id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\resources.pri id-Br3n0G72wUb8CejT.LyaS" [0098.170] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\resources.pri" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\resources.pri"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\resources.pri id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\resources.pri id-br3n0g72wub8cejt.lyas")) returned 0 [0098.171] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x1609fd28 | out: lpFindFileData=0x1609fd28) returned 1 [0098.171] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0098.171] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0098.171] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.171] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.171] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.171] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1609fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1609fcf0, lpOverlapped=0x0) returned 0 [0098.171] CloseHandle (hObject=0xffffffff) returned 1 [0098.171] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.172] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="WindowsCamera.dll") returned -1 [0098.172] lstrlenW (lpString="WindowsCamera.dll") returned 17 [0098.172] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0098.172] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0098.172] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="WindowsCamera.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\WindowsCamera.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\WindowsCamera.dll" [0098.172] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\WindowsCamera.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\WindowsCamera.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\WindowsCamera.dll" [0098.172] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\WindowsCamera.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\WindowsCamera.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\WindowsCamera.dll id-Br3n0G72wUb8CejT.LyaS" [0098.172] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\WindowsCamera.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\windowscamera.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\WindowsCamera.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\windowscamera.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0099.207] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x1609fd28 | out: lpFindFileData=0x1609fd28) returned 1 [0099.361] lstrcpyW (in: lpString1=0x219fadb8, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0099.361] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0099.361] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0099.361] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0099.361] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0099.362] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1609fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1609fcf0, lpOverlapped=0x0) returned 0 [0099.362] CloseHandle (hObject=0xffffffff) returned 1 [0099.362] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0099.362] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="WindowsCamera.exe") returned -1 [0099.362] lstrlenW (lpString="WindowsCamera.exe") returned 17 [0099.362] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0099.362] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0099.362] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="WindowsCamera.exe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\WindowsCamera.exe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\WindowsCamera.exe" [0099.362] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\WindowsCamera.exe" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\WindowsCamera.exe") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\WindowsCamera.exe" [0099.362] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\WindowsCamera.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\WindowsCamera.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\WindowsCamera.exe id-Br3n0G72wUb8CejT.LyaS" [0099.362] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\WindowsCamera.exe" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\windowscamera.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\WindowsCamera.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\windowscamera.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0099.420] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x1609fd28 | out: lpFindFileData=0x1609fd28) returned 1 [0099.420] lstrcmpW (lpString1=".", lpString2="_Resources") returned -1 [0099.420] lstrcmpW (lpString1="..", lpString2="_Resources") returned -1 [0099.420] lstrcmpiW (lpString1="windows", lpString2="_Resources") returned 1 [0099.421] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*" [0099.421] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\*.*") returned 91 [0099.421] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\", lpString2="_Resources" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\_Resources") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\_Resources" [0099.421] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\_Resources", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\_Resources\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\_Resources\\*.*" [0099.421] GlobalMemoryStatus (in: lpBuffer=0x1609fd08 | out: lpBuffer=0x1609fd08) [0099.421] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x20ee8548, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4b0 [0099.422] CloseHandle (hObject=0x4b0) returned 1 [0099.422] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x1609fd28 | out: lpFindFileData=0x1609fd28) returned 0 [0099.423] FindClose (in: hFindFile=0x2c9e788 | out: hFindFile=0x2c9e788) returned 1 Thread: id = 296 os_tid = 0xa58 [0091.887] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*", lpFindFileData=0x161dfd28 | out: lpFindFileData=0x161dfd28) returned 0x2c9e708 [0093.274] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.274] FindNextFileW (in: hFindFile=0x2c9e708, lpFindFileData=0x161dfd28 | out: lpFindFileData=0x161dfd28) returned 1 [0093.274] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.274] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.274] FindNextFileW (in: hFindFile=0x2c9e708, lpFindFileData=0x161dfd28 | out: lpFindFileData=0x161dfd28) returned 1 [0094.146] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" [0094.146] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned 107 [0094.146] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0094.146] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0094.147] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.362] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x161dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x161dfcf0, lpOverlapped=0x0) returned 0 [0094.362] CloseHandle (hObject=0xffffffff) returned 1 [0094.362] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.755] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="App.xaml") returned 1 [0095.755] lstrlenW (lpString="App.xaml") returned 8 [0095.755] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" [0095.755] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned 107 [0095.756] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\", lpString2="App.xaml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\App.xaml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\App.xaml" [0095.756] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\App.xaml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\App.xaml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\App.xaml" [0095.756] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\App.xaml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\App.xaml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\App.xaml id-Br3n0G72wUb8CejT.LyaS" [0095.756] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\App.xaml" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\app.xaml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\App.xaml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\app.xaml id-br3n0g72wub8cejt.lyas")) returned 0 [0095.823] FindNextFileW (in: hFindFile=0x2c9e708, lpFindFileData=0x161dfd28 | out: lpFindFileData=0x161dfd28) returned 1 [0095.823] lstrcpyW (in: lpString1=0x210885a8, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" [0095.823] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned 107 [0095.823] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0095.823] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0095.823] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0095.824] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x161dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x161dfcf0, lpOverlapped=0x0) returned 0 [0095.824] CloseHandle (hObject=0xffffffff) returned 1 [0095.824] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.824] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.824] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.824] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" [0095.824] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned 107 [0095.825] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.825] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.825] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.825] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0096.379] FindNextFileW (in: hFindFile=0x2c9e708, lpFindFileData=0x161dfd28 | out: lpFindFileData=0x161dfd28) returned 1 [0097.062] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" [0097.062] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned 107 [0097.062] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.062] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.063] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.063] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x161dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x161dfcf0, lpOverlapped=0x0) returned 0 [0097.063] CloseHandle (hObject=0xffffffff) returned 1 [0097.063] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.063] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxManifest.xml") returned 1 [0097.063] lstrlenW (lpString="AppxManifest.xml") returned 16 [0097.063] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" [0097.063] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned 107 [0097.063] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\", lpString2="AppxManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxManifest.xml" [0097.063] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxManifest.xml" [0097.063] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxManifest.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS" [0097.064] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxManifest.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\appxmanifest.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\appxmanifest.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0097.064] FindNextFileW (in: hFindFile=0x2c9e708, lpFindFileData=0x161dfd28 | out: lpFindFileData=0x161dfd28) returned 1 [0097.064] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0097.064] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0097.064] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 [0097.068] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" [0097.068] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned 107 [0097.068] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\", lpString2="AppxMetadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxMetadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxMetadata" [0097.068] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxMetadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*" [0097.068] GlobalMemoryStatus (in: lpBuffer=0x161dfd08 | out: lpBuffer=0x161dfd08) [0097.069] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1083e9d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x524 [0097.069] CloseHandle (hObject=0x524) returned 1 [0097.069] FindNextFileW (in: hFindFile=0x2c9e708, lpFindFileData=0x161dfd28 | out: lpFindFileData=0x161dfd28) returned 1 [0097.069] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" [0097.069] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned 107 [0097.069] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.069] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.070] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.070] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x161dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x161dfcf0, lpOverlapped=0x0) returned 0 [0097.070] CloseHandle (hObject=0xffffffff) returned 1 [0097.070] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.071] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxSignature.p7x") returned 1 [0097.071] lstrlenW (lpString="AppxSignature.p7x") returned 17 [0097.071] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" [0097.071] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned 107 [0097.071] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\", lpString2="AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x" [0097.071] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x" [0097.071] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" [0097.071] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\appxsignature.p7x"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\appxsignature.p7x id-br3n0g72wub8cejt.lyas")) returned 0 [0097.071] FindNextFileW (in: hFindFile=0x2c9e708, lpFindFileData=0x161dfd28 | out: lpFindFileData=0x161dfd28) returned 1 [0097.071] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" [0097.072] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned 107 [0097.097] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.097] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.097] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.097] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x161dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x161dfcf0, lpOverlapped=0x0) returned 0 [0097.097] CloseHandle (hObject=0xffffffff) returned 1 [0097.098] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.098] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="chartim.dll") returned 1 [0097.098] lstrlenW (lpString="chartim.dll") returned 11 [0097.098] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" [0097.098] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned 107 [0097.098] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\", lpString2="chartim.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\chartim.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\chartim.dll" [0097.098] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\chartim.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\chartim.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\chartim.dll" [0097.098] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\chartim.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\chartim.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\chartim.dll id-Br3n0G72wUb8CejT.LyaS" [0097.098] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\chartim.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\chartim.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\chartim.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\chartim.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0097.987] FindNextFileW (in: hFindFile=0x2c9e708, lpFindFileData=0x161dfd28 | out: lpFindFileData=0x161dfd28) returned 1 [0097.987] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" [0097.987] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned 107 [0097.987] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0097.987] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.987] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.988] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x161dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x161dfcf0, lpOverlapped=0x0) returned 0 [0097.988] CloseHandle (hObject=0xffffffff) returned 1 [0097.988] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.988] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="CsiImm.dll") returned 1 [0097.988] lstrlenW (lpString="CsiImm.dll") returned 10 [0097.988] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" [0097.988] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned 107 [0097.988] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\", lpString2="CsiImm.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\CsiImm.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\CsiImm.dll" [0097.988] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\CsiImm.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\CsiImm.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\CsiImm.dll" [0097.988] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\CsiImm.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\CsiImm.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\CsiImm.dll id-Br3n0G72wUb8CejT.LyaS" [0097.988] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\CsiImm.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\csiimm.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\CsiImm.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\csiimm.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0098.186] FindNextFileW (in: hFindFile=0x2c9e708, lpFindFileData=0x161dfd28 | out: lpFindFileData=0x161dfd28) returned 1 [0098.186] lstrcmpW (lpString1=".", lpString2="en-gb") returned -1 [0098.186] lstrcmpW (lpString1="..", lpString2="en-gb") returned -1 [0098.186] lstrcmpiW (lpString1="windows", lpString2="en-gb") returned 1 [0098.186] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" [0098.186] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned 107 [0098.186] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\", lpString2="en-gb" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb" [0098.186] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" [0098.186] GlobalMemoryStatus (in: lpBuffer=0x161dfd08 | out: lpBuffer=0x161dfd08) [0098.187] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x109b0d90, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5f0 [0098.188] CloseHandle (hObject=0x5f0) returned 1 [0098.188] FindNextFileW (in: hFindFile=0x2c9e708, lpFindFileData=0x161dfd28 | out: lpFindFileData=0x161dfd28) returned 1 [0098.188] lstrcmpW (lpString1=".", lpString2="en-us") returned -1 [0098.188] lstrcmpW (lpString1="..", lpString2="en-us") returned -1 [0098.188] lstrcmpiW (lpString1="windows", lpString2="en-us") returned 1 [0098.188] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" [0098.188] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned 107 [0098.188] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\", lpString2="en-us" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-us") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-us" [0098.188] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-us", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-us\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-us\\*.*" [0098.188] GlobalMemoryStatus (in: lpBuffer=0x161dfd08 | out: lpBuffer=0x161dfd08) [0098.188] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x109c8df8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5f0 [0098.189] CloseHandle (hObject=0x5f0) returned 1 [0098.189] FindNextFileW (in: hFindFile=0x2c9e708, lpFindFileData=0x161dfd28 | out: lpFindFileData=0x161dfd28) returned 1 [0098.189] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" [0098.189] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned 107 [0098.189] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0098.189] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0098.189] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.189] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x161dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x161dfcf0, lpOverlapped=0x0) returned 0 [0098.189] CloseHandle (hObject=0xffffffff) returned 1 [0098.189] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0098.190] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="EventInterpreterImm.dll") returned 1 [0098.190] lstrlenW (lpString="EventInterpreterImm.dll") returned 23 [0098.190] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" [0098.190] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned 107 [0098.190] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\", lpString2="EventInterpreterImm.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\EventInterpreterImm.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\EventInterpreterImm.dll" [0098.190] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\EventInterpreterImm.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\EventInterpreterImm.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\EventInterpreterImm.dll" [0098.190] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\EventInterpreterImm.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\EventInterpreterImm.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\EventInterpreterImm.dll id-Br3n0G72wUb8CejT.LyaS" [0098.190] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\EventInterpreterImm.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\eventinterpreterimm.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\EventInterpreterImm.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\eventinterpreterimm.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0099.207] FindNextFileW (in: hFindFile=0x2c9e708, lpFindFileData=0x161dfd28 | out: lpFindFileData=0x161dfd28) returned 1 [0099.360] lstrcpyW (in: lpString1=0x5b30738, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*" [0099.360] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\*.*") returned 107 [0099.360] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0099.360] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0099.360] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 297 os_tid = 0xa68 [0091.890] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_2015.6002.42251.0_neutral_~_8wekyb3d8bbwe\\*.*", lpFindFileData=0x1631fd28 | out: lpFindFileData=0x1631fd28) returned 0x2c9ec88 [0093.664] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.664] FindNextFileW (in: hFindFile=0x2c9ec88, lpFindFileData=0x1631fd28 | out: lpFindFileData=0x1631fd28) returned 1 [0093.664] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.664] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.664] FindNextFileW (in: hFindFile=0x2c9ec88, lpFindFileData=0x1631fd28 | out: lpFindFileData=0x1631fd28) returned 1 [0093.664] lstrcpyW (in: lpString1=0x10dc5f18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_2015.6002.42251.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_2015.6002.42251.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_2015.6002.42251.0_neutral_~_8wekyb3d8bbwe\\*.*" [0093.664] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_2015.6002.42251.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 114 [0093.664] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_2015.6002.42251.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_2015.6002.42251.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_2015.6002.42251.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0093.665] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_2015.6002.42251.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_2015.6002.42251.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.665] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_2015.6002.42251.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_2015.6002.42251.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 298 os_tid = 0x248 [0091.891] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_2015.619.213.0_neutral_~_8wekyb3d8bbwe\\*.*", lpFindFileData=0x1645fd28 | out: lpFindFileData=0x1645fd28) returned 0x2c9f288 [0093.421] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.421] FindNextFileW (in: hFindFile=0x2c9f288, lpFindFileData=0x1645fd28 | out: lpFindFileData=0x1645fd28) returned 1 [0093.662] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.662] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.662] FindNextFileW (in: hFindFile=0x2c9f288, lpFindFileData=0x1645fd28 | out: lpFindFileData=0x1645fd28) returned 1 [0093.663] lstrcpyW (in: lpString1=0x20ea84d0, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_2015.619.213.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_2015.619.213.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_2015.619.213.0_neutral_~_8wekyb3d8bbwe\\*.*" [0093.663] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_2015.619.213.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 97 [0093.663] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_2015.619.213.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_2015.619.213.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_2015.619.213.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0093.663] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_2015.619.213.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsmaps_2015.619.213.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.663] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_2015.619.213.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsmaps_2015.619.213.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 299 os_tid = 0x15c [0091.891] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\*.*", lpFindFileData=0x1659fd28 | out: lpFindFileData=0x1659fd28) returned 0x2c9f0c8 [0093.416] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.416] FindNextFileW (in: hFindFile=0x2c9f0c8, lpFindFileData=0x1659fd28 | out: lpFindFileData=0x1659fd28) returned 1 [0093.747] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.747] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.747] FindNextFileW (in: hFindFile=0x2c9f0c8, lpFindFileData=0x1659fd28 | out: lpFindFileData=0x1659fd28) returned 1 [0093.750] lstrcpyW (in: lpString1=0x21030568, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\*.*" [0093.750] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\*.*") returned 92 [0093.750] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0093.750] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsmaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.750] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsmaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0095.834] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1659fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1659fcf0, lpOverlapped=0x0) returned 0 [0095.834] CloseHandle (hObject=0xffffffff) returned 1 [0095.834] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.834] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.834] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.834] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\*.*" [0095.835] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\*.*") returned 92 [0095.835] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.835] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.835] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.835] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsmaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsmaps_4.1505.50619.0_x64__8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0095.969] FindNextFileW (in: hFindFile=0x2c9f0c8, lpFindFileData=0x1659fd28 | out: lpFindFileData=0x1659fd28) returned 1 Thread: id = 300 os_tid = 0xae4 [0091.895] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\*.*", lpFindFileData=0x166dfd28 | out: lpFindFileData=0x166dfd28) returned 0x2c9f108 [0093.417] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.417] FindNextFileW (in: hFindFile=0x2c9f108, lpFindFileData=0x166dfd28 | out: lpFindFileData=0x166dfd28) returned 1 [0093.733] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.733] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.733] FindNextFileW (in: hFindFile=0x2c9f108, lpFindFileData=0x166dfd28 | out: lpFindFileData=0x166dfd28) returned 1 [0093.736] lstrcpyW (in: lpString1=0x21000550, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\*.*" [0093.736] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\*.*") returned 94 [0093.736] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0093.736] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsphone_10.1506.20010.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.737] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsphone_10.1506.20010.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0095.838] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x166dfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x166dfcf0, lpOverlapped=0x0) returned 0 [0095.839] CloseHandle (hObject=0xffffffff) returned 1 [0095.839] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.839] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ApplicationInsights.config") returned 1 [0095.839] lstrlenW (lpString="ApplicationInsights.config") returned 26 [0095.839] lstrcmpiW (lpString1=".LyaS", lpString2="onfig") returned -1 [0095.839] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\*.*" [0095.839] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\*.*") returned 94 [0095.839] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\", lpString2="ApplicationInsights.config" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\ApplicationInsights.config") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\ApplicationInsights.config" [0095.839] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\ApplicationInsights.config" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\ApplicationInsights.config") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\ApplicationInsights.config" [0095.839] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\ApplicationInsights.config", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\ApplicationInsights.config id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\ApplicationInsights.config id-Br3n0G72wUb8CejT.LyaS" [0095.839] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\ApplicationInsights.config" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsphone_10.1506.20010.0_x64__8wekyb3d8bbwe\\applicationinsights.config"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\\ApplicationInsights.config id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsphone_10.1506.20010.0_x64__8wekyb3d8bbwe\\applicationinsights.config id-br3n0g72wub8cejt.lyas")) returned 0 [0095.921] FindNextFileW (in: hFindFile=0x2c9f108, lpFindFileData=0x166dfd28 | out: lpFindFileData=0x166dfd28) returned 1 Thread: id = 301 os_tid = 0x854 [0091.896] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_2015.620.10.0_neutral_~_8wekyb3d8bbwe\\*.*", lpFindFileData=0x1681fd28 | out: lpFindFileData=0x1681fd28) returned 0x2c9ed48 [0093.421] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.421] FindNextFileW (in: hFindFile=0x2c9ed48, lpFindFileData=0x1681fd28 | out: lpFindFileData=0x1681fd28) returned 1 [0093.670] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.670] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.670] FindNextFileW (in: hFindFile=0x2c9ed48, lpFindFileData=0x1681fd28 | out: lpFindFileData=0x1681fd28) returned 1 [0093.670] lstrcpyW (in: lpString1=0x10dcdf20, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_2015.620.10.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_2015.620.10.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_2015.620.10.0_neutral_~_8wekyb3d8bbwe\\*.*" [0093.670] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_2015.620.10.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 97 [0093.670] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_2015.620.10.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_2015.620.10.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_2015.620.10.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0093.670] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_2015.620.10.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsphone_2015.620.10.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.670] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsPhone_2015.620.10.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsphone_2015.620.10.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 302 os_tid = 0xa30 [0091.897] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_10.1506.15100.0_x64__8wekyb3d8bbwe\\*.*", lpFindFileData=0x1695fd28 | out: lpFindFileData=0x1695fd28) returned 0x108057c8 [0092.060] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.060] FindNextFileW (in: hFindFile=0x108057c8, lpFindFileData=0x1695fd28 | out: lpFindFileData=0x1695fd28) returned 1 [0092.060] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.060] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.061] FindNextFileW (in: hFindFile=0x108057c8, lpFindFileData=0x1695fd28 | out: lpFindFileData=0x1695fd28) returned 1 [0092.061] lstrcpyW (in: lpString1=0x66cf80, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_10.1506.15100.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_10.1506.15100.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_10.1506.15100.0_x64__8wekyb3d8bbwe\\*.*" [0092.061] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_10.1506.15100.0_x64__8wekyb3d8bbwe\\*.*") returned 102 [0092.061] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_10.1506.15100.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_10.1506.15100.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_10.1506.15100.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0092.061] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_10.1506.15100.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowssoundrecorder_10.1506.15100.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0092.061] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_10.1506.15100.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowssoundrecorder_10.1506.15100.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.347] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1695fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1695fcf0, lpOverlapped=0x0) returned 0 [0094.347] CloseHandle (hObject=0xffffffff) returned 1 [0094.347] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_10.1506.15100.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 Thread: id = 303 os_tid = 0xb3c [0091.897] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*", lpFindFileData=0x16a9fd28 | out: lpFindFileData=0x16a9fd28) returned 0x2c9e5c8 [0094.286] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.286] FindNextFileW (in: hFindFile=0x2c9e5c8, lpFindFileData=0x16a9fd28 | out: lpFindFileData=0x16a9fd28) returned 1 [0094.286] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0094.286] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.286] FindNextFileW (in: hFindFile=0x2c9e5c8, lpFindFileData=0x16a9fd28 | out: lpFindFileData=0x16a9fd28) returned 1 [0094.286] lstrcpyW (in: lpString1=0x10610208, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*" [0094.286] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 107 [0094.286] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0094.286] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowssoundrecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0094.286] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowssoundrecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.364] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x16a9fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x16a9fcf0, lpOverlapped=0x0) returned 0 [0094.365] CloseHandle (hObject=0xffffffff) returned 1 [0094.365] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.731] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.731] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.731] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.731] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 107 [0095.731] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.731] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.731] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.731] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.windowssoundrecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowssoundrecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0095.816] FindNextFileW (in: hFindFile=0x2c9e5c8, lpFindFileData=0x16a9fd28 | out: lpFindFileData=0x16a9fd28) returned 1 [0095.817] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0095.817] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0095.817] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 [0095.817] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.817] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 107 [0095.817] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxMetadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata" [0095.817] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0095.817] GlobalMemoryStatus (in: lpBuffer=0x16a9fd08 | out: lpBuffer=0x16a9fd08) [0095.817] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8df9848, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x33c [0095.818] CloseHandle (hObject=0x33c) returned 1 [0095.818] FindNextFileW (in: hFindFile=0x2c9e5c8, lpFindFileData=0x16a9fd28 | out: lpFindFileData=0x16a9fd28) returned 1 [0095.818] lstrcpyW (in: lpString1=0x210885a8, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.818] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 107 [0095.818] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0095.818] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowssoundrecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0095.818] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowssoundrecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0095.819] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x16a9fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x16a9fcf0, lpOverlapped=0x0) returned 0 [0095.819] CloseHandle (hObject=0xffffffff) returned 1 [0095.819] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.819] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxSignature.p7x") returned 1 [0095.820] lstrlenW (lpString="AppxSignature.p7x") returned 17 [0095.820] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.820] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 107 [0095.820] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" [0095.820] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" [0095.820] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" [0095.820] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" (normalized: "c:\\program files\\windowsapps\\microsoft.windowssoundrecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\appxsignature.p7x"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowssoundrecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\appxsignature.p7x id-br3n0g72wub8cejt.lyas")) returned 0 [0095.820] FindNextFileW (in: hFindFile=0x2c9e5c8, lpFindFileData=0x16a9fd28 | out: lpFindFileData=0x16a9fd28) returned 1 [0095.820] lstrcmpW (lpString1=".", lpString2="microsoft.system.package.metadata") returned -1 [0095.820] lstrcmpW (lpString1="..", lpString2="microsoft.system.package.metadata") returned -1 [0095.820] lstrcmpiW (lpString1="windows", lpString2="microsoft.system.package.metadata") returned 1 [0095.820] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.820] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 107 [0095.820] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\", lpString2="microsoft.system.package.metadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata" [0095.820] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*" [0095.820] GlobalMemoryStatus (in: lpBuffer=0x16a9fd08 | out: lpBuffer=0x16a9fd08) [0095.820] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5c58c20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x33c [0095.821] CloseHandle (hObject=0x33c) returned 1 [0095.821] FindNextFileW (in: hFindFile=0x2c9e5c8, lpFindFileData=0x16a9fd28 | out: lpFindFileData=0x16a9fd28) returned 0 [0095.821] FindClose (in: hFindFile=0x2c9e5c8 | out: hFindFile=0x2c9e5c8) returned 1 Thread: id = 304 os_tid = 0xc28 [0091.899] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\*.*", lpFindFileData=0x16d1fd28 | out: lpFindFileData=0x16d1fd28) returned 0x10804d48 [0092.239] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.239] FindNextFileW (in: hFindFile=0x10804d48, lpFindFileData=0x16d1fd28 | out: lpFindFileData=0x16d1fd28) returned 1 [0092.239] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.239] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.239] FindNextFileW (in: hFindFile=0x10804d48, lpFindFileData=0x16d1fd28 | out: lpFindFileData=0x16d1fd28) returned 1 [0092.239] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Users\\Public\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\*.*") returned="\\\\?\\C:\\Users\\Public\\Documents\\*.*" [0092.239] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Documents\\*.*") returned 33 [0092.239] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\Public\\Documents\\How To Restore Files.hta" [0092.239] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\How To Restore Files.hta" (normalized: "c:\\users\\public\\documents\\how to restore files.hta")) returned 0xffffffff [0092.239] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\How To Restore Files.hta" (normalized: "c:\\users\\public\\documents\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0092.241] WriteFile (in: hFile=0x4c0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x16d1fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x16d1fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0092.242] CloseHandle (hObject=0x4c0) returned 1 [0092.243] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0092.243] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="desktop.ini") returned 1 [0092.243] lstrlenW (lpString="desktop.ini") returned 11 [0092.243] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\*.*") returned="\\\\?\\C:\\Users\\Public\\Documents\\*.*" [0092.243] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Documents\\*.*") returned 33 [0092.243] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini" [0092.244] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini" [0092.244] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" [0092.244] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini" (normalized: "c:\\users\\public\\documents\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\public\\documents\\desktop.ini id-br3n0g72wub8cejt.lyas")) returned 1 [0092.257] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\public\\documents\\desktop.ini id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0092.258] CreateFileMappingA (hFile=0x4c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4cc [0092.258] CryptAcquireContextA (in: phProv=0x16d1fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x16d1fce4*=0x5d1938) returned 1 [0092.259] CryptGenKey (in: hProv=0x5d1938, Algid=0x6610, dwFlags=0x1, phKey=0x16d1fce0 | out: phKey=0x16d1fce0*=0x10804f08) returned 1 [0092.259] CryptExportKey (in: hKey=0x10804f08, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x16d1fbdc, pdwDataLen=0x16d1fcdc | out: pbData=0x16d1fbdc*, pdwDataLen=0x16d1fcdc*=0x2c) returned 1 [0092.259] MapViewOfFile (hFileMappingObject=0x4cc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100) returned 0x64e0000 [0092.261] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x16d1fbdc*, pdwDataLen=0x16d1fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x16d1fbdc*, pdwDataLen=0x16d1fcf0*=0x100) returned 1 [0092.262] CryptEncrypt (in: hKey=0x10804f08, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x64e0000*, pdwDataLen=0x16d1fcdc*=0x100, dwBufLen=0x100 | out: pbData=0x64e0000*, pdwDataLen=0x16d1fcdc*=0x100) returned 1 [0092.262] UnmapViewOfFile (lpBaseAddress=0x64e0000) returned 1 [0092.262] CloseHandle (hObject=0x4cc) returned 1 [0092.262] CryptDestroyKey (hKey=0x10804f08) returned 1 [0092.262] CryptReleaseContext (hProv=0x5d1938, dwFlags=0x0) returned 1 [0092.262] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.262] WriteFile (in: hFile=0x4c4, lpBuffer=0x16d1fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x16d1fcf0, lpOverlapped=0x0 | out: lpBuffer=0x16d1fbdc*, lpNumberOfBytesWritten=0x16d1fcf0*=0x100, lpOverlapped=0x0) returned 1 [0092.263] WriteFile (in: hFile=0x4c4, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x16d1fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x16d1fcf0*=0x500, lpOverlapped=0x0) returned 1 [0092.285] CloseHandle (hObject=0x4c4) returned 1 [0092.287] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0092.287] FindNextFileW (in: hFindFile=0x10804d48, lpFindFileData=0x16d1fd28 | out: lpFindFileData=0x16d1fd28) returned 1 [0092.287] lstrcmpW (lpString1=".", lpString2="My Music") returned -1 [0092.287] lstrcmpW (lpString1="..", lpString2="My Music") returned -1 [0092.287] lstrcmpiW (lpString1="windows", lpString2="My Music") returned 1 [0092.287] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\*.*") returned="\\\\?\\C:\\Users\\Public\\Documents\\*.*" [0092.287] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Documents\\*.*") returned 33 [0092.287] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\", lpString2="My Music" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Music") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Music" [0092.288] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Music", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Music\\*.*") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Music\\*.*" [0092.288] GlobalMemoryStatus (in: lpBuffer=0x16d1fd08 | out: lpBuffer=0x16d1fd08) [0092.288] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10bd96e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4c4 [0092.288] CloseHandle (hObject=0x4c4) returned 1 [0092.288] FindNextFileW (in: hFindFile=0x10804d48, lpFindFileData=0x16d1fd28 | out: lpFindFileData=0x16d1fd28) returned 1 [0092.288] lstrcmpW (lpString1=".", lpString2="My Pictures") returned -1 [0092.288] lstrcmpW (lpString1="..", lpString2="My Pictures") returned -1 [0092.288] lstrcmpiW (lpString1="windows", lpString2="My Pictures") returned 1 [0092.289] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\*.*") returned="\\\\?\\C:\\Users\\Public\\Documents\\*.*" [0092.289] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Documents\\*.*") returned 33 [0092.289] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\", lpString2="My Pictures" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures" [0092.289] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures\\*.*") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures\\*.*" [0092.289] GlobalMemoryStatus (in: lpBuffer=0x16d1fd08 | out: lpBuffer=0x16d1fd08) [0092.289] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5a58390, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4c4 [0092.289] CloseHandle (hObject=0x4c4) returned 1 [0092.289] FindNextFileW (in: hFindFile=0x10804d48, lpFindFileData=0x16d1fd28 | out: lpFindFileData=0x16d1fd28) returned 1 [0092.289] lstrcmpW (lpString1=".", lpString2="My Videos") returned -1 [0092.289] lstrcmpW (lpString1="..", lpString2="My Videos") returned -1 [0092.289] lstrcmpiW (lpString1="windows", lpString2="My Videos") returned 1 [0092.289] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\*.*") returned="\\\\?\\C:\\Users\\Public\\Documents\\*.*" [0092.289] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Documents\\*.*") returned 33 [0092.290] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\", lpString2="My Videos" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Videos") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Videos" [0092.290] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Videos", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Videos\\*.*") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Videos\\*.*" [0092.290] GlobalMemoryStatus (in: lpBuffer=0x16d1fd08 | out: lpBuffer=0x16d1fd08) [0092.292] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5d10e38, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4c4 [0092.293] CloseHandle (hObject=0x4c4) returned 1 [0092.293] FindNextFileW (in: hFindFile=0x10804d48, lpFindFileData=0x16d1fd28 | out: lpFindFileData=0x16d1fd28) returned 0 [0092.293] FindClose (in: hFindFile=0x10804d48 | out: hFindFile=0x10804d48) returned 1 Thread: id = 305 os_tid = 0x538 [0091.899] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\*.*", lpFindFileData=0x16e5fd28 | out: lpFindFileData=0x16e5fd28) returned 0x10804d88 [0092.245] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.245] FindNextFileW (in: hFindFile=0x10804d88, lpFindFileData=0x16e5fd28 | out: lpFindFileData=0x16e5fd28) returned 1 [0092.245] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.245] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.245] FindNextFileW (in: hFindFile=0x10804d88, lpFindFileData=0x16e5fd28 | out: lpFindFileData=0x16e5fd28) returned 1 [0092.245] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Users\\Public\\Downloads\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Downloads\\*.*") returned="\\\\?\\C:\\Users\\Public\\Downloads\\*.*" [0092.245] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Downloads\\*.*") returned 33 [0092.245] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Downloads\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\Public\\Downloads\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\Public\\Downloads\\How To Restore Files.hta" [0092.245] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\How To Restore Files.hta" (normalized: "c:\\users\\public\\downloads\\how to restore files.hta")) returned 0xffffffff [0092.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\How To Restore Files.hta" (normalized: "c:\\users\\public\\downloads\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0092.246] WriteFile (in: hFile=0x4c4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x16e5fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x16e5fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0092.247] CloseHandle (hObject=0x4c4) returned 1 [0092.247] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0092.248] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="desktop.ini") returned 1 [0092.248] lstrlenW (lpString="desktop.ini") returned 11 [0092.248] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Downloads\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Downloads\\*.*") returned="\\\\?\\C:\\Users\\Public\\Downloads\\*.*" [0092.248] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Downloads\\*.*") returned 33 [0092.248] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Downloads\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini" [0092.248] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini" [0092.248] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" [0092.248] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini" (normalized: "c:\\users\\public\\downloads\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\public\\downloads\\desktop.ini id-br3n0g72wub8cejt.lyas")) returned 1 [0092.250] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\public\\downloads\\desktop.ini id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0092.250] CreateFileMappingA (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4cc [0092.250] CryptAcquireContextA (in: phProv=0x16e5fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x16e5fce4*=0x5d1938) returned 1 [0092.251] CryptGenKey (in: hProv=0x5d1938, Algid=0x6610, dwFlags=0x1, phKey=0x16e5fce0 | out: phKey=0x16e5fce0*=0x10804f08) returned 1 [0092.251] CryptExportKey (in: hKey=0x10804f08, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x16e5fbdc, pdwDataLen=0x16e5fcdc | out: pbData=0x16e5fbdc*, pdwDataLen=0x16e5fcdc*=0x2c) returned 1 [0092.251] MapViewOfFile (hFileMappingObject=0x4cc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa0) returned 0x64e0000 [0092.253] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x16e5fbdc*, pdwDataLen=0x16e5fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x16e5fbdc*, pdwDataLen=0x16e5fcf0*=0x100) returned 1 [0092.254] CryptEncrypt (in: hKey=0x10804f08, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x64e0000*, pdwDataLen=0x16e5fcdc*=0xa0, dwBufLen=0xa0 | out: pbData=0x64e0000*, pdwDataLen=0x16e5fcdc*=0xa0) returned 1 [0092.254] UnmapViewOfFile (lpBaseAddress=0x64e0000) returned 1 [0092.254] CloseHandle (hObject=0x4cc) returned 1 [0092.254] CryptDestroyKey (hKey=0x10804f08) returned 1 [0092.254] CryptReleaseContext (hProv=0x5d1938, dwFlags=0x0) returned 1 [0092.254] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.254] WriteFile (in: hFile=0x4c8, lpBuffer=0x16e5fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x16e5fcf0, lpOverlapped=0x0 | out: lpBuffer=0x16e5fbdc*, lpNumberOfBytesWritten=0x16e5fcf0*=0x100, lpOverlapped=0x0) returned 1 [0092.255] WriteFile (in: hFile=0x4c8, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x16e5fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x16e5fcf0*=0x500, lpOverlapped=0x0) returned 1 [0092.265] CloseHandle (hObject=0x4c8) returned 1 [0092.269] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0092.269] FindNextFileW (in: hFindFile=0x10804d88, lpFindFileData=0x16e5fd28 | out: lpFindFileData=0x16e5fd28) returned 0 [0092.269] FindClose (in: hFindFile=0x10804d88 | out: hFindFile=0x10804d88) returned 1 Thread: id = 306 os_tid = 0xc38 [0091.902] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\*.*", lpFindFileData=0x16f9fd28 | out: lpFindFileData=0x16f9fd28) returned 0x10804e08 [0092.303] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.303] FindNextFileW (in: hFindFile=0x10804e08, lpFindFileData=0x16f9fd28 | out: lpFindFileData=0x16f9fd28) returned 1 [0092.303] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.303] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.303] FindNextFileW (in: hFindFile=0x10804e08, lpFindFileData=0x16f9fd28 | out: lpFindFileData=0x16f9fd28) returned 1 [0092.303] lstrcpyW (in: lpString1=0x106001f8, lpString2="\\\\?\\C:\\Users\\Public\\Libraries\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\*.*") returned="\\\\?\\C:\\Users\\Public\\Libraries\\*.*" [0092.303] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Libraries\\*.*") returned 33 [0092.303] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\Public\\Libraries\\How To Restore Files.hta" [0092.303] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\How To Restore Files.hta" (normalized: "c:\\users\\public\\libraries\\how to restore files.hta")) returned 0xffffffff [0092.303] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\How To Restore Files.hta" (normalized: "c:\\users\\public\\libraries\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4ec [0094.573] WriteFile (in: hFile=0x4ec, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x16f9fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x16f9fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.574] CloseHandle (hObject=0x4ec) returned 1 [0094.579] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.922] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="desktop.ini") returned 1 [0094.922] lstrlenW (lpString="desktop.ini") returned 11 [0094.922] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Libraries\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\*.*") returned="\\\\?\\C:\\Users\\Public\\Libraries\\*.*" [0094.922] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Libraries\\*.*") returned 33 [0094.923] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini" [0094.923] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini" [0094.923] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" [0094.923] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini" (normalized: "c:\\users\\public\\libraries\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\public\\libraries\\desktop.ini id-br3n0g72wub8cejt.lyas")) returned 1 [0096.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\public\\libraries\\desktop.ini id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x424 [0096.639] CreateFileMappingA (hFile=0x424, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x324 [0096.640] CryptAcquireContextA (in: phProv=0x16f9fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x16f9fce4*=0x1083d850) returned 1 [0096.640] CryptGenKey (in: hProv=0x1083d850, Algid=0x6610, dwFlags=0x1, phKey=0x16f9fce0 | out: phKey=0x16f9fce0*=0x5c8f10) returned 1 [0096.640] CryptExportKey (in: hKey=0x5c8f10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x16f9fbdc, pdwDataLen=0x16f9fcdc | out: pbData=0x16f9fbdc*, pdwDataLen=0x16f9fcdc*=0x2c) returned 1 [0096.640] MapViewOfFile (hFileMappingObject=0x324, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa0) returned 0x31e0000 [0096.935] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x16f9fbdc*, pdwDataLen=0x16f9fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x16f9fbdc*, pdwDataLen=0x16f9fcf0*=0x100) returned 1 [0096.936] CryptEncrypt (in: hKey=0x5c8f10, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x31e0000*, pdwDataLen=0x16f9fcdc*=0xa0, dwBufLen=0xa0 | out: pbData=0x31e0000*, pdwDataLen=0x16f9fcdc*=0xa0) returned 1 [0096.936] UnmapViewOfFile (lpBaseAddress=0x31e0000) returned 1 [0096.936] CloseHandle (hObject=0x324) returned 1 [0096.936] CryptDestroyKey (hKey=0x5c8f10) returned 1 [0096.936] CryptReleaseContext (hProv=0x1083d850, dwFlags=0x0) returned 1 [0096.936] SetFilePointerEx (in: hFile=0x424, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.936] WriteFile (in: hFile=0x424, lpBuffer=0x16f9fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x16f9fcf0, lpOverlapped=0x0 | out: lpBuffer=0x16f9fbdc*, lpNumberOfBytesWritten=0x16f9fcf0*=0x100, lpOverlapped=0x0) returned 1 [0096.937] WriteFile (hFile=0x424, lpBuffer=0x403ca0, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x16f9fcf0, lpOverlapped=0x0) Thread: id = 307 os_tid = 0xc2c [0091.903] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Music\\*.*", lpFindFileData=0x170dfd28 | out: lpFindFileData=0x170dfd28) returned 0x10804dc8 [0092.299] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.299] FindNextFileW (in: hFindFile=0x10804dc8, lpFindFileData=0x170dfd28 | out: lpFindFileData=0x170dfd28) returned 1 [0092.299] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.300] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.300] FindNextFileW (in: hFindFile=0x10804dc8, lpFindFileData=0x170dfd28 | out: lpFindFileData=0x170dfd28) returned 1 [0092.300] lstrcpyW (in: lpString1=0x106001f8, lpString2="\\\\?\\C:\\Users\\Public\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\*.*") returned="\\\\?\\C:\\Users\\Public\\Music\\*.*" [0092.300] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\*.*") returned 29 [0092.300] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Music\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\Public\\Music\\How To Restore Files.hta" [0092.300] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\How To Restore Files.hta" (normalized: "c:\\users\\public\\music\\how to restore files.hta")) returned 0xffffffff [0092.300] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\How To Restore Files.hta" (normalized: "c:\\users\\public\\music\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0092.300] WriteFile (in: hFile=0x4c8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x170dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x170dfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0092.301] CloseHandle (hObject=0x4c8) returned 1 [0092.301] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0092.302] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="desktop.ini") returned 1 [0092.302] lstrlenW (lpString="desktop.ini") returned 11 [0092.302] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\*.*") returned="\\\\?\\C:\\Users\\Public\\Music\\*.*" [0092.302] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\*.*") returned 29 [0092.302] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Music\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini" [0092.302] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini" [0092.302] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" [0092.302] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\public\\music\\desktop.ini id-br3n0g72wub8cejt.lyas")) returned 1 [0093.341] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\public\\music\\desktop.ini id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0093.342] CreateFileMappingA (hFile=0x5b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5bc [0093.342] CryptAcquireContextA (in: phProv=0x170dfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x170dfce4*=0x1083cb08) returned 1 [0093.343] CryptGenKey (in: hProv=0x1083cb08, Algid=0x6610, dwFlags=0x1, phKey=0x170dfce0 | out: phKey=0x170dfce0*=0x2c9ea08) returned 1 [0093.343] CryptExportKey (in: hKey=0x2c9ea08, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x170dfbdc, pdwDataLen=0x170dfcdc | out: pbData=0x170dfbdc*, pdwDataLen=0x170dfcdc*=0x2c) returned 1 [0093.343] MapViewOfFile (hFileMappingObject=0x5bc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x160) returned 0xf590000 [0093.363] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x170dfbdc*, pdwDataLen=0x170dfcf0*=0x40, dwBufLen=0x100 | out: pbData=0x170dfbdc*, pdwDataLen=0x170dfcf0*=0x100) returned 1 [0093.363] CryptEncrypt (in: hKey=0x2c9ea08, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xf590000*, pdwDataLen=0x170dfcdc*=0x160, dwBufLen=0x160 | out: pbData=0xf590000*, pdwDataLen=0x170dfcdc*=0x160) returned 1 [0093.363] UnmapViewOfFile (lpBaseAddress=0xf590000) returned 1 [0093.363] CloseHandle (hObject=0x5bc) returned 1 [0093.364] CryptDestroyKey (hKey=0x2c9ea08) returned 1 [0093.364] CryptReleaseContext (hProv=0x1083cb08, dwFlags=0x0) returned 1 [0093.364] SetFilePointerEx (in: hFile=0x5b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.364] WriteFile (in: hFile=0x5b8, lpBuffer=0x170dfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x170dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x170dfbdc*, lpNumberOfBytesWritten=0x170dfcf0*=0x100, lpOverlapped=0x0) returned 1 [0093.365] WriteFile (in: hFile=0x5b8, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x170dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x170dfcf0*=0x500, lpOverlapped=0x0) returned 1 [0094.626] CloseHandle (hObject=0x5b8) returned 1 [0094.635] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0094.636] FindNextFileW (in: hFindFile=0x10804dc8, lpFindFileData=0x170dfd28 | out: lpFindFileData=0x170dfd28) returned 0 [0094.636] FindClose (in: hFindFile=0x10804dc8 | out: hFindFile=0x10804dc8) returned 1 Thread: id = 308 os_tid = 0x7f8 [0091.912] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\*.*", lpFindFileData=0x1721fd28 | out: lpFindFileData=0x1721fd28) returned 0x10804d88 [0092.295] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.295] FindNextFileW (in: hFindFile=0x10804d88, lpFindFileData=0x1721fd28 | out: lpFindFileData=0x1721fd28) returned 1 [0092.295] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.295] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.295] FindNextFileW (in: hFindFile=0x10804d88, lpFindFileData=0x1721fd28 | out: lpFindFileData=0x1721fd28) returned 1 [0092.295] lstrcpyW (in: lpString1=0x106001f8, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\Public\\Pictures\\*.*" [0092.295] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\*.*") returned 32 [0092.295] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\Public\\Pictures\\How To Restore Files.hta" [0092.295] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\How To Restore Files.hta" (normalized: "c:\\users\\public\\pictures\\how to restore files.hta")) returned 0xffffffff [0092.295] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\How To Restore Files.hta" (normalized: "c:\\users\\public\\pictures\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0092.296] WriteFile (in: hFile=0x4c0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1721fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1721fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0092.297] CloseHandle (hObject=0x4c0) returned 1 [0092.298] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0092.298] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="desktop.ini") returned 1 [0092.298] lstrlenW (lpString="desktop.ini") returned 11 [0092.298] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\Public\\Pictures\\*.*" [0092.298] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\*.*") returned 32 [0092.298] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini" [0092.298] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini" [0092.299] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" [0092.299] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini" (normalized: "c:\\users\\public\\pictures\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\public\\pictures\\desktop.ini id-br3n0g72wub8cejt.lyas")) returned 1 [0093.306] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\public\\pictures\\desktop.ini id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0093.307] CreateFileMappingA (hFile=0x45c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0093.307] CryptAcquireContextA (in: phProv=0x1721fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1721fce4*=0x1083ca80) returned 1 [0093.307] CryptGenKey (in: hProv=0x1083ca80, Algid=0x6610, dwFlags=0x1, phKey=0x1721fce0 | out: phKey=0x1721fce0*=0x2c9e988) returned 1 [0093.307] CryptExportKey (in: hKey=0x2c9e988, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1721fbdc, pdwDataLen=0x1721fcdc | out: pbData=0x1721fbdc*, pdwDataLen=0x1721fcdc*=0x2c) returned 1 [0093.307] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x160) returned 0x6640000 [0094.282] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1721fbdc*, pdwDataLen=0x1721fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1721fbdc*, pdwDataLen=0x1721fcf0*=0x100) returned 1 [0094.282] CryptEncrypt (in: hKey=0x2c9e988, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x6640000*, pdwDataLen=0x1721fcdc*=0x160, dwBufLen=0x160 | out: pbData=0x6640000*, pdwDataLen=0x1721fcdc*=0x160) returned 1 [0094.282] UnmapViewOfFile (lpBaseAddress=0x6640000) returned 1 [0094.801] CloseHandle (hObject=0x5b4) returned 1 [0094.801] CryptDestroyKey (hKey=0x2c9e988) returned 1 [0094.801] CryptReleaseContext (hProv=0x1083ca80, dwFlags=0x0) returned 1 [0094.801] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.801] WriteFile (in: hFile=0x45c, lpBuffer=0x1721fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1721fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1721fbdc*, lpNumberOfBytesWritten=0x1721fcf0*=0x100, lpOverlapped=0x0) returned 1 [0094.802] WriteFile (in: hFile=0x45c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1721fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1721fcf0*=0x500, lpOverlapped=0x0) returned 1 [0096.293] CloseHandle (hObject=0x45c) returned 1 [0096.297] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0096.298] FindNextFileW (in: hFindFile=0x10804d88, lpFindFileData=0x1721fd28 | out: lpFindFileData=0x1721fd28) returned 0 [0096.298] FindClose (in: hFindFile=0x10804d88 | out: hFindFile=0x10804d88) returned 1 Thread: id = 309 os_tid = 0xc30 [0091.912] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\*.*", lpFindFileData=0x1735fd28 | out: lpFindFileData=0x1735fd28) returned 0x10804d48 [0092.293] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.293] FindNextFileW (in: hFindFile=0x10804d48, lpFindFileData=0x1735fd28 | out: lpFindFileData=0x1735fd28) returned 1 [0092.293] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.293] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.293] FindNextFileW (in: hFindFile=0x10804d48, lpFindFileData=0x1735fd28 | out: lpFindFileData=0x1735fd28) returned 1 [0092.294] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Users\\Public\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\*.*") returned="\\\\?\\C:\\Users\\Public\\Videos\\*.*" [0092.294] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Videos\\*.*") returned 30 [0092.294] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\Public\\Videos\\How To Restore Files.hta" [0092.294] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\How To Restore Files.hta" (normalized: "c:\\users\\public\\videos\\how to restore files.hta")) returned 0xffffffff [0092.294] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\How To Restore Files.hta" (normalized: "c:\\users\\public\\videos\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0093.304] WriteFile (in: hFile=0x45c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1735fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1735fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0093.305] CloseHandle (hObject=0x45c) returned 1 [0093.305] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.057] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="desktop.ini") returned 1 [0094.057] lstrlenW (lpString="desktop.ini") returned 11 [0094.057] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\*.*") returned="\\\\?\\C:\\Users\\Public\\Videos\\*.*" [0094.057] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Videos\\*.*") returned 30 [0094.057] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini" [0094.057] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini" [0094.057] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" [0094.057] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini" (normalized: "c:\\users\\public\\videos\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\public\\videos\\desktop.ini id-br3n0g72wub8cejt.lyas")) returned 1 [0094.544] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\public\\videos\\desktop.ini id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4cc [0094.544] CreateFileMappingA (hFile=0x4cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x464 [0094.544] CryptAcquireContextA (in: phProv=0x1735fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1735fce4*=0x1083cb08) returned 1 [0095.249] CryptGenKey (in: hProv=0x1083cb08, Algid=0x6610, dwFlags=0x1, phKey=0x1735fce0 | out: phKey=0x1735fce0*=0x5c89d0) returned 1 [0095.249] CryptExportKey (in: hKey=0x5c89d0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1735fbdc, pdwDataLen=0x1735fcdc | out: pbData=0x1735fbdc*, pdwDataLen=0x1735fcdc*=0x2c) returned 1 [0095.249] MapViewOfFile (hFileMappingObject=0x464, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x160) returned 0x4dd0000 [0095.253] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1735fbdc*, pdwDataLen=0x1735fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1735fbdc*, pdwDataLen=0x1735fcf0*=0x100) returned 1 [0095.254] CryptEncrypt (in: hKey=0x5c89d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4dd0000*, pdwDataLen=0x1735fcdc*=0x160, dwBufLen=0x160 | out: pbData=0x4dd0000*, pdwDataLen=0x1735fcdc*=0x160) returned 1 [0095.254] UnmapViewOfFile (lpBaseAddress=0x4dd0000) returned 1 [0095.254] CloseHandle (hObject=0x464) returned 1 [0095.255] CryptDestroyKey (hKey=0x5c89d0) returned 1 [0095.255] CryptReleaseContext (hProv=0x1083cb08, dwFlags=0x0) returned 1 [0095.255] SetFilePointerEx (in: hFile=0x4cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.255] WriteFile (in: hFile=0x4cc, lpBuffer=0x1735fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1735fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1735fbdc*, lpNumberOfBytesWritten=0x1735fcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.256] WriteFile (in: hFile=0x4cc, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1735fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1735fcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.259] CloseHandle (hObject=0x4cc) returned 1 [0095.263] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0095.264] FindNextFileW (in: hFindFile=0x10804d48, lpFindFileData=0x1735fd28 | out: lpFindFileData=0x1735fd28) returned 0 [0095.264] FindClose (in: hFindFile=0x10804d48 | out: hFindFile=0x10804d48) returned 1 Thread: id = 310 os_tid = 0xc94 [0091.912] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*", lpFindFileData=0x1749fd28 | out: lpFindFileData=0x1749fd28) returned 0x10805088 [0091.957] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.957] FindNextFileW (in: hFindFile=0x10805088, lpFindFileData=0x1749fd28 | out: lpFindFileData=0x1749fd28) returned 1 [0091.957] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.957] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.957] FindNextFileW (in: hFindFile=0x10805088, lpFindFileData=0x1749fd28 | out: lpFindFileData=0x1749fd28) returned 1 [0091.957] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0091.957] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0091.957] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0091.957] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0091.957] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0091.957] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US" [0091.957] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\*.*" [0091.957] GlobalMemoryStatus (in: lpBuffer=0x1749fd08 | out: lpBuffer=0x1749fd08) [0091.958] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8b00bb8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x498 [0091.958] CloseHandle (hObject=0x498) returned 1 [0091.958] FindNextFileW (in: hFindFile=0x10805088, lpFindFileData=0x1749fd28 | out: lpFindFileData=0x1749fd28) returned 1 [0091.958] lstrcpyW (in: lpString1=0x8b18c20, lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0091.958] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0091.958] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\How To Restore Files.hta" [0091.958] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\How To Restore Files.hta" (normalized: "c:\\program files\\windows nt\\tabletextservice\\how to restore files.hta")) returned 0xffffffff [0091.959] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\How To Restore Files.hta" (normalized: "c:\\program files\\windows nt\\tabletextservice\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x588 [0093.282] WriteFile (in: hFile=0x588, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1749fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1749fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0093.283] CloseHandle (hObject=0x588) returned 1 [0093.284] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.105] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="TableTextService.dll") returned -1 [0094.105] lstrlenW (lpString="TableTextService.dll") returned 20 [0094.105] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0094.105] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0094.105] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="TableTextService.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" [0094.105] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" [0094.105] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll id-Br3n0G72wUb8CejT.LyaS" [0094.105] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0094.109] FindNextFileW (in: hFindFile=0x10805088, lpFindFileData=0x1749fd28 | out: lpFindFileData=0x1749fd28) returned 1 [0094.109] lstrcpyW (in: lpString1=0x9041e78, lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0094.109] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0094.109] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\How To Restore Files.hta" [0094.109] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\How To Restore Files.hta" (normalized: "c:\\program files\\windows nt\\tabletextservice\\how to restore files.hta")) returned 0x1 [0094.109] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="TableTextServiceAmharic.txt") returned -1 [0094.109] lstrlenW (lpString="TableTextServiceAmharic.txt") returned 27 [0094.109] lstrcmpiW (lpString1=".LyaS", lpString2="c.txt") returned -1 [0094.109] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0094.109] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0094.109] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="TableTextServiceAmharic.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt" [0094.109] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt" [0094.109] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt id-Br3n0G72wUb8CejT.LyaS" [0094.109] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextserviceamharic.txt"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextserviceamharic.txt id-br3n0g72wub8cejt.lyas")) returned 0 [0094.110] FindNextFileW (in: hFindFile=0x10805088, lpFindFileData=0x1749fd28 | out: lpFindFileData=0x1749fd28) returned 1 [0094.110] lstrcpyW (in: lpString1=0x9041e78, lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0094.110] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0094.110] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\How To Restore Files.hta" [0094.110] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\How To Restore Files.hta" (normalized: "c:\\program files\\windows nt\\tabletextservice\\how to restore files.hta")) returned 0x1 [0094.110] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="TableTextServiceArray.txt") returned -1 [0094.110] lstrlenW (lpString="TableTextServiceArray.txt") returned 25 [0094.110] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0094.110] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0094.110] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="TableTextServiceArray.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceArray.txt") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceArray.txt" [0094.110] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceArray.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceArray.txt") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceArray.txt" [0094.110] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceArray.txt", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceArray.txt id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceArray.txt id-Br3n0G72wUb8CejT.LyaS" [0094.110] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceArray.txt" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservicearray.txt"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceArray.txt id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservicearray.txt id-br3n0g72wub8cejt.lyas")) returned 0 [0094.111] FindNextFileW (in: hFindFile=0x10805088, lpFindFileData=0x1749fd28 | out: lpFindFileData=0x1749fd28) returned 1 [0094.111] lstrcpyW (in: lpString1=0x9041e78, lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0094.111] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0094.111] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\How To Restore Files.hta" [0094.111] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\How To Restore Files.hta" (normalized: "c:\\program files\\windows nt\\tabletextservice\\how to restore files.hta")) returned 0x1 [0094.111] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="TableTextServiceDaYi.txt") returned -1 [0094.111] lstrlenW (lpString="TableTextServiceDaYi.txt") returned 24 [0094.111] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0094.111] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0094.111] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="TableTextServiceDaYi.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt" [0094.111] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt" [0094.111] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt id-Br3n0G72wUb8CejT.LyaS" [0094.111] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservicedayi.txt"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservicedayi.txt id-br3n0g72wub8cejt.lyas")) returned 0 [0094.113] FindNextFileW (in: hFindFile=0x10805088, lpFindFileData=0x1749fd28 | out: lpFindFileData=0x1749fd28) returned 1 [0094.114] lstrcpyW (in: lpString1=0x9041e78, lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0094.114] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0094.114] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\How To Restore Files.hta" [0094.114] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\How To Restore Files.hta" (normalized: "c:\\program files\\windows nt\\tabletextservice\\how to restore files.hta")) returned 0x1 [0094.114] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="TableTextServiceTigrinya.txt") returned -1 [0094.114] lstrlenW (lpString="TableTextServiceTigrinya.txt") returned 28 [0094.114] lstrcmpiW (lpString1=".LyaS", lpString2="a.txt") returned -1 [0094.114] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0094.114] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0094.114] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="TableTextServiceTigrinya.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceTigrinya.txt") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceTigrinya.txt" [0094.114] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceTigrinya.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceTigrinya.txt") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceTigrinya.txt" [0094.114] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceTigrinya.txt", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceTigrinya.txt id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceTigrinya.txt id-Br3n0G72wUb8CejT.LyaS" [0094.114] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceTigrinya.txt" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservicetigrinya.txt"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceTigrinya.txt id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservicetigrinya.txt id-br3n0g72wub8cejt.lyas")) returned 0 [0094.115] FindNextFileW (in: hFindFile=0x10805088, lpFindFileData=0x1749fd28 | out: lpFindFileData=0x1749fd28) returned 1 [0094.115] lstrcpyW (in: lpString1=0x9041e78, lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0094.115] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0094.115] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\How To Restore Files.hta" [0094.115] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\How To Restore Files.hta" (normalized: "c:\\program files\\windows nt\\tabletextservice\\how to restore files.hta")) returned 0x1 [0094.115] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="TableTextServiceYi.txt") returned -1 [0094.115] lstrlenW (lpString="TableTextServiceYi.txt") returned 22 [0094.115] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0094.115] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0094.115] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="TableTextServiceYi.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceYi.txt") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceYi.txt" [0094.115] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceYi.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceYi.txt") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceYi.txt" [0094.115] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceYi.txt", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceYi.txt id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceYi.txt id-Br3n0G72wUb8CejT.LyaS" [0094.115] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceYi.txt" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextserviceyi.txt"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceYi.txt id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextserviceyi.txt id-br3n0g72wub8cejt.lyas")) returned 0 [0094.115] FindNextFileW (in: hFindFile=0x10805088, lpFindFileData=0x1749fd28 | out: lpFindFileData=0x1749fd28) returned 0 [0094.116] FindClose (in: hFindFile=0x10805088 | out: hFindFile=0x10805088) returned 1 Thread: id = 311 os_tid = 0xacc [0091.914] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*", lpFindFileData=0x175dfd28 | out: lpFindFileData=0x175dfd28) returned 0x108050c8 [0091.963] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.963] FindNextFileW (in: hFindFile=0x108050c8, lpFindFileData=0x175dfd28 | out: lpFindFileData=0x175dfd28) returned 1 [0091.963] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.963] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.963] FindNextFileW (in: hFindFile=0x108050c8, lpFindFileData=0x175dfd28 | out: lpFindFileData=0x175dfd28) returned 1 [0091.963] lstrcpyW (in: lpString1=0x9041e78, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0091.963] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0091.963] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta" [0091.963] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\templates\\how to restore files.hta")) returned 0xffffffff [0091.963] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\templates\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x588 [0093.284] WriteFile (in: hFile=0x588, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x175dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x175dfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0093.285] CloseHandle (hObject=0x588) returned 1 [0093.286] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.102] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="blank.jtp") returned 1 [0094.102] lstrlenW (lpString="blank.jtp") returned 9 [0094.102] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0094.102] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0094.102] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="blank.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\blank.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\blank.jtp" [0094.102] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\blank.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\blank.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\blank.jtp" [0094.102] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\blank.jtp", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\blank.jtp id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\blank.jtp id-Br3n0G72wUb8CejT.LyaS" [0094.102] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\blank.jtp" (normalized: "c:\\program files\\windows journal\\templates\\blank.jtp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\blank.jtp id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\templates\\blank.jtp id-br3n0g72wub8cejt.lyas")) returned 0 [0094.133] FindNextFileW (in: hFindFile=0x108050c8, lpFindFileData=0x175dfd28 | out: lpFindFileData=0x175dfd28) returned 1 [0094.133] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0094.133] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0094.133] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta" [0094.134] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\templates\\how to restore files.hta")) returned 0x1 [0094.135] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Dotted_Line.jtp") returned 1 [0094.135] lstrlenW (lpString="Dotted_Line.jtp") returned 15 [0094.135] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0094.135] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0094.135] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Dotted_Line.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Dotted_Line.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Dotted_Line.jtp" [0094.136] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Dotted_Line.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Dotted_Line.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Dotted_Line.jtp" [0094.136] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Dotted_Line.jtp", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Dotted_Line.jtp id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Dotted_Line.jtp id-Br3n0G72wUb8CejT.LyaS" [0094.136] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Dotted_Line.jtp" (normalized: "c:\\program files\\windows journal\\templates\\dotted_line.jtp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Dotted_Line.jtp id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\templates\\dotted_line.jtp id-br3n0g72wub8cejt.lyas")) returned 0 [0094.136] FindNextFileW (in: hFindFile=0x108050c8, lpFindFileData=0x175dfd28 | out: lpFindFileData=0x175dfd28) returned 1 [0094.136] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0094.136] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0094.136] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta" [0094.136] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\templates\\how to restore files.hta")) returned 0x1 [0094.136] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Genko_1.jtp") returned 1 [0094.136] lstrlenW (lpString="Genko_1.jtp") returned 11 [0094.136] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0094.136] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0094.137] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Genko_1.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_1.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_1.jtp" [0094.137] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_1.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_1.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_1.jtp" [0094.137] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_1.jtp", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_1.jtp id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_1.jtp id-Br3n0G72wUb8CejT.LyaS" [0094.137] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_1.jtp" (normalized: "c:\\program files\\windows journal\\templates\\genko_1.jtp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_1.jtp id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\templates\\genko_1.jtp id-br3n0g72wub8cejt.lyas")) returned 0 [0094.139] FindNextFileW (in: hFindFile=0x108050c8, lpFindFileData=0x175dfd28 | out: lpFindFileData=0x175dfd28) returned 1 [0094.139] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0094.139] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0094.139] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta" [0094.139] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\templates\\how to restore files.hta")) returned 0x1 [0094.139] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Genko_2.jtp") returned 1 [0094.139] lstrlenW (lpString="Genko_2.jtp") returned 11 [0094.139] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0094.139] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0094.139] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Genko_2.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_2.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_2.jtp" [0094.139] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_2.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_2.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_2.jtp" [0094.139] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_2.jtp", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_2.jtp id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_2.jtp id-Br3n0G72wUb8CejT.LyaS" [0094.139] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_2.jtp" (normalized: "c:\\program files\\windows journal\\templates\\genko_2.jtp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_2.jtp id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\templates\\genko_2.jtp id-br3n0g72wub8cejt.lyas")) returned 0 [0094.140] FindNextFileW (in: hFindFile=0x108050c8, lpFindFileData=0x175dfd28 | out: lpFindFileData=0x175dfd28) returned 1 [0094.140] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0094.140] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0094.140] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta" [0094.140] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\templates\\how to restore files.hta")) returned 0x1 [0094.140] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Graph.jtp") returned 1 [0094.140] lstrlenW (lpString="Graph.jtp") returned 9 [0094.140] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0094.140] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0094.140] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Graph.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Graph.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Graph.jtp" [0094.140] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Graph.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Graph.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Graph.jtp" [0094.140] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Graph.jtp", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Graph.jtp id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Graph.jtp id-Br3n0G72wUb8CejT.LyaS" [0094.140] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Graph.jtp" (normalized: "c:\\program files\\windows journal\\templates\\graph.jtp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Graph.jtp id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\templates\\graph.jtp id-br3n0g72wub8cejt.lyas")) returned 0 [0094.141] FindNextFileW (in: hFindFile=0x108050c8, lpFindFileData=0x175dfd28 | out: lpFindFileData=0x175dfd28) returned 1 [0094.141] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0094.141] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0094.141] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta" [0094.141] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\templates\\how to restore files.hta")) returned 0x1 [0094.141] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Memo.jtp") returned -1 [0094.141] lstrlenW (lpString="Memo.jtp") returned 8 [0094.141] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0094.141] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0094.141] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Memo.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Memo.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Memo.jtp" [0094.141] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Memo.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Memo.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Memo.jtp" [0094.141] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Memo.jtp", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Memo.jtp id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Memo.jtp id-Br3n0G72wUb8CejT.LyaS" [0094.141] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Memo.jtp" (normalized: "c:\\program files\\windows journal\\templates\\memo.jtp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Memo.jtp id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\templates\\memo.jtp id-br3n0g72wub8cejt.lyas")) returned 0 [0094.142] FindNextFileW (in: hFindFile=0x108050c8, lpFindFileData=0x175dfd28 | out: lpFindFileData=0x175dfd28) returned 1 [0094.142] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0094.142] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0094.142] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta" [0094.142] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\templates\\how to restore files.hta")) returned 0x1 [0094.142] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Month_Calendar.jtp") returned -1 [0094.142] lstrlenW (lpString="Month_Calendar.jtp") returned 18 [0094.142] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0094.142] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0094.142] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Month_Calendar.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Month_Calendar.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Month_Calendar.jtp" [0094.142] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Month_Calendar.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Month_Calendar.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Month_Calendar.jtp" [0094.142] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Month_Calendar.jtp", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Month_Calendar.jtp id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Month_Calendar.jtp id-Br3n0G72wUb8CejT.LyaS" [0094.142] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Month_Calendar.jtp" (normalized: "c:\\program files\\windows journal\\templates\\month_calendar.jtp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Month_Calendar.jtp id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\templates\\month_calendar.jtp id-br3n0g72wub8cejt.lyas")) returned 0 [0094.142] FindNextFileW (in: hFindFile=0x108050c8, lpFindFileData=0x175dfd28 | out: lpFindFileData=0x175dfd28) returned 1 [0094.142] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0094.142] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0094.142] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta" [0094.143] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\templates\\how to restore files.hta")) returned 0x1 [0094.143] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Music.jtp") returned -1 [0094.143] lstrlenW (lpString="Music.jtp") returned 9 [0094.143] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0094.143] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0094.143] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Music.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Music.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Music.jtp" [0094.143] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Music.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Music.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Music.jtp" [0094.143] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Music.jtp", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Music.jtp id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Music.jtp id-Br3n0G72wUb8CejT.LyaS" [0094.143] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Music.jtp" (normalized: "c:\\program files\\windows journal\\templates\\music.jtp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Music.jtp id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\templates\\music.jtp id-br3n0g72wub8cejt.lyas")) returned 0 [0094.143] FindNextFileW (in: hFindFile=0x108050c8, lpFindFileData=0x175dfd28 | out: lpFindFileData=0x175dfd28) returned 1 [0094.143] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0094.143] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0094.143] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta" [0094.143] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\templates\\how to restore files.hta")) returned 0x1 [0094.143] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Seyes.jtp") returned -1 [0094.144] lstrlenW (lpString="Seyes.jtp") returned 9 [0094.144] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0094.144] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0094.144] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Seyes.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Seyes.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Seyes.jtp" [0094.144] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Seyes.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Seyes.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Seyes.jtp" [0094.144] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Seyes.jtp", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Seyes.jtp id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Seyes.jtp id-Br3n0G72wUb8CejT.LyaS" [0094.144] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Seyes.jtp" (normalized: "c:\\program files\\windows journal\\templates\\seyes.jtp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Seyes.jtp id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\templates\\seyes.jtp id-br3n0g72wub8cejt.lyas")) returned 0 [0094.144] FindNextFileW (in: hFindFile=0x108050c8, lpFindFileData=0x175dfd28 | out: lpFindFileData=0x175dfd28) returned 1 [0094.144] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0094.144] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0094.144] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta" [0094.144] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\templates\\how to restore files.hta")) returned 0x1 [0094.144] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Shorthand.jtp") returned -1 [0094.144] lstrlenW (lpString="Shorthand.jtp") returned 13 [0094.144] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0094.144] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0094.144] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Shorthand.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Shorthand.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Shorthand.jtp" [0094.144] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Shorthand.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Shorthand.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Shorthand.jtp" [0094.145] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Shorthand.jtp", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Shorthand.jtp id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Shorthand.jtp id-Br3n0G72wUb8CejT.LyaS" [0094.145] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Shorthand.jtp" (normalized: "c:\\program files\\windows journal\\templates\\shorthand.jtp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Shorthand.jtp id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\templates\\shorthand.jtp id-br3n0g72wub8cejt.lyas")) returned 0 [0094.145] FindNextFileW (in: hFindFile=0x108050c8, lpFindFileData=0x175dfd28 | out: lpFindFileData=0x175dfd28) returned 1 [0094.145] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0094.145] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0094.145] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta" [0094.145] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\How To Restore Files.hta" (normalized: "c:\\program files\\windows journal\\templates\\how to restore files.hta")) returned 0x1 [0094.145] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="To_Do_List.jtp") returned -1 [0094.145] lstrlenW (lpString="To_Do_List.jtp") returned 14 [0094.145] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0094.145] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0094.145] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="To_Do_List.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\To_Do_List.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\To_Do_List.jtp" [0094.145] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\To_Do_List.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\To_Do_List.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\To_Do_List.jtp" [0094.145] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\To_Do_List.jtp", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\To_Do_List.jtp id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\To_Do_List.jtp id-Br3n0G72wUb8CejT.LyaS" [0094.146] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\To_Do_List.jtp" (normalized: "c:\\program files\\windows journal\\templates\\to_do_list.jtp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\To_Do_List.jtp id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows journal\\templates\\to_do_list.jtp id-br3n0g72wub8cejt.lyas")) returned 0 [0094.146] FindNextFileW (in: hFindFile=0x108050c8, lpFindFileData=0x175dfd28 | out: lpFindFileData=0x175dfd28) returned 0 [0094.146] FindClose (in: hFindFile=0x108050c8 | out: hFindFile=0x108050c8) returned 1 Thread: id = 312 os_tid = 0x808 [0091.916] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.7.1.0_x64__8wekyb3d8bbwe\\*.*", lpFindFileData=0x16bdfd28 | out: lpFindFileData=0x16bdfd28) returned 0x10805788 [0091.916] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.916] FindNextFileW (in: hFindFile=0x10805788, lpFindFileData=0x16bdfd28 | out: lpFindFileData=0x16bdfd28) returned 1 [0091.917] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.917] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.917] FindNextFileW (in: hFindFile=0x10805788, lpFindFileData=0x16bdfd28 | out: lpFindFileData=0x16bdfd28) returned 1 [0091.917] lstrcpyW (in: lpString1=0x3e10348, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.7.1.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.7.1.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.7.1.0_x64__8wekyb3d8bbwe\\*.*" [0091.917] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.7.1.0_x64__8wekyb3d8bbwe\\*.*") returned 89 [0091.917] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.7.1.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.7.1.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.7.1.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0091.917] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.7.1.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsstore_2015.7.1.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0091.917] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.7.1.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsstore_2015.7.1.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.351] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x16bdfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x16bdfcf0, lpOverlapped=0x0) returned 0 [0094.351] CloseHandle (hObject=0xffffffff) returned 1 [0094.351] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.7.1.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 Thread: id = 313 os_tid = 0xc88 [0091.918] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\*.*", lpFindFileData=0x1771fd28 | out: lpFindFileData=0x1771fd28) returned 0x2c9f148 [0093.418] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.418] FindNextFileW (in: hFindFile=0x2c9f148, lpFindFileData=0x1771fd28 | out: lpFindFileData=0x1771fd28) returned 1 [0093.727] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.727] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.727] FindNextFileW (in: hFindFile=0x2c9f148, lpFindFileData=0x1771fd28 | out: lpFindFileData=0x1771fd28) returned 1 [0093.727] lstrcpyW (in: lpString1=0x20fd8540, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\*.*" [0093.728] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 97 [0093.728] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0093.728] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsstore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.728] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsstore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0095.841] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1771fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1771fcf0, lpOverlapped=0x0) returned 0 [0095.841] CloseHandle (hObject=0xffffffff) returned 1 [0095.841] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.842] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.842] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.842] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.842] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 97 [0095.842] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.842] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.842] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.842] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsstore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowsstore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0095.971] FindNextFileW (in: hFindFile=0x2c9f148, lpFindFileData=0x1771fd28 | out: lpFindFileData=0x1771fd28) returned 1 [0095.971] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0095.971] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0095.971] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 Thread: id = 314 os_tid = 0x3dc [0091.918] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*", lpFindFileData=0x1785fd28 | out: lpFindFileData=0x1785fd28) returned 0x2c9ef48 [0093.403] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.403] FindNextFileW (in: hFindFile=0x2c9ef48, lpFindFileData=0x1785fd28 | out: lpFindFileData=0x1785fd28) returned 1 [0093.403] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.403] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.403] FindNextFileW (in: hFindFile=0x2c9ef48, lpFindFileData=0x1785fd28 | out: lpFindFileData=0x1785fd28) returned 1 [0093.781] lstrcpyW (in: lpString1=0x210885a8, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*" [0093.781] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 93 [0093.781] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0093.781] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.xboxapp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.781] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.xboxapp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0095.760] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1785fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1785fcf0, lpOverlapped=0x0) returned 0 [0095.760] CloseHandle (hObject=0xffffffff) returned 1 [0095.760] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.763] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.763] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.763] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.763] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 93 [0095.764] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.764] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.764] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.764] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.xboxapp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.xboxapp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0096.378] FindNextFileW (in: hFindFile=0x2c9ef48, lpFindFileData=0x1785fd28 | out: lpFindFileData=0x1785fd28) returned 1 [0096.378] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0096.378] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0096.379] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 [0097.118] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.118] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 93 [0097.118] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxMetadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata" [0097.118] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0097.118] GlobalMemoryStatus (in: lpBuffer=0x1785fd08 | out: lpBuffer=0x1785fd08) [0097.118] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10a710d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x51c [0097.119] CloseHandle (hObject=0x51c) returned 1 [0097.119] FindNextFileW (in: hFindFile=0x2c9ef48, lpFindFileData=0x1785fd28 | out: lpFindFileData=0x1785fd28) returned 1 [0097.119] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.119] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 93 [0097.119] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0097.119] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.xboxapp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.119] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.xboxapp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.120] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1785fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1785fcf0, lpOverlapped=0x0) returned 0 [0097.120] CloseHandle (hObject=0xffffffff) returned 1 [0097.120] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.120] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxSignature.p7x") returned 1 [0097.120] lstrlenW (lpString="AppxSignature.p7x") returned 17 [0097.120] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.120] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 93 [0097.120] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" [0097.120] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" [0097.121] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" [0097.121] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" (normalized: "c:\\program files\\windowsapps\\microsoft.xboxapp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\appxsignature.p7x"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.xboxapp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\appxsignature.p7x id-br3n0g72wub8cejt.lyas")) returned 0 [0097.123] FindNextFileW (in: hFindFile=0x2c9ef48, lpFindFileData=0x1785fd28 | out: lpFindFileData=0x1785fd28) returned 1 [0097.123] lstrcmpW (lpString1=".", lpString2="microsoft.system.package.metadata") returned -1 [0097.123] lstrcmpW (lpString1="..", lpString2="microsoft.system.package.metadata") returned -1 [0097.123] lstrcmpiW (lpString1="windows", lpString2="microsoft.system.package.metadata") returned 1 [0097.123] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.123] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 93 [0097.123] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\", lpString2="microsoft.system.package.metadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata" [0097.123] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*" [0097.123] GlobalMemoryStatus (in: lpBuffer=0x1785fd08 | out: lpBuffer=0x1785fd08) [0097.123] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3df0328, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x51c [0097.124] CloseHandle (hObject=0x51c) returned 1 [0097.124] FindNextFileW (in: hFindFile=0x2c9ef48, lpFindFileData=0x1785fd28 | out: lpFindFileData=0x1785fd28) returned 0 [0097.124] FindClose (in: hFindFile=0x2c9ef48 | out: hFindFile=0x2c9ef48) returned 1 Thread: id = 315 os_tid = 0x88c [0091.919] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_5.6.17000.0_x64__8wekyb3d8bbwe\\*.*", lpFindFileData=0x1799fd28 | out: lpFindFileData=0x1799fd28) returned 0x10805688 [0091.919] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.919] FindNextFileW (in: hFindFile=0x10805688, lpFindFileData=0x1799fd28 | out: lpFindFileData=0x1799fd28) returned 1 [0091.919] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.919] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.919] FindNextFileW (in: hFindFile=0x10805688, lpFindFileData=0x1799fd28 | out: lpFindFileData=0x1799fd28) returned 1 [0091.920] lstrcpyW (in: lpString1=0x5d78fe0, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_5.6.17000.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_5.6.17000.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_5.6.17000.0_x64__8wekyb3d8bbwe\\*.*" [0091.920] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_5.6.17000.0_x64__8wekyb3d8bbwe\\*.*") returned 85 [0091.920] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_5.6.17000.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_5.6.17000.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_5.6.17000.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0091.920] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_5.6.17000.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.xboxapp_5.6.17000.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0091.920] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_5.6.17000.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.xboxapp_5.6.17000.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.351] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1799fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1799fcf0, lpOverlapped=0x0) returned 0 [0094.351] CloseHandle (hObject=0xffffffff) returned 1 [0094.351] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_5.6.17000.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 Thread: id = 316 os_tid = 0x798 [0091.920] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*", lpFindFileData=0x17adfd28 | out: lpFindFileData=0x17adfd28) returned 0x2c9f1c8 [0093.420] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.420] FindNextFileW (in: hFindFile=0x2c9f1c8, lpFindFileData=0x17adfd28 | out: lpFindFileData=0x17adfd28) returned 1 [0093.689] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.689] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.689] FindNextFileW (in: hFindFile=0x2c9f1c8, lpFindFileData=0x17adfd28 | out: lpFindFileData=0x17adfd28) returned 1 [0093.693] lstrcpyW (in: lpString1=0x20f38500, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*" [0093.693] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 95 [0093.694] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0093.694] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunemusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.694] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunemusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0095.849] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x17adfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17adfcf0, lpOverlapped=0x0) returned 0 [0095.849] CloseHandle (hObject=0xffffffff) returned 1 [0095.850] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.850] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.850] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.850] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.850] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 95 [0095.850] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.850] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.850] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.850] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.zunemusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.zunemusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0095.920] FindNextFileW (in: hFindFile=0x2c9f1c8, lpFindFileData=0x17adfd28 | out: lpFindFileData=0x17adfd28) returned 1 [0095.920] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0095.920] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0095.920] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 [0096.972] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*" [0096.972] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 95 [0096.972] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxMetadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata" [0096.972] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0096.972] GlobalMemoryStatus (in: lpBuffer=0x17adfd08 | out: lpBuffer=0x17adfd08) [0096.972] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8a60938, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x324 [0096.973] CloseHandle (hObject=0x324) returned 1 [0096.973] FindNextFileW (in: hFindFile=0x2c9f1c8, lpFindFileData=0x17adfd28 | out: lpFindFileData=0x17adfd28) returned 1 [0096.977] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*" [0096.977] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 95 [0096.977] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0096.977] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunemusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0096.977] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunemusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0096.978] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x17adfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17adfcf0, lpOverlapped=0x0) returned 0 [0096.978] CloseHandle (hObject=0xffffffff) returned 1 [0096.978] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0096.979] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxSignature.p7x") returned 1 [0096.979] lstrlenW (lpString="AppxSignature.p7x") returned 17 [0096.979] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*" [0096.979] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 95 [0096.979] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" [0096.979] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" [0096.979] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" [0096.979] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" (normalized: "c:\\program files\\windowsapps\\microsoft.zunemusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\appxsignature.p7x"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.zunemusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\appxsignature.p7x id-br3n0g72wub8cejt.lyas")) returned 0 [0097.354] FindNextFileW (in: hFindFile=0x2c9f1c8, lpFindFileData=0x17adfd28 | out: lpFindFileData=0x17adfd28) returned 1 [0097.354] lstrcmpW (lpString1=".", lpString2="microsoft.system.package.metadata") returned -1 [0097.354] lstrcmpW (lpString1="..", lpString2="microsoft.system.package.metadata") returned -1 [0097.354] lstrcmpiW (lpString1="windows", lpString2="microsoft.system.package.metadata") returned 1 [0097.359] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*" [0097.359] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 95 [0097.359] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\", lpString2="microsoft.system.package.metadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata" [0097.359] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*" [0097.359] GlobalMemoryStatus (in: lpBuffer=0x17adfd08 | out: lpBuffer=0x17adfd08) [0097.359] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21589a98, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0097.360] CloseHandle (hObject=0x430) returned 1 [0097.360] FindNextFileW (in: hFindFile=0x2c9f1c8, lpFindFileData=0x17adfd28 | out: lpFindFileData=0x17adfd28) returned 0 [0097.360] FindClose (in: hFindFile=0x2c9f1c8 | out: hFindFile=0x2c9f1c8) returned 1 Thread: id = 317 os_tid = 0x81c [0091.920] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*", lpFindFileData=0x17c1fd28 | out: lpFindFileData=0x17c1fd28) returned 0x10804a08 [0091.983] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.983] FindNextFileW (in: hFindFile=0x10804a08, lpFindFileData=0x17c1fd28 | out: lpFindFileData=0x17c1fd28) returned 1 [0091.983] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.983] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.983] FindNextFileW (in: hFindFile=0x10804a08, lpFindFileData=0x17c1fd28 | out: lpFindFileData=0x17c1fd28) returned 1 [0091.983] lstrcpyW (in: lpString1=0x10d9de50, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*" [0091.983] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*") returned 110 [0091.983] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta" [0091.983] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunemusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0091.983] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunemusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.346] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x17c1fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17c1fcf0, lpOverlapped=0x0) returned 0 [0094.346] CloseHandle (hObject=0xffffffff) returned 1 [0094.346] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 Thread: id = 318 os_tid = 0x550 [0091.921] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_x64__8wekyb3d8bbwe\\*.*", lpFindFileData=0x17d5fd28 | out: lpFindFileData=0x17d5fd28) returned 0x10804bc8 [0092.004] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.004] FindNextFileW (in: hFindFile=0x10804bc8, lpFindFileData=0x17d5fd28 | out: lpFindFileData=0x17d5fd28) returned 1 [0092.004] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.004] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.004] FindNextFileW (in: hFindFile=0x10804bc8, lpFindFileData=0x17d5fd28 | out: lpFindFileData=0x17d5fd28) returned 1 [0092.004] lstrcpyW (in: lpString1=0x8b48ca0, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_x64__8wekyb3d8bbwe\\*.*" [0092.004] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_x64__8wekyb3d8bbwe\\*.*") returned 87 [0092.004] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0092.004] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunemusic_3.6.10841.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0092.004] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunemusic_3.6.10841.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.346] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x17d5fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17d5fcf0, lpOverlapped=0x0) returned 0 [0094.346] CloseHandle (hObject=0xffffffff) returned 1 [0094.347] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_3.6.10841.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 Thread: id = 319 os_tid = 0x554 [0091.921] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*", lpFindFileData=0x17e9fd28 | out: lpFindFileData=0x17e9fd28) returned 0x2c9f208 [0093.420] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.420] FindNextFileW (in: hFindFile=0x2c9f208, lpFindFileData=0x17e9fd28 | out: lpFindFileData=0x17e9fd28) returned 1 [0093.684] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.684] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.684] FindNextFileW (in: hFindFile=0x2c9f208, lpFindFileData=0x17e9fd28 | out: lpFindFileData=0x17e9fd28) returned 1 [0093.684] lstrcpyW (in: lpString1=0x20f104f0, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*" [0093.684] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 95 [0093.684] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0093.684] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0093.685] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0095.852] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x17e9fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17e9fcf0, lpOverlapped=0x0) returned 0 [0095.852] CloseHandle (hObject=0xffffffff) returned 1 [0095.852] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.852] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.852] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.852] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.852] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 95 [0095.852] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.852] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.852] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.852] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0095.860] FindNextFileW (in: hFindFile=0x2c9f208, lpFindFileData=0x17e9fd28 | out: lpFindFileData=0x17e9fd28) returned 1 [0095.860] lstrcmpW (lpString1=".", lpString2="AppxMetadata") returned -1 [0095.860] lstrcmpW (lpString1="..", lpString2="AppxMetadata") returned -1 [0095.860] lstrcmpiW (lpString1="windows", lpString2="AppxMetadata") returned 1 [0095.860] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.860] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 95 [0095.860] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxMetadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata" [0095.860] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0095.860] GlobalMemoryStatus (in: lpBuffer=0x17e9fd08 | out: lpBuffer=0x17e9fd08) [0095.860] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3d40048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5c0 [0095.861] CloseHandle (hObject=0x5c0) returned 1 [0095.861] FindNextFileW (in: hFindFile=0x2c9f208, lpFindFileData=0x17e9fd28 | out: lpFindFileData=0x17e9fd28) returned 1 [0095.861] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.861] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 95 [0095.861] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" [0095.861] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0095.862] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0095.862] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x17e9fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17e9fcf0, lpOverlapped=0x0) returned 0 [0095.862] CloseHandle (hObject=0xffffffff) returned 1 [0095.862] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.863] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxSignature.p7x") returned 1 [0095.863] lstrlenW (lpString="AppxSignature.p7x") returned 17 [0095.863] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.863] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 95 [0095.863] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\", lpString2="AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" [0095.863] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" [0095.863] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" [0095.863] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\appxsignature.p7x"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\appxsignature.p7x id-br3n0g72wub8cejt.lyas")) returned 0 [0095.863] FindNextFileW (in: hFindFile=0x2c9f208, lpFindFileData=0x17e9fd28 | out: lpFindFileData=0x17e9fd28) returned 1 [0095.863] lstrcmpW (lpString1=".", lpString2="microsoft.system.package.metadata") returned -1 [0095.863] lstrcmpW (lpString1="..", lpString2="microsoft.system.package.metadata") returned -1 [0095.863] lstrcmpiW (lpString1="windows", lpString2="microsoft.system.package.metadata") returned 1 [0095.863] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*" [0095.864] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\*.*") returned 95 [0095.864] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\", lpString2="microsoft.system.package.metadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata" [0095.864] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*" [0095.864] GlobalMemoryStatus (in: lpBuffer=0x17e9fd08 | out: lpBuffer=0x17e9fd08) [0095.864] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10e36118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5c0 [0095.865] CloseHandle (hObject=0x5c0) returned 1 [0095.865] FindNextFileW (in: hFindFile=0x2c9f208, lpFindFileData=0x17e9fd28 | out: lpFindFileData=0x17e9fd28) returned 0 [0095.865] FindClose (in: hFindFile=0x2c9f208 | out: hFindFile=0x2c9f208) returned 1 Thread: id = 320 os_tid = 0x77c [0091.922] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*", lpFindFileData=0x17fdfd28 | out: lpFindFileData=0x17fdfd28) returned 0x2c9e748 [0093.278] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.278] FindNextFileW (in: hFindFile=0x2c9e748, lpFindFileData=0x17fdfd28 | out: lpFindFileData=0x17fdfd28) returned 1 [0093.278] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.278] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.278] FindNextFileW (in: hFindFile=0x2c9e748, lpFindFileData=0x17fdfd28 | out: lpFindFileData=0x17fdfd28) returned 1 [0094.120] lstrcpyW (in: lpString1=0x9041e78, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*" [0094.120] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*") returned 110 [0094.120] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta" [0094.120] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0094.120] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.361] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x17fdfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17fdfcf0, lpOverlapped=0x0) returned 0 [0094.361] CloseHandle (hObject=0xffffffff) returned 1 [0094.361] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0095.759] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBlockMap.xml") returned 1 [0095.759] lstrlenW (lpString="AppxBlockMap.xml") returned 16 [0095.759] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*" [0095.759] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*") returned 110 [0095.759] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\", lpString2="AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.759] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxBlockMap.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxBlockMap.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxBlockMap.xml" [0095.759] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxBlockMap.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" [0095.759] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxBlockMap.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\appxblockmap.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxBlockMap.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\appxblockmap.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0096.376] FindNextFileW (in: hFindFile=0x2c9e748, lpFindFileData=0x17fdfd28 | out: lpFindFileData=0x17fdfd28) returned 1 [0097.145] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*" [0097.145] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*") returned 110 [0097.145] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta" [0097.145] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.145] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.146] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x17fdfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17fdfcf0, lpOverlapped=0x0) returned 0 [0097.146] CloseHandle (hObject=0xffffffff) returned 1 [0097.146] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.146] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxManifest.xml") returned 1 [0097.146] lstrlenW (lpString="AppxManifest.xml") returned 16 [0097.146] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*" [0097.147] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*") returned 110 [0097.147] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\", lpString2="AppxManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxManifest.xml" [0097.147] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxManifest.xml" [0097.147] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxManifest.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS" [0097.147] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxManifest.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\appxmanifest.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxManifest.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\appxmanifest.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0097.147] FindNextFileW (in: hFindFile=0x2c9e748, lpFindFileData=0x17fdfd28 | out: lpFindFileData=0x17fdfd28) returned 1 [0097.147] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*" [0097.147] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*") returned 110 [0097.147] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta" [0097.147] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.148] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.148] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x17fdfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17fdfcf0, lpOverlapped=0x0) returned 0 [0097.148] CloseHandle (hObject=0xffffffff) returned 1 [0097.148] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.148] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxSignature.p7x") returned 1 [0097.148] lstrlenW (lpString="AppxSignature.p7x") returned 17 [0097.148] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*" [0097.148] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*") returned 110 [0097.149] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\", lpString2="AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxSignature.p7x" [0097.149] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxSignature.p7x" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxSignature.p7x") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxSignature.p7x" [0097.149] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxSignature.p7x", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" [0097.149] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxSignature.p7x" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\appxsignature.p7x"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\AppxSignature.p7x id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\appxsignature.p7x id-br3n0g72wub8cejt.lyas")) returned 0 [0097.149] FindNextFileW (in: hFindFile=0x2c9e748, lpFindFileData=0x17fdfd28 | out: lpFindFileData=0x17fdfd28) returned 1 [0097.149] lstrcmpW (lpString1=".", lpString2="Assets") returned -1 [0097.149] lstrcmpW (lpString1="..", lpString2="Assets") returned -1 [0097.149] lstrcmpiW (lpString1="windows", lpString2="Assets") returned 1 [0097.154] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*" [0097.154] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*") returned 110 [0097.154] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\", lpString2="Assets" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\Assets") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\Assets" [0097.154] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\Assets", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\Assets\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\Assets\\*.*" [0097.154] GlobalMemoryStatus (in: lpBuffer=0x17fdfd08 | out: lpBuffer=0x17fdfd08) [0097.154] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21060580, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4fc [0097.155] CloseHandle (hObject=0x4fc) returned 1 [0097.155] FindNextFileW (in: hFindFile=0x2c9e748, lpFindFileData=0x17fdfd28 | out: lpFindFileData=0x17fdfd28) returned 1 [0097.155] lstrcmpW (lpString1=".", lpString2="microsoft.system.package.metadata") returned -1 [0097.155] lstrcmpW (lpString1="..", lpString2="microsoft.system.package.metadata") returned -1 [0097.155] lstrcmpiW (lpString1="windows", lpString2="microsoft.system.package.metadata") returned 1 [0097.160] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*" [0097.160] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*") returned 110 [0097.160] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\", lpString2="microsoft.system.package.metadata" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\microsoft.system.package.metadata") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\microsoft.system.package.metadata" [0097.160] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\microsoft.system.package.metadata", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*" [0097.160] GlobalMemoryStatus (in: lpBuffer=0x17fdfd08 | out: lpBuffer=0x17fdfd08) [0097.160] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x20ed04e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4fc [0097.161] CloseHandle (hObject=0x4fc) returned 1 [0097.161] FindNextFileW (in: hFindFile=0x2c9e748, lpFindFileData=0x17fdfd28 | out: lpFindFileData=0x17fdfd28) returned 1 [0097.161] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*" [0097.161] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*") returned 110 [0097.161] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta" [0097.162] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0097.162] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.162] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x17fdfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17fdfcf0, lpOverlapped=0x0) returned 0 [0097.162] CloseHandle (hObject=0xffffffff) returned 1 [0097.162] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0097.163] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="resources.pri") returned -1 [0097.163] lstrlenW (lpString="resources.pri") returned 13 [0097.163] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*" [0097.163] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\*.*") returned 110 [0097.163] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\", lpString2="resources.pri" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\resources.pri") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\resources.pri" [0097.163] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\resources.pri" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\resources.pri") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\resources.pri" [0097.163] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\resources.pri", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\resources.pri id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\resources.pri id-Br3n0G72wUb8CejT.LyaS" [0097.163] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\resources.pri" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\resources.pri"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\resources.pri id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\resources.pri id-br3n0g72wub8cejt.lyas")) returned 0 [0097.163] FindNextFileW (in: hFindFile=0x2c9e748, lpFindFileData=0x17fdfd28 | out: lpFindFileData=0x17fdfd28) returned 0 [0097.163] FindClose (in: hFindFile=0x2c9e748 | out: hFindFile=0x2c9e748) returned 1 Thread: id = 321 os_tid = 0x9a4 [0091.922] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_x64__8wekyb3d8bbwe\\*.*", lpFindFileData=0x1811fd28 | out: lpFindFileData=0x1811fd28) returned 0x108056c8 [0091.923] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.923] FindNextFileW (in: hFindFile=0x108056c8, lpFindFileData=0x1811fd28 | out: lpFindFileData=0x1811fd28) returned 1 [0091.923] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.923] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.923] FindNextFileW (in: hFindFile=0x108056c8, lpFindFileData=0x1811fd28 | out: lpFindFileData=0x1811fd28) returned 1 [0091.925] lstrcpyW (in: lpString1=0x3f34880, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_x64__8wekyb3d8bbwe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_x64__8wekyb3d8bbwe\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_x64__8wekyb3d8bbwe\\*.*" [0091.925] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_x64__8wekyb3d8bbwe\\*.*") returned 87 [0091.926] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_x64__8wekyb3d8bbwe\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" [0091.926] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_3.6.10811.0_x64__8wekyb3d8bbwe\\how to restore files.hta")) returned 0xffffffff [0091.926] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_3.6.10811.0_x64__8wekyb3d8bbwe\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.352] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1811fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1811fcf0, lpOverlapped=0x0) returned 0 [0094.352] CloseHandle (hObject=0xffffffff) returned 1 [0094.352] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_x64__8wekyb3d8bbwe\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 Thread: id = 322 os_tid = 0x9a8 [0091.926] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*", lpFindFileData=0x1825fd28 | out: lpFindFileData=0x1825fd28) returned 0x10804fc8 [0091.927] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.927] FindNextFileW (in: hFindFile=0x10804fc8, lpFindFileData=0x1825fd28 | out: lpFindFileData=0x1825fd28) returned 1 [0091.927] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.927] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.927] FindNextFileW (in: hFindFile=0x10804fc8, lpFindFileData=0x1825fd28 | out: lpFindFileData=0x1825fd28) returned 1 [0091.929] lstrcpyW (in: lpString1=0x9041e78, lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" [0091.929] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned 51 [0091.929] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\How To Restore Files.hta" [0091.929] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows photo viewer\\en-us\\how to restore files.hta")) returned 0xffffffff [0091.929] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows photo viewer\\en-us\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x498 [0091.960] WriteFile (in: hFile=0x498, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1825fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1825fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0091.960] CloseHandle (hObject=0x498) returned 1 [0091.961] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0091.961] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ImagingDevices.exe.mui") returned -1 [0091.961] lstrlenW (lpString="ImagingDevices.exe.mui") returned 22 [0091.961] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" [0091.961] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned 51 [0091.961] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\", lpString2="ImagingDevices.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui" [0091.961] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui" [0091.961] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0091.961] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui" (normalized: "c:\\program files\\windows photo viewer\\en-us\\imagingdevices.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows photo viewer\\en-us\\imagingdevices.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0091.961] FindNextFileW (in: hFindFile=0x10804fc8, lpFindFileData=0x1825fd28 | out: lpFindFileData=0x1825fd28) returned 1 [0091.962] lstrcpyW (in: lpString1=0x9041e78, lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" [0091.962] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned 51 [0091.962] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\How To Restore Files.hta" [0091.962] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows photo viewer\\en-us\\how to restore files.hta")) returned 0x1 [0091.962] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="PhotoAcq.dll.mui") returned -1 [0091.962] lstrlenW (lpString="PhotoAcq.dll.mui") returned 16 [0091.962] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" [0091.962] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned 51 [0091.962] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\", lpString2="PhotoAcq.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui" [0091.962] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui" [0091.962] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui id-Br3n0G72wUb8CejT.LyaS" [0091.962] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui" (normalized: "c:\\program files\\windows photo viewer\\en-us\\photoacq.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows photo viewer\\en-us\\photoacq.dll.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0092.216] FindNextFileW (in: hFindFile=0x10804fc8, lpFindFileData=0x1825fd28 | out: lpFindFileData=0x1825fd28) returned 1 [0092.216] lstrcpyW (in: lpString1=0x3ec5e90, lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" [0092.216] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned 51 [0092.216] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\How To Restore Files.hta" [0092.216] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows photo viewer\\en-us\\how to restore files.hta")) returned 0x1 [0092.216] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="PhotoViewer.dll.mui") returned -1 [0092.216] lstrlenW (lpString="PhotoViewer.dll.mui") returned 19 [0092.216] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" [0092.216] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned 51 [0092.216] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\", lpString2="PhotoViewer.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui" [0092.217] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui" [0092.217] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui id-Br3n0G72wUb8CejT.LyaS" [0092.217] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui" (normalized: "c:\\program files\\windows photo viewer\\en-us\\photoviewer.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows photo viewer\\en-us\\photoviewer.dll.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0092.217] FindNextFileW (in: hFindFile=0x10804fc8, lpFindFileData=0x1825fd28 | out: lpFindFileData=0x1825fd28) returned 0 [0092.217] FindClose (in: hFindFile=0x10804fc8 | out: hFindFile=0x10804fc8) returned 1 Thread: id = 323 os_tid = 0x9ac [0091.931] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*", lpFindFileData=0x1839fd28 | out: lpFindFileData=0x1839fd28) returned 0x10805008 [0091.931] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.931] FindNextFileW (in: hFindFile=0x10805008, lpFindFileData=0x1839fd28 | out: lpFindFileData=0x1839fd28) returned 1 [0091.931] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.931] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.931] FindNextFileW (in: hFindFile=0x10805008, lpFindFileData=0x1839fd28 | out: lpFindFileData=0x1839fd28) returned 1 [0091.933] lstrcpyW (in: lpString1=0x2c962d0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0091.933] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0091.933] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta" [0091.933] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\en-us\\how to restore files.hta")) returned 0xffffffff [0091.933] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\en-us\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x498 [0091.964] WriteFile (in: hFile=0x498, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1839fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1839fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0091.965] CloseHandle (hObject=0x498) returned 1 [0091.965] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.887] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="mpvis.dll.mui") returned -1 [0094.887] lstrlenW (lpString="mpvis.dll.mui") returned 13 [0094.887] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0094.887] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0094.887] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="mpvis.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\mpvis.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\mpvis.dll.mui" [0094.887] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\mpvis.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\mpvis.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\mpvis.dll.mui" [0094.887] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\mpvis.dll.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\mpvis.dll.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\mpvis.dll.mui id-Br3n0G72wUb8CejT.LyaS" [0094.887] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\mpvis.dll.mui" (normalized: "c:\\program files\\windows media player\\en-us\\mpvis.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\mpvis.dll.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\en-us\\mpvis.dll.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0096.317] FindNextFileW (in: hFindFile=0x10805008, lpFindFileData=0x1839fd28 | out: lpFindFileData=0x1839fd28) returned 1 [0097.364] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0097.364] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0097.364] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta" [0097.364] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\en-us\\how to restore files.hta")) returned 0x1 [0097.364] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="setup_wm.exe.mui") returned -1 [0097.364] lstrlenW (lpString="setup_wm.exe.mui") returned 16 [0097.364] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0097.364] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0097.364] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="setup_wm.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\setup_wm.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\setup_wm.exe.mui" [0097.364] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\setup_wm.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\setup_wm.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\setup_wm.exe.mui" [0097.364] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\setup_wm.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\setup_wm.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\setup_wm.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0097.364] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\setup_wm.exe.mui" (normalized: "c:\\program files\\windows media player\\en-us\\setup_wm.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\setup_wm.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\en-us\\setup_wm.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0098.119] FindNextFileW (in: hFindFile=0x10805008, lpFindFileData=0x1839fd28 | out: lpFindFileData=0x1839fd28) returned 1 [0098.119] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0098.119] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0098.119] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta" [0098.119] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\en-us\\how to restore files.hta")) returned 0x1 [0098.119] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wmlaunch.exe.mui") returned -1 [0098.119] lstrlenW (lpString="wmlaunch.exe.mui") returned 16 [0098.119] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0098.119] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0098.119] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="wmlaunch.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmlaunch.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmlaunch.exe.mui" [0098.119] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmlaunch.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmlaunch.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmlaunch.exe.mui" [0098.119] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmlaunch.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmlaunch.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmlaunch.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0098.119] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmlaunch.exe.mui" (normalized: "c:\\program files\\windows media player\\en-us\\wmlaunch.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmlaunch.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\en-us\\wmlaunch.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0098.120] FindNextFileW (in: hFindFile=0x10805008, lpFindFileData=0x1839fd28 | out: lpFindFileData=0x1839fd28) returned 1 [0098.120] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0098.120] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0098.120] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta" [0098.120] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\en-us\\how to restore files.hta")) returned 0x1 [0098.120] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wmplayer.exe.mui") returned -1 [0098.120] lstrlenW (lpString="wmplayer.exe.mui") returned 16 [0098.120] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0098.120] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0098.120] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="wmplayer.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmplayer.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmplayer.exe.mui" [0098.120] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmplayer.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmplayer.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmplayer.exe.mui" [0098.120] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmplayer.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmplayer.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmplayer.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0098.121] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmplayer.exe.mui" (normalized: "c:\\program files\\windows media player\\en-us\\wmplayer.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmplayer.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\en-us\\wmplayer.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0098.122] FindNextFileW (in: hFindFile=0x10805008, lpFindFileData=0x1839fd28 | out: lpFindFileData=0x1839fd28) returned 1 [0098.122] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0098.123] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0098.123] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta" [0098.123] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\en-us\\how to restore files.hta")) returned 0x1 [0098.123] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="WMPMediaSharing.dll.mui") returned -1 [0098.123] lstrlenW (lpString="WMPMediaSharing.dll.mui") returned 23 [0098.123] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0098.123] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0098.123] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="WMPMediaSharing.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui" [0098.123] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui" [0098.123] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui id-Br3n0G72wUb8CejT.LyaS" [0098.123] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui" (normalized: "c:\\program files\\windows media player\\en-us\\wmpmediasharing.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\en-us\\wmpmediasharing.dll.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0098.123] FindNextFileW (in: hFindFile=0x10805008, lpFindFileData=0x1839fd28 | out: lpFindFileData=0x1839fd28) returned 1 [0098.123] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0098.123] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0098.123] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta" [0098.123] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\en-us\\how to restore files.hta")) returned 0x1 [0098.124] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wmpnetwk.exe.mui") returned -1 [0098.124] lstrlenW (lpString="wmpnetwk.exe.mui") returned 16 [0098.124] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0098.124] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0098.124] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="wmpnetwk.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnetwk.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnetwk.exe.mui" [0098.124] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnetwk.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnetwk.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnetwk.exe.mui" [0098.124] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnetwk.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnetwk.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnetwk.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0098.124] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnetwk.exe.mui" (normalized: "c:\\program files\\windows media player\\en-us\\wmpnetwk.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnetwk.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\en-us\\wmpnetwk.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0098.124] FindNextFileW (in: hFindFile=0x10805008, lpFindFileData=0x1839fd28 | out: lpFindFileData=0x1839fd28) returned 1 [0098.124] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0098.124] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0098.124] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta" [0098.124] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\en-us\\how to restore files.hta")) returned 0x1 [0098.124] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wmpnscfg.exe.mui") returned -1 [0098.124] lstrlenW (lpString="wmpnscfg.exe.mui") returned 16 [0098.124] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0098.124] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0098.124] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="wmpnscfg.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnscfg.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnscfg.exe.mui" [0098.125] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnscfg.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnscfg.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnscfg.exe.mui" [0098.125] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnscfg.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnscfg.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnscfg.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0098.125] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnscfg.exe.mui" (normalized: "c:\\program files\\windows media player\\en-us\\wmpnscfg.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnscfg.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\en-us\\wmpnscfg.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0098.125] FindNextFileW (in: hFindFile=0x10805008, lpFindFileData=0x1839fd28 | out: lpFindFileData=0x1839fd28) returned 1 [0098.125] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0098.125] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0098.125] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta" [0098.125] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\en-us\\how to restore files.hta")) returned 0x1 [0098.126] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wmpnssci.dll.mui") returned -1 [0098.126] lstrlenW (lpString="wmpnssci.dll.mui") returned 16 [0098.126] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0098.126] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0098.126] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="wmpnssci.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssci.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssci.dll.mui" [0098.126] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssci.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssci.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssci.dll.mui" [0098.126] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssci.dll.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssci.dll.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssci.dll.mui id-Br3n0G72wUb8CejT.LyaS" [0098.126] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssci.dll.mui" (normalized: "c:\\program files\\windows media player\\en-us\\wmpnssci.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssci.dll.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\en-us\\wmpnssci.dll.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0098.127] FindNextFileW (in: hFindFile=0x10805008, lpFindFileData=0x1839fd28 | out: lpFindFileData=0x1839fd28) returned 1 [0098.127] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0098.127] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0098.127] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta" [0098.127] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\en-us\\how to restore files.hta")) returned 0x1 [0098.127] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wmpnssui.dll.mui") returned -1 [0098.127] lstrlenW (lpString="wmpnssui.dll.mui") returned 16 [0098.127] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0098.127] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0098.127] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="wmpnssui.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssui.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssui.dll.mui" [0098.127] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssui.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssui.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssui.dll.mui" [0098.127] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssui.dll.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssui.dll.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssui.dll.mui id-Br3n0G72wUb8CejT.LyaS" [0098.127] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssui.dll.mui" (normalized: "c:\\program files\\windows media player\\en-us\\wmpnssui.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssui.dll.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\en-us\\wmpnssui.dll.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0098.128] FindNextFileW (in: hFindFile=0x10805008, lpFindFileData=0x1839fd28 | out: lpFindFileData=0x1839fd28) returned 1 [0098.128] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0098.128] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0098.128] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta" [0098.128] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\en-us\\how to restore files.hta")) returned 0x1 [0098.128] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="WMPSideShowGadget.exe.mui") returned -1 [0098.128] lstrlenW (lpString="WMPSideShowGadget.exe.mui") returned 25 [0098.128] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0098.128] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0098.128] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="WMPSideShowGadget.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPSideShowGadget.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPSideShowGadget.exe.mui" [0098.128] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPSideShowGadget.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPSideShowGadget.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPSideShowGadget.exe.mui" [0098.128] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPSideShowGadget.exe.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPSideShowGadget.exe.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPSideShowGadget.exe.mui id-Br3n0G72wUb8CejT.LyaS" [0098.128] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPSideShowGadget.exe.mui" (normalized: "c:\\program files\\windows media player\\en-us\\wmpsideshowgadget.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPSideShowGadget.exe.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\en-us\\wmpsideshowgadget.exe.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0098.129] FindNextFileW (in: hFindFile=0x10805008, lpFindFileData=0x1839fd28 | out: lpFindFileData=0x1839fd28) returned 0 [0098.129] FindClose (in: hFindFile=0x10805008 | out: hFindFile=0x10805008) returned 1 Thread: id = 324 os_tid = 0x994 [0091.934] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Icons\\*.*", lpFindFileData=0x184dfd28 | out: lpFindFileData=0x184dfd28) returned 0x2c9e788 [0093.278] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.278] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x184dfd28 | out: lpFindFileData=0x184dfd28) returned 1 [0093.278] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.278] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.278] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x184dfd28 | out: lpFindFileData=0x184dfd28) returned 0 [0093.278] FindClose (in: hFindFile=0x2c9e788 | out: hFindFile=0x2c9e788) returned 1 Thread: id = 325 os_tid = 0x9a0 [0091.934] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*", lpFindFileData=0x1861fd28 | out: lpFindFileData=0x1861fd28) returned 0x5c8d10 [0094.635] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.635] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x1861fd28 | out: lpFindFileData=0x1861fd28) returned 1 [0094.635] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0094.635] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.635] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x1861fd28 | out: lpFindFileData=0x1861fd28) returned 1 [0094.886] lstrcpyW (in: lpString1=0x3df8330, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0094.886] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0094.886] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta" [0094.886] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\media renderer\\how to restore files.hta")) returned 0xffffffff [0094.886] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\media renderer\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0096.500] WriteFile (in: hFile=0x2e8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1861fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1861fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0096.501] CloseHandle (hObject=0x2e8) returned 1 [0096.501] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0097.014] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="avtransport.xml") returned 1 [0097.014] lstrlenW (lpString="avtransport.xml") returned 15 [0097.014] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0097.014] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0097.015] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="avtransport.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml" [0097.015] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml" [0097.015] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml id-Br3n0G72wUb8CejT.LyaS" [0097.015] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml" (normalized: "c:\\program files\\windows media player\\media renderer\\avtransport.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\media renderer\\avtransport.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0097.108] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x1861fd28 | out: lpFindFileData=0x1861fd28) returned 1 [0097.109] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0097.109] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0097.109] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta" [0097.109] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\media renderer\\how to restore files.hta")) returned 0x1 [0097.109] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="connectionmanager_dmr.xml") returned 1 [0097.109] lstrlenW (lpString="connectionmanager_dmr.xml") returned 25 [0097.109] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0097.109] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0097.109] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="connectionmanager_dmr.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml" [0097.109] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml" [0097.109] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml id-Br3n0G72wUb8CejT.LyaS" [0097.109] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml" (normalized: "c:\\program files\\windows media player\\media renderer\\connectionmanager_dmr.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\media renderer\\connectionmanager_dmr.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0099.095] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x1861fd28 | out: lpFindFileData=0x1861fd28) returned 1 [0099.521] lstrcpyW (in: lpString1=0x21acb0b8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0099.521] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0099.521] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta" [0099.521] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\media renderer\\how to restore files.hta")) returned 0x1 [0099.521] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="DMR_120.jpg") returned 1 [0099.521] lstrlenW (lpString="DMR_120.jpg") returned 11 [0099.522] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0099.522] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0099.522] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="DMR_120.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg" [0099.522] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg" [0099.522] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg id-Br3n0G72wUb8CejT.LyaS" [0099.522] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.jpg id-br3n0g72wub8cejt.lyas")) returned 0 [0099.522] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x1861fd28 | out: lpFindFileData=0x1861fd28) returned 1 [0099.522] lstrcpyW (in: lpString1=0x21acb0b8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0099.522] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0099.522] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta" [0099.522] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\media renderer\\how to restore files.hta")) returned 0x1 [0099.522] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="DMR_120.png") returned 1 [0099.522] lstrlenW (lpString="DMR_120.png") returned 11 [0099.522] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0099.522] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0099.523] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="DMR_120.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png" [0099.523] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png" [0099.523] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png id-Br3n0G72wUb8CejT.LyaS" [0099.523] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.png id-br3n0g72wub8cejt.lyas")) returned 0 [0099.523] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x1861fd28 | out: lpFindFileData=0x1861fd28) returned 1 [0099.523] lstrcpyW (in: lpString1=0x21acb0b8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0099.523] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0099.523] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta" [0099.523] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\media renderer\\how to restore files.hta")) returned 0x1 [0099.523] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="DMR_48.jpg") returned 1 [0099.523] lstrlenW (lpString="DMR_48.jpg") returned 10 [0099.523] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0099.523] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0099.523] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="DMR_48.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg" [0099.523] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg" [0099.523] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg id-Br3n0G72wUb8CejT.LyaS" [0099.524] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_48.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_48.jpg id-br3n0g72wub8cejt.lyas")) returned 0 [0099.544] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x1861fd28 | out: lpFindFileData=0x1861fd28) returned 1 [0099.548] lstrcpyW (in: lpString1=0x21adb0c8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0099.548] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0099.548] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta" [0099.548] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\media renderer\\how to restore files.hta")) returned 0x1 [0099.549] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="DMR_48.png") returned 1 [0099.549] lstrlenW (lpString="DMR_48.png") returned 10 [0099.549] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0099.549] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0099.549] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="DMR_48.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png" [0099.549] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png" [0099.549] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png id-Br3n0G72wUb8CejT.LyaS" [0099.549] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_48.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_48.png id-br3n0g72wub8cejt.lyas")) returned 0 [0099.549] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x1861fd28 | out: lpFindFileData=0x1861fd28) returned 1 [0099.550] lstrcpyW (in: lpString1=0x21adb0c8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0099.550] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0099.550] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta" [0099.550] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\media renderer\\how to restore files.hta")) returned 0x1 [0099.550] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="RenderingControl.xml") returned -1 [0099.550] lstrlenW (lpString="RenderingControl.xml") returned 20 [0099.550] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0099.550] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0099.550] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="RenderingControl.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml" [0099.550] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml" [0099.550] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml id-Br3n0G72wUb8CejT.LyaS" [0099.550] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml" (normalized: "c:\\program files\\windows media player\\media renderer\\renderingcontrol.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\media renderer\\renderingcontrol.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0099.582] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x1861fd28 | out: lpFindFileData=0x1861fd28) returned 1 [0099.586] lstrcpyW (in: lpString1=0x21b43270, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0099.586] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0099.586] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta" [0099.586] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\media renderer\\how to restore files.hta")) returned 0x1 [0099.586] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="RenderingControl_DMP.xml") returned -1 [0099.586] lstrlenW (lpString="RenderingControl_DMP.xml") returned 24 [0099.586] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0099.586] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0099.586] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="RenderingControl_DMP.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl_DMP.xml") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl_DMP.xml" [0099.586] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl_DMP.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl_DMP.xml") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl_DMP.xml" [0099.586] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl_DMP.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl_DMP.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl_DMP.xml id-Br3n0G72wUb8CejT.LyaS" [0099.586] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl_DMP.xml" (normalized: "c:\\program files\\windows media player\\media renderer\\renderingcontrol_dmp.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl_DMP.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windows media player\\media renderer\\renderingcontrol_dmp.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0099.587] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x1861fd28 | out: lpFindFileData=0x1861fd28) returned 0 [0099.587] FindClose (in: hFindFile=0x5c8d10 | out: hFindFile=0x5c8d10) returned 1 Thread: id = 326 os_tid = 0x9c0 [0091.953] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*.*", lpFindFileData=0x1875fd28 | out: lpFindFileData=0x1875fd28) returned 0x10804a48 [0091.953] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.953] FindNextFileW (in: hFindFile=0x10804a48, lpFindFileData=0x1875fd28 | out: lpFindFileData=0x1875fd28) returned 1 [0092.010] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.010] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.010] FindNextFileW (in: hFindFile=0x10804a48, lpFindFileData=0x1875fd28 | out: lpFindFileData=0x1875fd28) returned 1 [0092.012] lstrcpyW (in: lpString1=0x3e24360, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*.*" [0092.012] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*.*") returned 65 [0092.012] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\How To Restore Files.hta" [0092.012] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\how to restore files.hta")) returned 0xffffffff [0092.012] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x584 [0096.215] WriteFile (in: hFile=0x584, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1875fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1875fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0096.216] CloseHandle (hObject=0x584) returned 1 [0096.216] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0100.752] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2=".LNK") returned 1 [0100.752] lstrlenW (lpString=".LNK") returned 4 [0100.752] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*.*" [0100.752] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*.*") returned 65 [0100.752] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\", lpString2=".LNK" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\.LNK") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\.LNK" [0100.752] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\.LNK" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\.LNK") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\.LNK" [0100.752] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\.LNK", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\.LNK id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\.LNK id-Br3n0G72wUb8CejT.LyaS" [0100.752] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\.LNK" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\.lnk"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\.LNK id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\.lnk id-br3n0g72wub8cejt.lyas")) Thread: id = 327 os_tid = 0x9bc [0091.953] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*", lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 0x10804a88 [0091.987] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.987] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0091.988] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.988] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.988] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0091.988] lstrcpyW (in: lpString1=0x8b38c90, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0091.988] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0091.988] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0091.988] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0xffffffff [0091.988] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b4 [0094.609] WriteFile (in: hFile=0x4b4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1889fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1889fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.610] CloseHandle (hObject=0x4b4) returned 1 [0094.612] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.892] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Alphabet.xml") returned 1 [0094.893] lstrlenW (lpString="Alphabet.xml") returned 12 [0094.893] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0094.893] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0094.893] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="Alphabet.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" [0094.893] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" [0094.893] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml id-Br3n0G72wUb8CejT.LyaS" [0094.893] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0096.317] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0096.317] lstrcmpW (lpString1=".", lpString2="ar-SA") returned -1 [0096.318] lstrcmpW (lpString1="..", lpString2="ar-SA") returned -1 [0096.318] lstrcmpiW (lpString1="windows", lpString2="ar-SA") returned 1 [0097.245] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0097.245] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0097.246] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="ar-SA" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA" [0097.246] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\*.*" [0097.246] GlobalMemoryStatus (in: lpBuffer=0x1889fd08 | out: lpBuffer=0x1889fd08) [0097.246] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10e7e250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0097.247] CloseHandle (hObject=0x430) returned 1 [0097.247] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0097.247] lstrcmpW (lpString1=".", lpString2="bg-BG") returned -1 [0097.247] lstrcmpW (lpString1="..", lpString2="bg-BG") returned -1 [0097.247] lstrcmpiW (lpString1="windows", lpString2="bg-BG") returned 1 [0097.252] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0097.252] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0097.252] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="bg-BG" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG" [0097.252] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\*.*" [0097.252] GlobalMemoryStatus (in: lpBuffer=0x1889fd08 | out: lpBuffer=0x1889fd08) [0097.252] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21481620, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0097.253] CloseHandle (hObject=0x430) returned 1 [0097.253] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0097.253] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0097.253] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0097.253] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0097.253] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0097.253] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Content.xml") returned 1 [0097.253] lstrlenW (lpString="Content.xml") returned 11 [0097.253] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0097.253] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0097.253] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="Content.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" [0097.253] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" [0097.253] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml id-Br3n0G72wUb8CejT.LyaS" [0097.253] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0097.254] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0097.254] lstrcmpW (lpString1=".", lpString2="cs-CZ") returned -1 [0097.254] lstrcmpW (lpString1="..", lpString2="cs-CZ") returned -1 [0097.254] lstrcmpiW (lpString1="windows", lpString2="cs-CZ") returned 1 [0097.258] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0097.259] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0097.259] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="cs-CZ" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ" [0097.259] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\*.*" [0097.259] GlobalMemoryStatus (in: lpBuffer=0x1889fd08 | out: lpBuffer=0x1889fd08) [0097.259] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21499688, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0097.259] CloseHandle (hObject=0x430) returned 1 [0097.260] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0097.260] lstrcmpW (lpString1=".", lpString2="da-DK") returned -1 [0097.260] lstrcmpW (lpString1="..", lpString2="da-DK") returned -1 [0097.260] lstrcmpiW (lpString1="windows", lpString2="da-DK") returned 1 [0097.265] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0097.265] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0097.265] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="da-DK" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK" [0097.265] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\*.*" [0097.265] GlobalMemoryStatus (in: lpBuffer=0x1889fd08 | out: lpBuffer=0x1889fd08) [0097.265] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x214b16f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0097.266] CloseHandle (hObject=0x430) returned 1 [0097.266] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0097.266] lstrcmpW (lpString1=".", lpString2="de-DE") returned -1 [0097.266] lstrcmpW (lpString1="..", lpString2="de-DE") returned -1 [0097.266] lstrcmpiW (lpString1="windows", lpString2="de-DE") returned 1 [0097.270] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0097.270] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0097.270] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="de-DE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE" [0097.270] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\*.*" [0097.270] GlobalMemoryStatus (in: lpBuffer=0x1889fd08 | out: lpBuffer=0x1889fd08) [0097.270] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x214c9758, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0097.271] CloseHandle (hObject=0x430) returned 1 [0097.271] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0097.271] lstrcmpW (lpString1=".", lpString2="el-GR") returned -1 [0097.271] lstrcmpW (lpString1="..", lpString2="el-GR") returned -1 [0097.271] lstrcmpiW (lpString1="windows", lpString2="el-GR") returned 1 [0097.276] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0097.276] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0097.276] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="el-GR" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR" [0097.276] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\*.*" [0097.276] GlobalMemoryStatus (in: lpBuffer=0x1889fd08 | out: lpBuffer=0x1889fd08) [0097.276] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x214e17c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0097.277] CloseHandle (hObject=0x430) returned 1 [0097.277] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0097.277] lstrcmpW (lpString1=".", lpString2="en-GB") returned -1 [0097.277] lstrcmpW (lpString1="..", lpString2="en-GB") returned -1 [0097.277] lstrcmpiW (lpString1="windows", lpString2="en-GB") returned 1 [0097.282] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0097.282] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0097.282] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="en-GB" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB" [0097.282] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\*.*" [0097.282] GlobalMemoryStatus (in: lpBuffer=0x1889fd08 | out: lpBuffer=0x1889fd08) [0097.282] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x214f9828, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0097.283] CloseHandle (hObject=0x430) returned 1 [0097.283] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0097.283] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0097.283] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0097.283] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0097.288] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0097.288] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0097.288] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US" [0097.288] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\*.*" [0097.288] GlobalMemoryStatus (in: lpBuffer=0x1889fd08 | out: lpBuffer=0x1889fd08) [0097.288] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21511890, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0097.289] CloseHandle (hObject=0x430) returned 1 [0097.289] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0097.289] lstrcmpW (lpString1=".", lpString2="es-ES") returned -1 [0097.289] lstrcmpW (lpString1="..", lpString2="es-ES") returned -1 [0097.289] lstrcmpiW (lpString1="windows", lpString2="es-ES") returned 1 [0097.338] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0097.338] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0097.338] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="es-ES" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES" [0097.339] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\*.*" [0097.339] GlobalMemoryStatus (in: lpBuffer=0x1889fd08 | out: lpBuffer=0x1889fd08) [0097.339] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x215298f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0097.339] CloseHandle (hObject=0x430) returned 1 [0097.339] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0097.339] lstrcmpW (lpString1=".", lpString2="es-MX") returned -1 [0097.340] lstrcmpW (lpString1="..", lpString2="es-MX") returned -1 [0097.340] lstrcmpiW (lpString1="windows", lpString2="es-MX") returned 1 [0097.340] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0097.340] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0097.340] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="es-MX" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX" [0097.340] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\*.*" [0097.340] GlobalMemoryStatus (in: lpBuffer=0x1889fd08 | out: lpBuffer=0x1889fd08) [0097.340] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21541960, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0097.341] CloseHandle (hObject=0x430) returned 1 [0097.341] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0097.341] lstrcmpW (lpString1=".", lpString2="et-EE") returned -1 [0097.341] lstrcmpW (lpString1="..", lpString2="et-EE") returned -1 [0097.341] lstrcmpiW (lpString1="windows", lpString2="et-EE") returned 1 [0097.346] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0097.346] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0097.346] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="et-EE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE" [0097.346] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\*.*" [0097.346] GlobalMemoryStatus (in: lpBuffer=0x1889fd08 | out: lpBuffer=0x1889fd08) [0097.346] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x215599c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0097.347] CloseHandle (hObject=0x430) returned 1 [0097.347] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0097.347] lstrcmpW (lpString1=".", lpString2="fi-FI") returned -1 [0097.347] lstrcmpW (lpString1="..", lpString2="fi-FI") returned -1 [0097.347] lstrcmpiW (lpString1="windows", lpString2="fi-FI") returned 1 [0097.351] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0097.351] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0097.351] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="fi-FI" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI" [0097.351] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\*.*" [0097.351] GlobalMemoryStatus (in: lpBuffer=0x1889fd08 | out: lpBuffer=0x1889fd08) [0097.351] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21571a30, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0097.352] CloseHandle (hObject=0x430) returned 1 [0097.352] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0097.352] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0097.352] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0097.352] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0097.352] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0097.353] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="FlickAnimation.avi") returned 1 [0097.353] lstrlenW (lpString="FlickAnimation.avi") returned 18 [0097.353] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0097.353] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0097.353] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="FlickAnimation.avi" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" [0097.353] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" [0097.353] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi id-Br3n0G72wUb8CejT.LyaS" [0097.353] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi id-br3n0g72wub8cejt.lyas")) returned 0 [0099.201] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.370] lstrcpyW (in: lpString1=0x21120820, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.370] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.370] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.370] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.371] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="FlickLearningWizard.exe") returned 1 [0099.371] lstrlenW (lpString="FlickLearningWizard.exe") returned 23 [0099.371] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.371] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.371] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="FlickLearningWizard.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe" [0099.371] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe" [0099.371] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe id-Br3n0G72wUb8CejT.LyaS" [0099.371] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flicklearningwizard.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flicklearningwizard.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0099.379] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.379] lstrcmpW (lpString1=".", lpString2="fr-CA") returned -1 [0099.379] lstrcmpW (lpString1="..", lpString2="fr-CA") returned -1 [0099.379] lstrcmpiW (lpString1="windows", lpString2="fr-CA") returned 1 [0099.384] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.384] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.384] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="fr-CA" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA" [0099.384] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-CA\\*.*" [0099.384] GlobalMemoryStatus (in: lpBuffer=0x1889fd08 | out: lpBuffer=0x1889fd08) [0099.384] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21a02dc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x548 [0099.385] CloseHandle (hObject=0x548) returned 1 [0099.385] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.385] lstrcmpW (lpString1=".", lpString2="fr-FR") returned -1 [0099.385] lstrcmpW (lpString1="..", lpString2="fr-FR") returned -1 [0099.386] lstrcmpiW (lpString1="windows", lpString2="fr-FR") returned 1 [0099.391] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.392] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.392] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="fr-FR" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR" [0099.392] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\*.*" [0099.392] GlobalMemoryStatus (in: lpBuffer=0x1889fd08 | out: lpBuffer=0x1889fd08) [0099.392] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21a1ae28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x548 [0099.393] CloseHandle (hObject=0x548) returned 1 [0099.393] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.393] lstrcmpW (lpString1=".", lpString2="fsdefinitions") returned -1 [0099.393] lstrcmpW (lpString1="..", lpString2="fsdefinitions") returned -1 [0099.393] lstrcmpiW (lpString1="windows", lpString2="fsdefinitions") returned 1 [0099.398] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.398] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.398] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="fsdefinitions" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions" [0099.398] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\*.*" [0099.398] GlobalMemoryStatus (in: lpBuffer=0x1889fd08 | out: lpBuffer=0x1889fd08) [0099.398] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21a32e90, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x548 [0099.399] CloseHandle (hObject=0x548) returned 1 [0099.399] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.399] lstrcmpW (lpString1=".", lpString2="he-IL") returned -1 [0099.399] lstrcmpW (lpString1="..", lpString2="he-IL") returned -1 [0099.399] lstrcmpiW (lpString1="windows", lpString2="he-IL") returned 1 [0099.405] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.405] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.405] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="he-IL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL" [0099.405] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\*.*" [0099.405] GlobalMemoryStatus (in: lpBuffer=0x1889fd08 | out: lpBuffer=0x1889fd08) [0099.405] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21a4aef8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x548 [0099.406] CloseHandle (hObject=0x548) returned 1 [0099.406] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.406] lstrcmpW (lpString1=".", lpString2="hr-HR") returned -1 [0099.406] lstrcmpW (lpString1="..", lpString2="hr-HR") returned -1 [0099.406] lstrcmpiW (lpString1="windows", lpString2="hr-HR") returned 1 [0099.411] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.411] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.411] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="hr-HR" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR" [0099.411] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\*.*" [0099.411] GlobalMemoryStatus (in: lpBuffer=0x1889fd08 | out: lpBuffer=0x1889fd08) [0099.411] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21a62f60, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x548 [0099.413] CloseHandle (hObject=0x548) returned 1 [0099.413] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.413] lstrcmpW (lpString1=".", lpString2="hu-HU") returned -1 [0099.413] lstrcmpW (lpString1="..", lpString2="hu-HU") returned -1 [0099.413] lstrcmpiW (lpString1="windows", lpString2="hu-HU") returned 1 [0099.433] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.433] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.433] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="hu-HU" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU" [0099.433] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\*.*" [0099.433] GlobalMemoryStatus (in: lpBuffer=0x1889fd08 | out: lpBuffer=0x1889fd08) [0099.434] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21a7afc8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x438 [0099.434] CloseHandle (hObject=0x438) returned 1 [0099.434] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.434] lstrcpyW (in: lpString1=0x21a93030, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.435] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.435] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.435] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.435] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="hwrcommonlm.dat") returned -1 [0099.435] lstrlenW (lpString="hwrcommonlm.dat") returned 15 [0099.435] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.435] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.435] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="hwrcommonlm.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat" [0099.435] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat" [0099.435] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat id-Br3n0G72wUb8CejT.LyaS" [0099.435] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat id-br3n0g72wub8cejt.lyas")) returned 0 [0099.436] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.436] lstrcmpW (lpString1=".", lpString2="HWRCustomization") returned -1 [0099.436] lstrcmpW (lpString1="..", lpString2="HWRCustomization") returned -1 [0099.436] lstrcmpiW (lpString1="windows", lpString2="HWRCustomization") returned 1 [0099.436] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.436] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.436] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="HWRCustomization" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization" [0099.436] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization\\*.*" [0099.436] GlobalMemoryStatus (in: lpBuffer=0x1889fd08 | out: lpBuffer=0x1889fd08) [0099.436] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10ad1270, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x438 [0099.437] CloseHandle (hObject=0x438) returned 1 [0099.437] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.438] lstrcpyW (in: lpString1=0x21a93030, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.438] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.438] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.438] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.438] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="hwrenclm.dat") returned -1 [0099.438] lstrlenW (lpString="hwrenclm.dat") returned 12 [0099.438] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.438] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.438] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="hwrenclm.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat" [0099.438] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat" [0099.438] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat id-Br3n0G72wUb8CejT.LyaS" [0099.438] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat id-br3n0g72wub8cejt.lyas")) returned 0 [0099.469] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.469] lstrcpyW (in: lpString1=0x3f28858, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.469] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.469] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.469] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.469] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="hwrlatinlm.dat") returned -1 [0099.469] lstrlenW (lpString="hwrlatinlm.dat") returned 14 [0099.469] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.469] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.469] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="hwrlatinlm.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat" [0099.469] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat" [0099.469] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat id-Br3n0G72wUb8CejT.LyaS" [0099.469] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat id-br3n0g72wub8cejt.lyas")) returned 0 [0099.470] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.470] lstrcpyW (in: lpString1=0x3f28858, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.470] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.470] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.470] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.470] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="hwrusalm.dat") returned -1 [0099.470] lstrlenW (lpString="hwrusalm.dat") returned 12 [0099.470] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.470] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.470] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="hwrusalm.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat" [0099.470] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat" [0099.470] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat id-Br3n0G72wUb8CejT.LyaS" [0099.470] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat id-br3n0g72wub8cejt.lyas")) returned 0 [0099.471] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.471] lstrcpyW (in: lpString1=0x3f28858, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.471] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.471] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.471] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.472] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="hwrusash.dat") returned -1 [0099.472] lstrlenW (lpString="hwrusash.dat") returned 12 [0099.472] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.472] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.472] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="hwrusash.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" [0099.472] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" [0099.472] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat id-Br3n0G72wUb8CejT.LyaS" [0099.472] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat id-br3n0g72wub8cejt.lyas")) returned 0 [0099.474] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.474] lstrcpyW (in: lpString1=0x3f28858, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.474] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.474] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.474] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.474] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="InkDiv.dll") returned -1 [0099.474] lstrlenW (lpString="InkDiv.dll") returned 10 [0099.474] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.474] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.474] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="InkDiv.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll" [0099.474] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll" [0099.474] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll id-Br3n0G72wUb8CejT.LyaS" [0099.474] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkdiv.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkdiv.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0099.475] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.475] lstrcpyW (in: lpString1=0x3f28858, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.475] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.475] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.475] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.475] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="InkObj.dll") returned -1 [0099.475] lstrlenW (lpString="InkObj.dll") returned 10 [0099.475] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.475] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.475] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="InkObj.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll" [0099.475] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll" [0099.475] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll id-Br3n0G72wUb8CejT.LyaS" [0099.475] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0099.476] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.476] lstrcpyW (in: lpString1=0x3f28858, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.476] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.476] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.476] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.476] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="InputPersonalization.exe") returned -1 [0099.476] lstrlenW (lpString="InputPersonalization.exe") returned 24 [0099.476] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.476] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.476] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="InputPersonalization.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe" [0099.476] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe" [0099.476] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe id-Br3n0G72wUb8CejT.LyaS" [0099.476] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inputpersonalization.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inputpersonalization.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0099.476] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.476] lstrcpyW (in: lpString1=0x3f28858, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.477] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.477] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.477] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.477] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ipsar.xml") returned -1 [0099.477] lstrlenW (lpString="ipsar.xml") returned 9 [0099.477] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.477] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.477] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="ipsar.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml" [0099.477] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml" [0099.477] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml id-Br3n0G72wUb8CejT.LyaS" [0099.477] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsar.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsar.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0099.478] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.478] lstrcpyW (in: lpString1=0x3f28858, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.478] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.478] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.478] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.479] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ipscat.xml") returned -1 [0099.479] lstrlenW (lpString="ipscat.xml") returned 10 [0099.479] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.479] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.479] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="ipscat.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml" [0099.479] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml" [0099.479] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml id-Br3n0G72wUb8CejT.LyaS" [0099.479] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0099.479] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.479] lstrcpyW (in: lpString1=0x3f28858, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.479] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.479] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.479] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.480] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ipschs.xml") returned -1 [0099.480] lstrlenW (lpString="ipschs.xml") returned 10 [0099.480] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.480] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.480] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="ipschs.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml" [0099.480] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml" [0099.480] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml id-Br3n0G72wUb8CejT.LyaS" [0099.480] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0099.480] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.480] lstrcpyW (in: lpString1=0x3f28858, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.480] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.480] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.480] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.480] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ipscht.xml") returned -1 [0099.480] lstrlenW (lpString="ipscht.xml") returned 10 [0099.480] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.481] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.481] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="ipscht.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml" [0099.481] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml" [0099.481] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml id-Br3n0G72wUb8CejT.LyaS" [0099.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0099.481] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.481] lstrcpyW (in: lpString1=0x3f28858, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.481] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.481] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.481] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.481] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ipscsy.xml") returned -1 [0099.481] lstrlenW (lpString="ipscsy.xml") returned 10 [0099.481] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.481] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.481] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="ipscsy.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml" [0099.481] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml" [0099.481] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml id-Br3n0G72wUb8CejT.LyaS" [0099.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0099.482] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.482] lstrcpyW (in: lpString1=0x3f28858, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.482] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.482] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.482] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.482] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ipsdan.xml") returned -1 [0099.482] lstrlenW (lpString="ipsdan.xml") returned 10 [0099.482] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.482] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.482] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="ipsdan.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml" [0099.482] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml" [0099.482] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml id-Br3n0G72wUb8CejT.LyaS" [0099.482] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0099.483] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.483] lstrcpyW (in: lpString1=0x3f28858, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.483] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.483] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.483] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.483] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ipsdeu.xml") returned -1 [0099.483] lstrlenW (lpString="ipsdeu.xml") returned 10 [0099.483] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.483] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.483] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="ipsdeu.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml" [0099.483] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml" [0099.483] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml id-Br3n0G72wUb8CejT.LyaS" [0099.483] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0099.483] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.484] lstrcpyW (in: lpString1=0x3f28858, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.484] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.484] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.484] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.484] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ipsel.xml") returned -1 [0099.484] lstrlenW (lpString="ipsel.xml") returned 9 [0099.484] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.484] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.484] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="ipsel.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml" [0099.484] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml" [0099.484] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml id-Br3n0G72wUb8CejT.LyaS" [0099.484] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsel.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsel.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0099.508] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.508] lstrcpyW (in: lpString1=0x21acb0b8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.508] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.508] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.508] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.508] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ipsen.xml") returned -1 [0099.508] lstrlenW (lpString="ipsen.xml") returned 9 [0099.508] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.508] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.508] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="ipsen.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml" [0099.508] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml" [0099.508] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml id-Br3n0G72wUb8CejT.LyaS" [0099.508] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0099.509] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.509] lstrcpyW (in: lpString1=0x21acb0b8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.509] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.509] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.509] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.509] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ipsesp.xml") returned -1 [0099.509] lstrlenW (lpString="ipsesp.xml") returned 10 [0099.509] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.509] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.509] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="ipsesp.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml" [0099.509] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml" [0099.509] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml id-Br3n0G72wUb8CejT.LyaS" [0099.509] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0099.510] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.510] lstrcpyW (in: lpString1=0x21acb0b8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.510] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.510] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.510] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.510] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="IPSEventLogMsg.dll") returned -1 [0099.510] lstrlenW (lpString="IPSEventLogMsg.dll") returned 18 [0099.511] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.511] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.511] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="IPSEventLogMsg.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IPSEventLogMsg.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IPSEventLogMsg.dll" [0099.511] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IPSEventLogMsg.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IPSEventLogMsg.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IPSEventLogMsg.dll" [0099.511] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IPSEventLogMsg.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IPSEventLogMsg.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IPSEventLogMsg.dll id-Br3n0G72wUb8CejT.LyaS" [0099.511] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IPSEventLogMsg.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipseventlogmsg.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IPSEventLogMsg.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipseventlogmsg.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0099.511] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.511] lstrcpyW (in: lpString1=0x21acb0b8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.511] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.511] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.511] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.511] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ipsfin.xml") returned -1 [0099.511] lstrlenW (lpString="ipsfin.xml") returned 10 [0099.511] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.511] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.512] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="ipsfin.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml" [0099.512] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml" [0099.512] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml id-Br3n0G72wUb8CejT.LyaS" [0099.512] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0099.513] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.513] lstrcpyW (in: lpString1=0x21acb0b8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.513] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.513] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.513] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.513] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ipsfra.xml") returned -1 [0099.513] lstrlenW (lpString="ipsfra.xml") returned 10 [0099.513] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.513] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.513] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="ipsfra.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfra.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfra.xml" [0099.513] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfra.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfra.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfra.xml" [0099.513] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfra.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfra.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfra.xml id-Br3n0G72wUb8CejT.LyaS" [0099.513] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfra.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0099.514] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.514] lstrcpyW (in: lpString1=0x21acb0b8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.514] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.514] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.514] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.514] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ipshe.xml") returned -1 [0099.514] lstrlenW (lpString="ipshe.xml") returned 9 [0099.514] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.514] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.514] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="ipshe.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshe.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshe.xml" [0099.514] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshe.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshe.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshe.xml" [0099.514] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshe.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshe.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshe.xml id-Br3n0G72wUb8CejT.LyaS" [0099.514] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshe.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshe.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshe.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshe.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0099.515] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.515] lstrcpyW (in: lpString1=0x21acb0b8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.515] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.515] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.515] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.515] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ipshi.xml") returned -1 [0099.515] lstrlenW (lpString="ipshi.xml") returned 9 [0099.515] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.515] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.515] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="ipshi.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshi.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshi.xml" [0099.515] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshi.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshi.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshi.xml" [0099.515] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshi.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshi.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshi.xml id-Br3n0G72wUb8CejT.LyaS" [0099.515] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshi.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshi.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshi.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0099.516] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.516] lstrcpyW (in: lpString1=0x21acb0b8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.516] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.516] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.516] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.516] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ipshrv.xml") returned -1 [0099.516] lstrlenW (lpString="ipshrv.xml") returned 10 [0099.516] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.516] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.516] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="ipshrv.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshrv.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshrv.xml" [0099.516] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshrv.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshrv.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshrv.xml" [0099.516] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshrv.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshrv.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshrv.xml id-Br3n0G72wUb8CejT.LyaS" [0099.516] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshrv.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0099.517] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.517] lstrcpyW (in: lpString1=0x21acb0b8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.517] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.517] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.517] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.517] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ipsid.xml") returned -1 [0099.517] lstrlenW (lpString="ipsid.xml") returned 9 [0099.517] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.518] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.518] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="ipsid.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsid.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsid.xml" [0099.518] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsid.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsid.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsid.xml" [0099.518] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsid.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsid.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsid.xml id-Br3n0G72wUb8CejT.LyaS" [0099.518] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsid.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsid.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsid.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsid.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0099.518] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.518] lstrcpyW (in: lpString1=0x21acb0b8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.518] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.518] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.518] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.518] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ipsita.xml") returned -1 [0099.518] lstrlenW (lpString="ipsita.xml") returned 10 [0099.518] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.519] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.519] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="ipsita.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml" [0099.519] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml" [0099.519] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml id-Br3n0G72wUb8CejT.LyaS" [0099.519] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0099.519] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.519] lstrcpyW (in: lpString1=0x21acb0b8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.519] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.519] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.519] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.519] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ipsjpn.xml") returned -1 [0099.519] lstrlenW (lpString="ipsjpn.xml") returned 10 [0099.519] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.519] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.519] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="ipsjpn.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsjpn.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsjpn.xml" [0099.519] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsjpn.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsjpn.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsjpn.xml" [0099.520] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsjpn.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsjpn.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsjpn.xml id-Br3n0G72wUb8CejT.LyaS" [0099.520] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsjpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsjpn.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0099.520] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0099.520] lstrcpyW (in: lpString1=0x21acb0b8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.520] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.520] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0099.520] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0099.520] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ipskor.xml") returned -1 [0099.520] lstrlenW (lpString="ipskor.xml") returned 10 [0099.520] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0099.520] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0099.520] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="ipskor.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipskor.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipskor.xml" [0099.520] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipskor.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipskor.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipskor.xml" [0099.520] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipskor.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipskor.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipskor.xml id-Br3n0G72wUb8CejT.LyaS" [0099.520] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipskor.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0100.685] FindNextFileW (in: hFindFile=0x10804a88, lpFindFileData=0x1889fd28 | out: lpFindFileData=0x1889fd28) returned 1 [0100.690] lstrcpyW (in: lpString1=0x21bd33f0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0100.690] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0100.690] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" [0100.690] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0100.690] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="IpsMigrationPlugin.dll") returned -1 [0100.690] lstrlenW (lpString="IpsMigrationPlugin.dll") returned 22 [0100.690] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0100.690] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned 58 [0100.690] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\", lpString2="IpsMigrationPlugin.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IpsMigrationPlugin.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IpsMigrationPlugin.dll" [0100.690] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IpsMigrationPlugin.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IpsMigrationPlugin.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IpsMigrationPlugin.dll" [0100.690] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IpsMigrationPlugin.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IpsMigrationPlugin.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IpsMigrationPlugin.dll id-Br3n0G72wUb8CejT.LyaS" [0100.690] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IpsMigrationPlugin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsmigrationplugin.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\IpsMigrationPlugin.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsmigrationplugin.dll id-br3n0g72wub8cejt.lyas")) Thread: id = 328 os_tid = 0x9c4 [0091.954] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\*.*", lpFindFileData=0x189dfd28 | out: lpFindFileData=0x189dfd28) returned 0x2c9e808 [0093.282] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.282] FindNextFileW (in: hFindFile=0x2c9e808, lpFindFileData=0x189dfd28 | out: lpFindFileData=0x189dfd28) returned 1 [0093.282] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.282] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.282] FindNextFileW (in: hFindFile=0x2c9e808, lpFindFileData=0x189dfd28 | out: lpFindFileData=0x189dfd28) returned 1 [0093.282] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0093.282] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0093.282] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0094.106] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\*.*" [0094.106] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\*.*") returned 61 [0094.106] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US" [0094.106] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\*.*" [0094.106] GlobalMemoryStatus (in: lpBuffer=0x189dfd08 | out: lpBuffer=0x189dfd08) [0094.107] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5ded18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x598 [0094.107] CloseHandle (hObject=0x598) returned 1 [0094.108] FindNextFileW (in: hFindFile=0x2c9e808, lpFindFileData=0x189dfd28 | out: lpFindFileData=0x189dfd28) returned 1 [0094.108] lstrcpyW (in: lpString1=0x8b18c20, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\*.*" [0094.108] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\*.*") returned 61 [0094.108] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\How To Restore Files.hta" [0094.108] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\how to restore files.hta")) returned 0xffffffff [0094.108] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b4 [0094.606] WriteFile (in: hFile=0x4b4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x189dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x189dfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.607] CloseHandle (hObject=0x4b4) returned 1 [0094.608] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.894] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msinfo32.exe") returned -1 [0094.894] lstrlenW (lpString="msinfo32.exe") returned 12 [0094.894] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\*.*" [0094.894] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\*.*") returned 61 [0094.895] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\", lpString2="msinfo32.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe" [0094.895] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe" [0094.895] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe id-Br3n0G72wUb8CejT.LyaS" [0094.895] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0096.348] FindNextFileW (in: hFindFile=0x2c9e808, lpFindFileData=0x189dfd28 | out: lpFindFileData=0x189dfd28) returned 0 [0096.349] FindClose (in: hFindFile=0x2c9e808 | out: hFindFile=0x2c9e808) returned 1 Thread: id = 329 os_tid = 0x9c8 [0091.955] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\*.*", lpFindFileData=0x18b1fd28 | out: lpFindFileData=0x18b1fd28) returned 0x2c9e348 [0093.386] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.386] FindNextFileW (in: hFindFile=0x2c9e348, lpFindFileData=0x18b1fd28 | out: lpFindFileData=0x18b1fd28) returned 1 [0093.386] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.386] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.386] FindNextFileW (in: hFindFile=0x2c9e348, lpFindFileData=0x18b1fd28 | out: lpFindFileData=0x18b1fd28) returned 1 [0093.844] lstrcpyW (in: lpString1=0x10e3e120, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\*.*" [0093.844] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\*.*") returned 63 [0093.844] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\How To Restore Files.hta" [0093.844] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\how to restore files.hta")) returned 0xffffffff [0093.844] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b4 [0094.595] WriteFile (in: hFile=0x4b4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x18b1fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x18b1fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.596] CloseHandle (hObject=0x4b4) returned 1 [0094.597] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.912] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="LICLUA.EXE") returned -1 [0094.912] lstrlenW (lpString="LICLUA.EXE") returned 10 [0094.912] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\*.*" [0094.912] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\*.*") returned 63 [0094.912] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\", lpString2="LICLUA.EXE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE" [0094.913] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE" [0094.913] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE id-Br3n0G72wUb8CejT.LyaS" [0094.913] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\liclua.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\liclua.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0101.016] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\liclua.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 330 os_tid = 0x9d0 [0091.955] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform\\*.*", lpFindFileData=0x18c5fd28 | out: lpFindFileData=0x18c5fd28) returned 0x2c9eb48 [0093.423] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.423] FindNextFileW (in: hFindFile=0x2c9eb48, lpFindFileData=0x18c5fd28 | out: lpFindFileData=0x18c5fd28) returned 1 [0093.653] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.653] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.653] FindNextFileW (in: hFindFile=0x2c9eb48, lpFindFileData=0x18c5fd28 | out: lpFindFileData=0x18c5fd28) returned 0 [0093.653] FindClose (in: hFindFile=0x2c9eb48 | out: hFindFile=0x2c9eb48) returned 1 Thread: id = 331 os_tid = 0xb0c [0091.956] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\*.*", lpFindFileData=0x18d9fd28 | out: lpFindFileData=0x18d9fd28) returned 0x2c9e608 [0093.386] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.386] FindNextFileW (in: hFindFile=0x2c9e608, lpFindFileData=0x18d9fd28 | out: lpFindFileData=0x18d9fd28) returned 1 [0093.386] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.386] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.387] FindNextFileW (in: hFindFile=0x2c9e608, lpFindFileData=0x18d9fd28 | out: lpFindFileData=0x18d9fd28) returned 1 [0093.842] lstrcpyW (in: lpString1=0x21170910, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\*.*" [0093.842] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\*.*") returned 68 [0093.842] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\How To Restore Files.hta" [0093.842] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\how to restore files.hta")) returned 0xffffffff [0093.842] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0094.914] WriteFile (in: hFile=0x320, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x18d9fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x18d9fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.915] CloseHandle (hObject=0x320) returned 1 [0094.915] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0101.014] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="OSE.EXE") returned -1 [0101.014] lstrlenW (lpString="OSE.EXE") returned 7 [0101.014] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\*.*" [0101.014] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\*.*") returned 68 [0101.014] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\", lpString2="OSE.EXE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE" [0101.014] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE" [0101.014] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE id-Br3n0G72wUb8CejT.LyaS" [0101.014] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0101.535] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0101.535] CreateFileMappingA (hFile=0x32c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4b4 [0101.536] CryptAcquireContextA (in: phProv=0x18d9fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18d9fce4*=0x1083cc18) returned 1 [0101.536] CryptGenKey (in: hProv=0x1083cc18, Algid=0x6610, dwFlags=0x1, phKey=0x18d9fce0 | out: phKey=0x18d9fce0*=0x210bc7d8) returned 1 [0101.536] CryptExportKey (in: hKey=0x210bc7d8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x18d9fbdc, pdwDataLen=0x18d9fcdc | out: pbData=0x18d9fbdc*, pdwDataLen=0x18d9fcdc*=0x2c) returned 1 [0101.536] MapViewOfFile (hFileMappingObject=0x4b4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3f460) Thread: id = 332 os_tid = 0xb34 [0091.956] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*", lpFindFileData=0x18edfd28 | out: lpFindFileData=0x18edfd28) returned 0x2c9e908 [0094.287] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.287] FindNextFileW (in: hFindFile=0x2c9e908, lpFindFileData=0x18edfd28 | out: lpFindFileData=0x18edfd28) returned 1 [0094.801] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0094.801] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.801] FindNextFileW (in: hFindFile=0x2c9e908, lpFindFileData=0x18edfd28 | out: lpFindFileData=0x18edfd28) returned 1 [0094.875] lstrcpyW (in: lpString1=0x3e3f388, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" [0094.875] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned 65 [0094.875] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\How To Restore Files.hta" [0094.875] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\how to restore files.hta")) returned 0xffffffff [0094.875] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0098.247] WriteFile (in: hFile=0x4c4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x18edfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x18edfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0101.005] CloseHandle (hObject=0x4c4) returned 1 [0101.005] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0101.258] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Bears.htm") returned 1 [0101.258] lstrlenW (lpString="Bears.htm") returned 9 [0101.258] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" [0101.258] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned 65 [0101.259] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\", lpString2="Bears.htm" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.htm") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.htm" [0101.259] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.htm" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.htm") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.htm" [0101.259] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.htm", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.htm id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.htm id-Br3n0G72wUb8CejT.LyaS" [0101.259] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.htm id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm id-br3n0g72wub8cejt.lyas")) returned 0 [0101.259] FindNextFileW (in: hFindFile=0x2c9e908, lpFindFileData=0x18edfd28 | out: lpFindFileData=0x18edfd28) returned 1 [0101.259] lstrcpyW (in: lpString1=0x3e3f388, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" [0101.259] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned 65 [0101.259] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\How To Restore Files.hta" [0101.260] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\how to restore files.hta")) returned 0x1 [0101.260] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Bears.jpg") returned 1 [0101.260] lstrlenW (lpString="Bears.jpg") returned 9 [0101.260] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" [0101.260] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned 65 [0101.260] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\", lpString2="Bears.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.jpg" [0101.260] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.jpg" [0101.260] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.jpg", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.jpg id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.jpg id-Br3n0G72wUb8CejT.LyaS" [0101.260] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Bears.jpg id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg id-br3n0g72wub8cejt.lyas")) returned 0 [0101.261] FindNextFileW (in: hFindFile=0x2c9e908, lpFindFileData=0x18edfd28 | out: lpFindFileData=0x18edfd28) returned 1 [0101.261] lstrcpyW (in: lpString1=0x3e3f388, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" [0101.261] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned 65 [0101.261] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\How To Restore Files.hta" [0101.261] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\how to restore files.hta")) returned 0x1 [0101.261] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Blue_Gradient.jpg") returned 1 [0101.261] lstrlenW (lpString="Blue_Gradient.jpg") returned 17 [0101.261] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" [0101.261] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned 65 [0101.261] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\", lpString2="Blue_Gradient.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Blue_Gradient.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Blue_Gradient.jpg" [0101.261] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Blue_Gradient.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Blue_Gradient.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Blue_Gradient.jpg" [0101.262] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Blue_Gradient.jpg", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Blue_Gradient.jpg id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Blue_Gradient.jpg id-Br3n0G72wUb8CejT.LyaS" [0101.262] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Blue_Gradient.jpg id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg id-br3n0g72wub8cejt.lyas")) returned 0 [0101.262] FindNextFileW (in: hFindFile=0x2c9e908, lpFindFileData=0x18edfd28 | out: lpFindFileData=0x18edfd28) returned 1 [0101.262] lstrcpyW (in: lpString1=0x3e3f388, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" [0101.262] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned 65 [0101.262] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\How To Restore Files.hta" [0101.263] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\how to restore files.hta")) returned 0x1 [0101.263] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Cave_Drawings.gif") returned 1 [0101.263] lstrlenW (lpString="Cave_Drawings.gif") returned 17 [0101.263] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" [0101.263] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned 65 [0101.263] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\", lpString2="Cave_Drawings.gif" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Cave_Drawings.gif") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Cave_Drawings.gif" [0101.263] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Cave_Drawings.gif" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Cave_Drawings.gif") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Cave_Drawings.gif" [0101.263] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Cave_Drawings.gif", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Cave_Drawings.gif id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Cave_Drawings.gif id-Br3n0G72wUb8CejT.LyaS" [0101.264] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Cave_Drawings.gif id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif id-br3n0g72wub8cejt.lyas")) returned 0 [0101.264] FindNextFileW (in: hFindFile=0x2c9e908, lpFindFileData=0x18edfd28 | out: lpFindFileData=0x18edfd28) returned 1 [0101.264] lstrcpyW (in: lpString1=0x3e3f388, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" [0101.264] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned 65 [0101.264] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\How To Restore Files.hta" [0101.264] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\how to restore files.hta")) returned 0x1 [0101.264] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Connectivity.gif") returned 1 [0101.265] lstrlenW (lpString="Connectivity.gif") returned 16 [0101.265] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" [0101.265] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned 65 [0101.265] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\", lpString2="Connectivity.gif" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Connectivity.gif") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Connectivity.gif" [0101.265] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Connectivity.gif" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Connectivity.gif") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Connectivity.gif" [0101.265] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Connectivity.gif", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Connectivity.gif id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Connectivity.gif id-Br3n0G72wUb8CejT.LyaS" [0101.265] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Connectivity.gif id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif id-br3n0g72wub8cejt.lyas")) returned 0 [0101.265] FindNextFileW (in: hFindFile=0x2c9e908, lpFindFileData=0x18edfd28 | out: lpFindFileData=0x18edfd28) returned 1 [0101.265] lstrcpyW (in: lpString1=0x3e3f388, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" [0101.266] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned 65 [0101.266] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\How To Restore Files.hta" [0101.266] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\how to restore files.hta")) returned 0x1 [0101.266] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Desktop.ini") returned 1 [0101.266] lstrlenW (lpString="Desktop.ini") returned 11 [0101.266] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*" [0101.266] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\*.*") returned 65 [0101.266] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\", lpString2="Desktop.ini" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini" [0101.266] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini" [0101.266] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini id-Br3n0G72wUb8CejT.LyaS" [0101.266] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini id-br3n0g72wub8cejt.lyas")) returned 1 [0101.268] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x670 [0101.269] CreateFileMappingA (hFile=0x670, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0101.269] CryptAcquireContextA (in: phProv=0x18edfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18edfce4*=0x1083d8d8) returned 1 [0101.269] CryptGenKey (in: hProv=0x1083d8d8, Algid=0x6610, dwFlags=0x1, phKey=0x18edfce0 | out: phKey=0x18edfce0*=0x2c9ea08) returned 1 [0101.269] CryptExportKey (in: hKey=0x2c9ea08, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x18edfbdc, pdwDataLen=0x18edfcdc | out: pbData=0x18edfbdc*, pdwDataLen=0x18edfcdc*=0x2c) returned 1 [0101.269] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x280) Thread: id = 333 os_tid = 0xb1c [0091.956] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\TextConv\\*.*", lpFindFileData=0x1901fd28 | out: lpFindFileData=0x1901fd28) returned 0x2c9ea48 [0093.383] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.383] FindNextFileW (in: hFindFile=0x2c9ea48, lpFindFileData=0x1901fd28 | out: lpFindFileData=0x1901fd28) returned 1 [0093.383] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.383] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.383] FindNextFileW (in: hFindFile=0x2c9ea48, lpFindFileData=0x1901fd28 | out: lpFindFileData=0x1901fd28) returned 1 [0093.383] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0093.383] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0093.383] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0093.861] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\TextConv\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\TextConv\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\TextConv\\*.*" [0093.861] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\TextConv\\*.*") returned 63 [0093.861] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\TextConv\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\TextConv\\en-US") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\TextConv\\en-US" [0093.861] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\TextConv\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\TextConv\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\TextConv\\en-US\\*.*" [0093.861] GlobalMemoryStatus (in: lpBuffer=0x1901fd08 | out: lpBuffer=0x1901fd08) [0093.861] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2c78250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5c8 [0093.862] CloseHandle (hObject=0x5c8) returned 1 [0093.862] FindNextFileW (in: hFindFile=0x2c9ea48, lpFindFileData=0x1901fd28 | out: lpFindFileData=0x1901fd28) returned 0 [0093.862] FindClose (in: hFindFile=0x2c9ea48 | out: hFindFile=0x2c9ea48) returned 1 Thread: id = 334 os_tid = 0x9b0 [0091.956] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Triedit\\*.*", lpFindFileData=0x1915fd28 | out: lpFindFileData=0x1915fd28) returned 0x2c9ea88 [0093.383] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.383] FindNextFileW (in: hFindFile=0x2c9ea88, lpFindFileData=0x1915fd28 | out: lpFindFileData=0x1915fd28) returned 1 [0093.383] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.383] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.384] FindNextFileW (in: hFindFile=0x2c9ea88, lpFindFileData=0x1915fd28 | out: lpFindFileData=0x1915fd28) returned 1 [0093.384] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0093.384] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0093.384] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0093.860] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Triedit\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Triedit\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Triedit\\*.*" [0093.860] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Triedit\\*.*") returned 62 [0093.860] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Triedit\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Triedit\\en-US") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Triedit\\en-US" [0093.860] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Triedit\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Triedit\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\Triedit\\en-US\\*.*" [0093.860] GlobalMemoryStatus (in: lpBuffer=0x1915fd08 | out: lpBuffer=0x1915fd08) [0093.860] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21198988, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x600 [0093.861] CloseHandle (hObject=0x600) returned 1 [0093.861] FindNextFileW (in: hFindFile=0x2c9ea88, lpFindFileData=0x1915fd28 | out: lpFindFileData=0x1915fd28) returned 0 [0093.861] FindClose (in: hFindFile=0x2c9ea88 | out: hFindFile=0x2c9ea88) returned 1 Thread: id = 335 os_tid = 0x990 [0091.957] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\*.*", lpFindFileData=0x1929fd28 | out: lpFindFileData=0x1929fd28) returned 0x2c9e388 [0093.386] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.386] FindNextFileW (in: hFindFile=0x2c9e388, lpFindFileData=0x1929fd28 | out: lpFindFileData=0x1929fd28) returned 1 [0093.386] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.386] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.386] FindNextFileW (in: hFindFile=0x2c9e388, lpFindFileData=0x1929fd28 | out: lpFindFileData=0x1929fd28) returned 1 [0093.843] lstrcpyW (in: lpString1=0x10e36118, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\*.*" [0093.843] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\*.*") returned 57 [0093.843] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\How To Restore Files.hta" [0093.843] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\how to restore files.hta")) returned 0xffffffff [0093.843] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b4 [0094.592] WriteFile (in: hFile=0x4b4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1929fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1929fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.593] CloseHandle (hObject=0x4b4) returned 1 [0094.594] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.913] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msdia100.dll") returned -1 [0094.913] lstrlenW (lpString="msdia100.dll") returned 12 [0094.913] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\*.*" [0094.913] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\*.*") returned 57 [0094.913] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\", lpString2="msdia100.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll" [0094.913] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll" [0094.913] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll id-Br3n0G72wUb8CejT.LyaS" [0094.913] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll id-br3n0g72wub8cejt.lyas")) returned 1 [0096.680] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5c0 [0096.681] CreateFileMappingA (hFile=0x5c0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3ec [0096.681] CryptAcquireContextA (in: phProv=0x1929fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1929fce4*=0x1083d9e8) returned 1 [0096.682] CryptGenKey (in: hProv=0x1083d9e8, Algid=0x6610, dwFlags=0x1, phKey=0x1929fce0 | out: phKey=0x1929fce0*=0x5c90d0) returned 1 [0096.682] CryptExportKey (in: hKey=0x5c90d0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1929fbdc, pdwDataLen=0x1929fcdc | out: pbData=0x1929fbdc*, pdwDataLen=0x1929fcdc*=0x2c) returned 1 [0096.682] MapViewOfFile (hFileMappingObject=0x3ec, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf1b40) returned 0x295b0000 [0099.081] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1929fbdc*, pdwDataLen=0x1929fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1929fbdc*, pdwDataLen=0x1929fcf0*=0x100) returned 1 [0099.081] CryptEncrypt (hKey=0x5c90d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x295b0000, pdwDataLen=0x1929fcdc*=0xf1b40, dwBufLen=0xf1b40) Thread: id = 336 os_tid = 0xb94 [0091.962] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\*.*", lpFindFileData=0x193dfd28 | out: lpFindFileData=0x193dfd28) returned 0x2c9e308 [0093.385] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.385] FindNextFileW (in: hFindFile=0x2c9e308, lpFindFileData=0x193dfd28 | out: lpFindFileData=0x193dfd28) returned 1 [0093.385] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.385] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.385] FindNextFileW (in: hFindFile=0x2c9e308, lpFindFileData=0x193dfd28 | out: lpFindFileData=0x193dfd28) returned 1 [0093.844] lstrcpyW (in: lpString1=0x10e46128, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\*.*" [0093.844] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\*.*") returned 58 [0093.844] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\How To Restore Files.hta" [0093.844] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\how to restore files.hta")) returned 0xffffffff [0093.844] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b4 [0094.597] WriteFile (in: hFile=0x4b4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x193dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x193dfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.598] CloseHandle (hObject=0x4b4) returned 1 [0094.598] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.911] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="VGX.dll") returned -1 [0094.911] lstrlenW (lpString="VGX.dll") returned 7 [0094.912] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\*.*" [0094.912] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\*.*") returned 58 [0094.912] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\", lpString2="VGX.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll" [0094.912] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll" [0094.912] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll id-Br3n0G72wUb8CejT.LyaS" [0094.912] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\vgx.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\vgx.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0095.080] FindNextFileW (in: hFindFile=0x2c9e308, lpFindFileData=0x193dfd28 | out: lpFindFileData=0x193dfd28) returned 0 [0095.080] FindClose (in: hFindFile=0x2c9e308 | out: hFindFile=0x2c9e308) returned 1 Thread: id = 337 os_tid = 0x99c [0091.963] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*.*", lpFindFileData=0x1951fd28 | out: lpFindFileData=0x1951fd28) returned 0x2c9eac8 [0093.385] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.385] FindNextFileW (in: hFindFile=0x2c9eac8, lpFindFileData=0x1951fd28 | out: lpFindFileData=0x1951fd28) returned 1 [0093.385] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.385] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.385] FindNextFileW (in: hFindFile=0x2c9eac8, lpFindFileData=0x1951fd28 | out: lpFindFileData=0x1951fd28) returned 1 [0093.385] lstrcmpW (lpString1=".", lpString2="10.0") returned -1 [0093.385] lstrcmpW (lpString1="..", lpString2="10.0") returned -1 [0093.385] lstrcmpiW (lpString1="windows", lpString2="10.0") returned 1 [0093.849] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*.*" [0093.849] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*.*") returned 59 [0093.849] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\", lpString2="10.0" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0" [0093.849] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\*.*" [0093.850] GlobalMemoryStatus (in: lpBuffer=0x1951fd08 | out: lpBuffer=0x1951fd08) [0093.850] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21178918, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x600 [0093.850] CloseHandle (hObject=0x600) returned 1 [0093.851] FindNextFileW (in: hFindFile=0x2c9eac8, lpFindFileData=0x1951fd28 | out: lpFindFileData=0x1951fd28) returned 1 [0093.855] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*.*" [0093.855] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*.*") returned 59 [0093.856] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\How To Restore Files.hta" [0093.856] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\how to restore files.hta")) returned 0xffffffff [0093.856] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x584 [0096.273] WriteFile (in: hFile=0x584, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1951fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1951fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0096.274] CloseHandle (hObject=0x584) returned 1 [0096.274] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0100.755] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="vstoee.dll") returned -1 [0100.755] lstrlenW (lpString="vstoee.dll") returned 10 [0100.755] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*.*" [0100.755] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*.*") returned 59 [0100.755] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\", lpString2="vstoee.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll" [0100.755] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll" [0100.755] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll id-Br3n0G72wUb8CejT.LyaS" [0100.755] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll id-br3n0g72wub8cejt.lyas")) returned 1 [0100.997] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 338 os_tid = 0xb98 [0091.966] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*", lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 0x5c9450 [0094.293] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.293] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0094.293] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0094.293] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.293] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0094.293] lstrcpyW (in: lpString1=0x3e37380, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0094.293] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0094.293] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" [0094.293] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\ado\\how to restore files.hta")) returned 0xffffffff [0094.294] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\ado\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4ec [0094.590] WriteFile (in: hFile=0x4ec, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x6c8fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x6c8fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.591] CloseHandle (hObject=0x4ec) returned 1 [0094.591] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.917] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="adojavas.inc") returned 1 [0094.920] lstrlenW (lpString="adojavas.inc") returned 12 [0094.920] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0094.920] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0094.920] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="adojavas.inc" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" [0094.920] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" [0094.920] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc id-Br3n0G72wUb8CejT.LyaS" [0094.920] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc id-br3n0g72wub8cejt.lyas")) returned 0 [0096.348] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0097.222] lstrcpyW (in: lpString1=0x3e2f378, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0097.222] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0097.222] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" [0097.222] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0097.223] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="adovbs.inc") returned 1 [0097.223] lstrlenW (lpString="adovbs.inc") returned 10 [0097.223] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0097.223] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0097.223] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="adovbs.inc" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" [0097.223] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" [0097.223] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc id-Br3n0G72wUb8CejT.LyaS" [0097.223] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc id-br3n0g72wub8cejt.lyas")) returned 0 [0097.223] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0097.223] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0097.223] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0097.223] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0097.224] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0097.224] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0097.224] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US" [0097.224] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\*.*" [0097.224] GlobalMemoryStatus (in: lpBuffer=0x6c8fd08 | out: lpBuffer=0x6c8fd08) [0097.224] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x108d0a48, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0097.225] CloseHandle (hObject=0x430) returned 1 [0097.225] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0097.225] lstrcpyW (in: lpString1=0x3e2f378, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0097.225] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0097.225] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" [0097.225] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0097.225] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msader15.dll") returned -1 [0097.225] lstrlenW (lpString="msader15.dll") returned 12 [0097.225] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0097.225] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0097.225] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msader15.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" [0097.225] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" [0097.225] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll id-Br3n0G72wUb8CejT.LyaS" [0097.225] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0097.226] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0097.226] lstrcpyW (in: lpString1=0x3e2f378, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0097.226] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0097.226] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" [0097.226] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0097.226] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msado15.dll") returned -1 [0097.226] lstrlenW (lpString="msado15.dll") returned 11 [0097.226] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0097.226] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0097.226] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msado15.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" [0097.226] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" [0097.226] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll id-Br3n0G72wUb8CejT.LyaS" [0097.226] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0097.227] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0097.227] lstrcpyW (in: lpString1=0x3e2f378, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0097.227] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0097.227] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" [0097.227] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0097.227] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msado20.tlb") returned -1 [0097.227] lstrlenW (lpString="msado20.tlb") returned 11 [0097.227] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0097.227] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0097.227] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msado20.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" [0097.227] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" [0097.227] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb id-Br3n0G72wUb8CejT.LyaS" [0097.227] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb id-br3n0g72wub8cejt.lyas")) returned 0 [0098.112] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0098.112] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0098.112] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0098.112] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" [0098.112] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0098.112] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msado21.tlb") returned -1 [0098.112] lstrlenW (lpString="msado21.tlb") returned 11 [0098.112] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0098.112] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0098.112] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msado21.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb" [0098.112] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb" [0098.112] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb id-Br3n0G72wUb8CejT.LyaS" [0098.112] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado21.tlb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\system\\ado\\msado21.tlb id-br3n0g72wub8cejt.lyas")) returned 0 [0098.215] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0098.215] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0098.215] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0098.215] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" [0098.215] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0098.215] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msado25.tlb") returned -1 [0098.215] lstrlenW (lpString="msado25.tlb") returned 11 [0098.215] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0098.215] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0098.215] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msado25.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb" [0098.215] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb" [0098.215] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb id-Br3n0G72wUb8CejT.LyaS" [0098.216] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado25.tlb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\system\\ado\\msado25.tlb id-br3n0g72wub8cejt.lyas")) returned 0 [0098.216] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0098.216] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0098.216] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0098.216] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" [0098.216] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0098.216] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msado26.tlb") returned -1 [0098.216] lstrlenW (lpString="msado26.tlb") returned 11 [0098.217] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0098.217] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0098.217] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msado26.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb" [0098.217] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb" [0098.217] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb id-Br3n0G72wUb8CejT.LyaS" [0098.217] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado26.tlb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\system\\ado\\msado26.tlb id-br3n0g72wub8cejt.lyas")) returned 0 [0098.217] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0098.217] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0098.217] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0098.217] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" [0098.218] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0098.218] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msado27.tlb") returned -1 [0098.218] lstrlenW (lpString="msado27.tlb") returned 11 [0098.218] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0098.218] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0098.218] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msado27.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb" [0098.218] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb" [0098.218] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb id-Br3n0G72wUb8CejT.LyaS" [0098.218] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado27.tlb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\system\\ado\\msado27.tlb id-br3n0g72wub8cejt.lyas")) returned 0 [0098.218] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0098.218] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0098.218] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0098.218] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" [0098.218] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0098.219] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msado28.tlb") returned -1 [0098.219] lstrlenW (lpString="msado28.tlb") returned 11 [0098.219] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0098.219] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0098.219] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msado28.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb" [0098.219] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb" [0098.219] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb id-Br3n0G72wUb8CejT.LyaS" [0098.219] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado28.tlb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\system\\ado\\msado28.tlb id-br3n0g72wub8cejt.lyas")) returned 0 [0098.219] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0098.219] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0098.219] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0098.219] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" [0098.219] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0098.219] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msado60.tlb") returned -1 [0098.219] lstrlenW (lpString="msado60.tlb") returned 11 [0098.219] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0098.219] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0098.220] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msado60.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado60.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado60.tlb" [0098.220] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado60.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado60.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado60.tlb" [0098.220] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado60.tlb", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado60.tlb id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado60.tlb id-Br3n0G72wUb8CejT.LyaS" [0098.220] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado60.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado60.tlb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado60.tlb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\system\\ado\\msado60.tlb id-br3n0g72wub8cejt.lyas")) returned 0 [0098.238] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0098.238] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0098.238] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0098.238] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" [0098.238] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0098.238] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msadomd.dll") returned -1 [0098.238] lstrlenW (lpString="msadomd.dll") returned 11 [0098.239] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0098.239] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0098.239] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msadomd.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll" [0098.239] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll" [0098.239] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll id-Br3n0G72wUb8CejT.LyaS" [0098.239] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0099.209] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0099.256] lstrcpyW (in: lpString1=0x5b28730, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0099.256] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0099.256] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" [0099.256] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0099.257] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msadomd28.tlb") returned -1 [0099.257] lstrlenW (lpString="msadomd28.tlb") returned 13 [0099.257] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0099.257] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0099.257] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msadomd28.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb" [0099.257] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb" [0099.257] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb id-Br3n0G72wUb8CejT.LyaS" [0099.257] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd28.tlb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd28.tlb id-br3n0g72wub8cejt.lyas")) returned 0 [0099.257] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0099.257] lstrcpyW (in: lpString1=0x5b28730, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0099.257] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0099.257] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" [0099.257] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0099.257] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msador15.dll") returned -1 [0099.257] lstrlenW (lpString="msador15.dll") returned 12 [0099.258] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0099.258] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0099.258] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msador15.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll" [0099.258] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll" [0099.258] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll id-Br3n0G72wUb8CejT.LyaS" [0099.258] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msador15.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\system\\ado\\msador15.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0099.258] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0099.258] lstrcpyW (in: lpString1=0x5b28730, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0099.258] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0099.258] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" [0099.258] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0099.258] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msador28.tlb") returned -1 [0099.258] lstrlenW (lpString="msador28.tlb") returned 12 [0099.259] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0099.259] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0099.259] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msador28.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador28.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador28.tlb" [0099.259] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador28.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador28.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador28.tlb" [0099.259] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador28.tlb", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador28.tlb id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador28.tlb id-Br3n0G72wUb8CejT.LyaS" [0099.259] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msador28.tlb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador28.tlb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\system\\ado\\msador28.tlb id-br3n0g72wub8cejt.lyas")) returned 0 [0099.259] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0099.259] lstrcpyW (in: lpString1=0x5b28730, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0099.259] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0099.259] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" [0099.260] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0099.260] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msadox.dll") returned -1 [0099.260] lstrlenW (lpString="msadox.dll") returned 10 [0099.260] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0099.260] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0099.260] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msadox.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll" [0099.260] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll" [0099.260] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll id-Br3n0G72wUb8CejT.LyaS" [0099.260] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msadox.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\system\\ado\\msadox.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0099.260] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0099.260] lstrcpyW (in: lpString1=0x5b28730, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0099.260] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0099.260] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" [0099.260] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0099.261] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msadox28.tlb") returned -1 [0099.261] lstrlenW (lpString="msadox28.tlb") returned 12 [0099.261] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0099.261] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0099.261] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msadox28.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb" [0099.261] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb" [0099.261] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb id-Br3n0G72wUb8CejT.LyaS" [0099.261] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msadox28.tlb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\system\\ado\\msadox28.tlb id-br3n0g72wub8cejt.lyas")) returned 0 [0099.261] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 1 [0099.261] lstrcpyW (in: lpString1=0x5b28730, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0099.261] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0099.261] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" [0099.261] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0099.261] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msadrh15.dll") returned -1 [0099.261] lstrlenW (lpString="msadrh15.dll") returned 12 [0099.262] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0099.262] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0099.262] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msadrh15.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll" [0099.262] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll" [0099.262] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll id-Br3n0G72wUb8CejT.LyaS" [0099.262] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msadrh15.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\common files\\system\\ado\\msadrh15.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0099.263] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x6c8fd28 | out: lpFindFileData=0x6c8fd28) returned 0 [0099.263] FindClose (in: hFindFile=0x5c9450 | out: hFindFile=0x5c9450) returned 1 Thread: id = 339 os_tid = 0xb9c [0091.966] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\*.*", lpFindFileData=0x1965fd28 | out: lpFindFileData=0x1965fd28) returned 0x2c9e848 [0093.288] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.288] FindNextFileW (in: hFindFile=0x2c9e848, lpFindFileData=0x1965fd28 | out: lpFindFileData=0x1965fd28) returned 1 [0093.288] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.288] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.288] FindNextFileW (in: hFindFile=0x2c9e848, lpFindFileData=0x1965fd28 | out: lpFindFileData=0x1965fd28) returned 1 [0094.101] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\*.*" [0094.101] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\*.*") returned 58 [0094.101] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\How To Restore Files.hta" [0094.101] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\adobe\\acrobat reader dc\\esl\\how to restore files.hta")) returned 0xffffffff [0094.101] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\adobe\\acrobat reader dc\\esl\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b4 [0094.601] WriteFile (in: hFile=0x4b4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1965fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1965fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.605] CloseHandle (hObject=0x4b4) returned 1 [0094.605] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.909] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AiodLite.dll") returned 1 [0094.909] lstrlenW (lpString="AiodLite.dll") returned 12 [0094.909] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\*.*" [0094.909] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\*.*") returned 58 [0094.909] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\", lpString2="AiodLite.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\AiodLite.dll") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\AiodLite.dll" [0094.909] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\AiodLite.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\AiodLite.dll") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\AiodLite.dll" [0094.909] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\AiodLite.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\AiodLite.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\AiodLite.dll id-Br3n0G72wUb8CejT.LyaS" [0094.909] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\AiodLite.dll" (normalized: "c:\\program files (x86)\\adobe\\acrobat reader dc\\esl\\aiodlite.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\AiodLite.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\adobe\\acrobat reader dc\\esl\\aiodlite.dll id-br3n0g72wub8cejt.lyas")) returned 1 [0096.709] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\AiodLite.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\adobe\\acrobat reader dc\\esl\\aiodlite.dll id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x508 [0096.709] CreateFileMappingA (hFile=0x508, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3d4 [0096.710] CryptAcquireContextA (in: phProv=0x1965fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1965fce4*=0x1083da70) returned 1 [0096.710] CryptGenKey (in: hProv=0x1083da70, Algid=0x6610, dwFlags=0x1, phKey=0x1965fce0 | out: phKey=0x1965fce0*=0x5c9190) returned 1 [0096.710] CryptExportKey (in: hKey=0x5c9190, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1965fbdc, pdwDataLen=0x1965fcdc | out: pbData=0x1965fbdc*, pdwDataLen=0x1965fcdc*=0x2c) returned 1 [0096.710] MapViewOfFile (hFileMappingObject=0x3d4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4f1e0) returned 0x1de60000 [0096.941] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1965fbdc*, pdwDataLen=0x1965fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1965fbdc*, pdwDataLen=0x1965fcf0*=0x100) returned 1 [0096.941] CryptEncrypt (hKey=0x5c9190, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x1de60000, pdwDataLen=0x1965fcdc*=0x4f1e0, dwBufLen=0x4f1e0) Thread: id = 340 os_tid = 0xbb0 [0091.967] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\*.*", lpFindFileData=0x1979fd28 | out: lpFindFileData=0x1979fd28) returned 0x10805108 [0091.967] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.967] FindNextFileW (in: hFindFile=0x10805108, lpFindFileData=0x1979fd28 | out: lpFindFileData=0x1979fd28) returned 1 [0091.998] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.998] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.998] FindNextFileW (in: hFindFile=0x10805108, lpFindFileData=0x1979fd28 | out: lpFindFileData=0x1979fd28) returned 1 [0091.998] lstrcpyW (in: lpString1=0x8b40c98, lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\*.*" [0091.998] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\*.*") returned 61 [0091.998] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\How To Restore Files.hta" [0091.998] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\adobe\\acrobat reader dc\\reader\\how to restore files.hta")) returned 0xffffffff [0091.998] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\adobe\\acrobat reader dc\\reader\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x584 [0096.217] WriteFile (in: hFile=0x584, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1979fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1979fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0096.218] CloseHandle (hObject=0x584) returned 1 [0096.218] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0100.753] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf") returned 1 [0100.753] lstrlenW (lpString="1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf") returned 45 [0100.753] lstrcmpiW (lpString1=".LyaS", lpString2="0.pdf") returned -1 [0100.753] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\*.*" [0100.753] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\*.*") returned 61 [0100.753] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\", lpString2="1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf" [0100.753] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf" [0100.753] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf id-Br3n0G72wUb8CejT.LyaS" [0100.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf" (normalized: "c:\\program files (x86)\\adobe\\acrobat reader dc\\reader\\1494870c-9912-c184-4cc9-b401-a53f4d8de290.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\adobe\\acrobat reader dc\\reader\\1494870c-9912-c184-4cc9-b401-a53f4d8de290.pdf id-br3n0g72wub8cejt.lyas")) returned 1 [0100.997] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\adobe\\acrobat reader dc\\reader\\1494870c-9912-c184-4cc9-b401-a53f4d8de290.pdf id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b8 [0101.157] CreateFileMappingA (hFile=0x4b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x468 [0101.157] CryptAcquireContextA (in: phProv=0x1979fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1979fce4*=0x1083d7c8) returned 1 [0101.158] CryptGenKey (in: hProv=0x1083d7c8, Algid=0x6610, dwFlags=0x1, phKey=0x1979fce0 | out: phKey=0x1979fce0*=0x10805908) returned 1 [0101.158] CryptExportKey (in: hKey=0x10805908, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1979fbdc, pdwDataLen=0x1979fcdc | out: pbData=0x1979fbdc*, pdwDataLen=0x1979fcdc*=0x2c) returned 1 [0101.158] MapViewOfFile (hFileMappingObject=0x468, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2d9c0) Thread: id = 341 os_tid = 0xba0 [0091.967] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\*.*", lpFindFileData=0x198dfd28 | out: lpFindFileData=0x198dfd28) returned 0x10804e48 [0091.967] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.967] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0x198dfd28 | out: lpFindFileData=0x198dfd28) returned 1 [0091.968] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.968] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.968] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0x198dfd28 | out: lpFindFileData=0x198dfd28) returned 1 [0091.968] lstrcmpW (lpString1=".", lpString2="ActiveX") returned -1 [0091.968] lstrcmpW (lpString1="..", lpString2="ActiveX") returned -1 [0091.968] lstrcmpiW (lpString1="windows", lpString2="ActiveX") returned 1 [0091.968] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\*.*" [0091.968] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\*.*") returned 57 [0091.968] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\", lpString2="ActiveX" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX" [0091.968] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0091.968] GlobalMemoryStatus (in: lpBuffer=0x198dfd08 | out: lpBuffer=0x198dfd08) [0091.968] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8b20c28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4a0 [0091.969] CloseHandle (hObject=0x4a0) returned 1 [0091.969] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0x198dfd28 | out: lpFindFileData=0x198dfd28) returned 0 [0091.969] FindClose (in: hFindFile=0x10804e48 | out: hFindFile=0x10804e48) returned 1 Thread: id = 342 os_tid = 0xbb4 [0091.970] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\*.*", lpFindFileData=0x19a1fd28 | out: lpFindFileData=0x19a1fd28) returned 0x10804988 [0091.970] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.970] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0x19a1fd28 | out: lpFindFileData=0x19a1fd28) returned 1 [0091.970] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.970] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.970] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0x19a1fd28 | out: lpFindFileData=0x19a1fd28) returned 1 [0091.970] lstrcmpW (lpString1=".", lpString2="1.0") returned -1 [0091.970] lstrcmpW (lpString1="..", lpString2="1.0") returned -1 [0091.970] lstrcmpiW (lpString1="windows", lpString2="1.0") returned 1 [0091.970] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\*.*" [0091.970] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\*.*") returned 53 [0091.970] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\", lpString2="1.0" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0" [0091.970] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*" [0091.970] GlobalMemoryStatus (in: lpBuffer=0x19a1fd08 | out: lpBuffer=0x19a1fd08) [0091.970] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10d75dd8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4a0 [0091.971] CloseHandle (hObject=0x4a0) returned 1 [0091.971] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0x19a1fd28 | out: lpFindFileData=0x19a1fd28) returned 0 [0091.971] FindClose (in: hFindFile=0x10804988 | out: hFindFile=0x10804988) returned 1 Thread: id = 343 os_tid = 0xbb8 [0091.971] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*", lpFindFileData=0x19b5fd28 | out: lpFindFileData=0x19b5fd28) returned 0x2c9e548 [0093.289] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.289] FindNextFileW (in: hFindFile=0x2c9e548, lpFindFileData=0x19b5fd28 | out: lpFindFileData=0x19b5fd28) returned 1 [0093.289] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.289] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.289] FindNextFileW (in: hFindFile=0x2c9e548, lpFindFileData=0x19b5fd28 | out: lpFindFileData=0x19b5fd28) returned 1 [0093.289] lstrcmpW (lpString1=".", lpString2="en_US") returned -1 [0093.289] lstrcmpW (lpString1="..", lpString2="en_US") returned -1 [0093.289] lstrcmpiW (lpString1="windows", lpString2="en_US") returned 1 [0094.062] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0094.062] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0094.062] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="en_US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US" [0094.062] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\*.*" [0094.062] GlobalMemoryStatus (in: lpBuffer=0x19b5fd08 | out: lpBuffer=0x19b5fd08) [0094.062] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5b988e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4d0 [0094.072] CloseHandle (hObject=0x4d0) returned 1 [0094.072] FindNextFileW (in: hFindFile=0x2c9e548, lpFindFileData=0x19b5fd28 | out: lpFindFileData=0x19b5fd28) returned 0 [0094.072] FindClose (in: hFindFile=0x2c9e548 | out: hFindFile=0x2c9e548) returned 1 Thread: id = 344 os_tid = 0xbbc [0091.972] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader\\*.*", lpFindFileData=0x19c9fd28 | out: lpFindFileData=0x19c9fd28) returned 0x2c9eb88 [0093.424] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.424] FindNextFileW (in: hFindFile=0x2c9eb88, lpFindFileData=0x19c9fd28 | out: lpFindFileData=0x19c9fd28) returned 1 [0093.650] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.650] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.650] FindNextFileW (in: hFindFile=0x2c9eb88, lpFindFileData=0x19c9fd28 | out: lpFindFileData=0x19c9fd28) returned 1 [0093.650] lstrcmpW (lpString1=".", lpString2="DC") returned -1 [0093.650] lstrcmpW (lpString1="..", lpString2="DC") returned -1 [0093.650] lstrcmpiW (lpString1="windows", lpString2="DC") returned 1 [0093.650] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader\\*.*" [0093.650] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader\\*.*") returned 56 [0093.650] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader\\", lpString2="DC" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader\\DC") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader\\DC" [0093.650] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader\\DC", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader\\DC\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader\\DC\\*.*" [0093.650] GlobalMemoryStatus (in: lpBuffer=0x19c9fd08 | out: lpBuffer=0x19c9fd08) [0093.650] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10e4e180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x63c [0093.651] CloseHandle (hObject=0x63c) returned 1 [0093.651] FindNextFileW (in: hFindFile=0x2c9eb88, lpFindFileData=0x19c9fd28 | out: lpFindFileData=0x19c9fd28) returned 0 [0093.651] FindClose (in: hFindFile=0x2c9eb88 | out: hFindFile=0x2c9eb88) returned 1 Thread: id = 345 os_tid = 0xbc0 [0091.972] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*", lpFindFileData=0x30bfd28 | out: lpFindFileData=0x30bfd28) returned 0x10804f88 [0091.973] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.973] FindNextFileW (in: hFindFile=0x10804f88, lpFindFileData=0x30bfd28 | out: lpFindFileData=0x30bfd28) returned 1 [0091.973] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0091.973] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.973] FindNextFileW (in: hFindFile=0x10804f88, lpFindFileData=0x30bfd28 | out: lpFindFileData=0x30bfd28) returned 1 [0091.973] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*" [0091.973] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*") returned 60 [0091.973] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\How To Restore Files.hta" [0091.973] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\how to restore files.hta")) returned 0xffffffff [0091.973] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0093.290] WriteFile (in: hFile=0x5a0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x30bfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x30bfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0093.291] CloseHandle (hObject=0x5a0) returned 1 [0093.291] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.061] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="jaureg.exe") returned -1 [0094.061] lstrlenW (lpString="jaureg.exe") returned 10 [0094.061] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*" [0094.061] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*") returned 60 [0094.061] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\", lpString2="jaureg.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe" [0094.061] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe" [0094.061] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe id-Br3n0G72wUb8CejT.LyaS" [0094.061] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jaureg.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jaureg.exe id-br3n0g72wub8cejt.lyas")) returned 1 [0096.102] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jaureg.exe id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0096.103] CreateFileMappingA (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x590 [0096.103] CryptAcquireContextA (in: phProv=0x30bfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x30bfce4*=0x1083d278) returned 1 [0096.104] CryptGenKey (in: hProv=0x1083d278, Algid=0x6610, dwFlags=0x1, phKey=0x30bfce0 | out: phKey=0x30bfce0*=0x5c8c90) returned 1 [0096.104] CryptExportKey (in: hKey=0x5c8c90, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x30bfbdc, pdwDataLen=0x30bfcdc | out: pbData=0x30bfbdc*, pdwDataLen=0x30bfcdc*=0x2c) returned 1 [0096.104] MapViewOfFile (hFileMappingObject=0x590, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x68a00) returned 0x1e1f0000 [0096.491] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bfbdc*, pdwDataLen=0x30bfcf0*=0x40, dwBufLen=0x100 | out: pbData=0x30bfbdc*, pdwDataLen=0x30bfcf0*=0x100) returned 1 [0096.491] CryptEncrypt (hKey=0x5c8c90, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x1e1f0000, pdwDataLen=0x30bfcdc*=0x68a00, dwBufLen=0x68a00) Thread: id = 346 os_tid = 0xbc4 [0091.974] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\*.*", lpFindFileData=0x347fd28 | out: lpFindFileData=0x347fd28) returned 0x2c9ebc8 [0093.649] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.649] FindNextFileW (in: hFindFile=0x2c9ebc8, lpFindFileData=0x347fd28 | out: lpFindFileData=0x347fd28) returned 1 [0093.649] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.649] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.649] FindNextFileW (in: hFindFile=0x2c9ebc8, lpFindFileData=0x347fd28 | out: lpFindFileData=0x347fd28) returned 1 [0093.649] lstrcpyW (in: lpString1=0x675f90, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\*.*" [0093.649] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\*.*") returned 64 [0093.649] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\How To Restore Files.hta" [0093.649] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\dao\\how to restore files.hta")) returned 0xffffffff [0093.649] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\dao\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0094.622] WriteFile (in: hFile=0x378, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x347fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x347fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.623] CloseHandle (hObject=0x378) returned 1 [0094.624] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.888] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="dao360.dll") returned 1 [0094.888] lstrlenW (lpString="dao360.dll") returned 10 [0094.888] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\*.*" [0094.888] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\*.*") returned 64 [0094.888] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\", lpString2="dao360.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\dao360.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\dao360.dll" [0094.888] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\dao360.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\dao360.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\dao360.dll" [0094.888] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\dao360.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\dao360.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\dao360.dll id-Br3n0G72wUb8CejT.LyaS" [0094.888] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\dao360.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\dao\\dao360.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\dao360.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\dao\\dao360.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0094.970] FindNextFileW (in: hFindFile=0x2c9ebc8, lpFindFileData=0x347fd28 | out: lpFindFileData=0x347fd28) returned 0 [0094.970] FindClose (in: hFindFile=0x2c9ebc8 | out: hFindFile=0x2c9ebc8) returned 1 Thread: id = 347 os_tid = 0xbc8 [0091.974] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*", lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 0x2c9e888 [0094.273] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.273] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0094.273] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0094.273] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.273] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0094.273] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0094.273] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0094.273] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0094.273] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0094.273] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0094.273] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\en-US" [0094.273] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\en-US\\*.*" [0094.273] GlobalMemoryStatus (in: lpBuffer=0x19ddfd08 | out: lpBuffer=0x19ddfd08) [0094.274] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5d58f70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5b0 [0094.643] CloseHandle (hObject=0x5b0) returned 1 [0094.643] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0094.643] lstrcmpW (lpString1=".", lpString2="HWRCustomization") returned -1 [0094.644] lstrcmpW (lpString1="..", lpString2="HWRCustomization") returned -1 [0094.644] lstrcmpiW (lpString1="windows", lpString2="HWRCustomization") returned 1 [0094.880] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0094.880] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0094.880] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="HWRCustomization" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\HWRCustomization") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\HWRCustomization" [0094.880] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\HWRCustomization", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\HWRCustomization\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\HWRCustomization\\*.*" [0094.880] GlobalMemoryStatus (in: lpBuffer=0x19ddfd08 | out: lpBuffer=0x19ddfd08) [0094.880] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21451550, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5b0 [0094.881] CloseHandle (hObject=0x5b0) returned 1 [0094.881] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0094.885] lstrcpyW (in: lpString1=0x214695b8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0094.885] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0094.885] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" [0094.885] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0xffffffff [0094.885] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x468 [0094.963] WriteFile (in: hFile=0x468, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x19ddfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x19ddfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.964] CloseHandle (hObject=0x468) returned 1 [0094.964] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.965] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="InkDiv.dll") returned -1 [0094.965] lstrlenW (lpString="InkDiv.dll") returned 10 [0094.965] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0094.965] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0094.965] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="InkDiv.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\InkDiv.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\InkDiv.dll" [0094.965] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\InkDiv.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\InkDiv.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\InkDiv.dll" [0094.965] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\InkDiv.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\InkDiv.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\InkDiv.dll id-Br3n0G72wUb8CejT.LyaS" [0094.965] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\InkDiv.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\inkdiv.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\InkDiv.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\inkdiv.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0094.966] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0094.966] lstrcpyW (in: lpString1=0x105f01e8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0094.966] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0094.966] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" [0094.966] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0094.967] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="InkObj.dll") returned -1 [0094.967] lstrlenW (lpString="InkObj.dll") returned 10 [0094.967] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0094.967] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0094.967] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="InkObj.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\InkObj.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\InkObj.dll" [0094.967] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\InkObj.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\InkObj.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\InkObj.dll" [0094.967] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\InkObj.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\InkObj.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\InkObj.dll id-Br3n0G72wUb8CejT.LyaS" [0094.967] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\InkObj.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\inkobj.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\InkObj.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\inkobj.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0094.968] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0094.968] lstrcpyW (in: lpString1=0x105f01e8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0094.968] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0094.968] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" [0094.968] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0094.968] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="journal.dll") returned -1 [0094.968] lstrlenW (lpString="journal.dll") returned 11 [0094.968] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0094.968] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0094.968] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="journal.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\journal.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\journal.dll" [0094.968] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\journal.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\journal.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\journal.dll" [0094.968] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\journal.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\journal.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\journal.dll id-Br3n0G72wUb8CejT.LyaS" [0094.968] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\journal.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\journal.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\journal.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\journal.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0094.969] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0094.969] lstrcpyW (in: lpString1=0x105f01e8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0094.969] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0094.969] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" [0094.969] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0094.969] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="micaut.dll") returned -1 [0094.969] lstrlenW (lpString="micaut.dll") returned 10 [0094.969] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0094.969] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0094.969] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="micaut.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\micaut.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\micaut.dll" [0094.969] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\micaut.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\micaut.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\micaut.dll" [0094.969] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\micaut.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\micaut.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\micaut.dll id-Br3n0G72wUb8CejT.LyaS" [0094.970] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\micaut.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\micaut.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\micaut.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\micaut.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0095.004] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0095.004] lstrcpyW (in: lpString1=0x105f01e8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.004] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.004] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" [0095.004] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0095.004] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Microsoft.Ink.dll") returned -1 [0095.005] lstrlenW (lpString="Microsoft.Ink.dll") returned 17 [0095.005] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.005] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.005] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="Microsoft.Ink.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\Microsoft.Ink.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\Microsoft.Ink.dll" [0095.005] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\Microsoft.Ink.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\Microsoft.Ink.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\Microsoft.Ink.dll" [0095.005] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\Microsoft.Ink.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\Microsoft.Ink.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\Microsoft.Ink.dll id-Br3n0G72wUb8CejT.LyaS" [0095.005] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\Microsoft.Ink.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\microsoft.ink.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\Microsoft.Ink.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\microsoft.ink.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0095.005] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0095.005] lstrcpyW (in: lpString1=0x105f01e8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.005] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.005] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" [0095.005] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0095.005] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="mraut.dll") returned -1 [0095.005] lstrlenW (lpString="mraut.dll") returned 9 [0095.005] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.006] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.006] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="mraut.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mraut.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mraut.dll" [0095.006] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mraut.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mraut.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mraut.dll" [0095.006] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mraut.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mraut.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mraut.dll id-Br3n0G72wUb8CejT.LyaS" [0095.006] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mraut.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\mraut.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mraut.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\mraut.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0095.022] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0095.022] lstrcpyW (in: lpString1=0x105f01e8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.022] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.022] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" [0095.022] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0095.023] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="mshwgst.dll") returned -1 [0095.023] lstrlenW (lpString="mshwgst.dll") returned 11 [0095.023] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.023] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.023] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="mshwgst.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mshwgst.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mshwgst.dll" [0095.023] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mshwgst.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mshwgst.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mshwgst.dll" [0095.023] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mshwgst.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mshwgst.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mshwgst.dll id-Br3n0G72wUb8CejT.LyaS" [0095.023] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mshwgst.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\mshwgst.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mshwgst.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\mshwgst.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0095.025] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0095.025] lstrcpyW (in: lpString1=0x105f01e8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.025] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.026] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" [0095.026] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0095.026] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="mshwLatin.dll") returned -1 [0095.026] lstrlenW (lpString="mshwLatin.dll") returned 13 [0095.026] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.026] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.026] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="mshwLatin.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mshwLatin.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mshwLatin.dll" [0095.026] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mshwLatin.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mshwLatin.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mshwLatin.dll" [0095.026] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mshwLatin.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mshwLatin.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mshwLatin.dll id-Br3n0G72wUb8CejT.LyaS" [0095.026] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mshwLatin.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\mshwlatin.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\mshwLatin.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\mshwlatin.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0095.027] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0095.027] lstrcpyW (in: lpString1=0x105f01e8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.027] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.027] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" [0095.027] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0095.027] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="penchs.dll") returned -1 [0095.027] lstrlenW (lpString="penchs.dll") returned 10 [0095.027] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.027] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.027] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="penchs.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penchs.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penchs.dll" [0095.027] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penchs.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penchs.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penchs.dll" [0095.027] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penchs.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penchs.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penchs.dll id-Br3n0G72wUb8CejT.LyaS" [0095.027] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penchs.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\penchs.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penchs.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\penchs.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0095.027] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0095.027] lstrcpyW (in: lpString1=0x105f01e8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.027] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.027] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" [0095.027] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0095.028] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="pencht.dll") returned -1 [0095.028] lstrlenW (lpString="pencht.dll") returned 10 [0095.028] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.028] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.028] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="pencht.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pencht.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pencht.dll" [0095.028] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pencht.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pencht.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pencht.dll" [0095.028] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pencht.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pencht.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pencht.dll id-Br3n0G72wUb8CejT.LyaS" [0095.028] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pencht.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\pencht.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pencht.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\pencht.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0095.057] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0095.057] lstrcpyW (in: lpString1=0x105f01e8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.057] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.057] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" [0095.057] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0095.057] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="penjpn.dll") returned -1 [0095.057] lstrlenW (lpString="penjpn.dll") returned 10 [0095.057] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.057] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.057] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="penjpn.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penjpn.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penjpn.dll" [0095.057] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penjpn.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penjpn.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penjpn.dll" [0095.057] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penjpn.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penjpn.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penjpn.dll id-Br3n0G72wUb8CejT.LyaS" [0095.057] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penjpn.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\penjpn.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penjpn.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\penjpn.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0095.058] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0095.058] lstrcpyW (in: lpString1=0x105f01e8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.058] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.058] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" [0095.058] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0095.065] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="penkor.dll") returned -1 [0095.065] lstrlenW (lpString="penkor.dll") returned 10 [0095.065] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.065] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.065] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="penkor.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penkor.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penkor.dll" [0095.065] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penkor.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penkor.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penkor.dll" [0095.065] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penkor.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penkor.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penkor.dll id-Br3n0G72wUb8CejT.LyaS" [0095.065] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penkor.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\penkor.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penkor.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\penkor.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0095.065] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0095.065] lstrcpyW (in: lpString1=0x105f01e8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.065] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.065] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" [0095.065] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0095.065] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="penusa.dll") returned -1 [0095.066] lstrlenW (lpString="penusa.dll") returned 10 [0095.066] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.066] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.066] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="penusa.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penusa.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penusa.dll" [0095.066] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penusa.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penusa.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penusa.dll" [0095.066] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penusa.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penusa.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penusa.dll id-Br3n0G72wUb8CejT.LyaS" [0095.066] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penusa.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\penusa.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\penusa.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\penusa.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0095.066] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0095.066] lstrcpyW (in: lpString1=0x105f01e8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.066] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.066] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" [0095.066] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0095.066] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="pipanel.dll") returned -1 [0095.066] lstrlenW (lpString="pipanel.dll") returned 11 [0095.066] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.066] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.066] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="pipanel.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipanel.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipanel.dll" [0095.066] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipanel.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipanel.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipanel.dll" [0095.067] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipanel.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipanel.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipanel.dll id-Br3n0G72wUb8CejT.LyaS" [0095.067] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipanel.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\pipanel.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipanel.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\pipanel.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0095.067] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0095.067] lstrcpyW (in: lpString1=0x105f01e8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.067] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.067] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" [0095.067] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0095.067] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="pipanel.exe") returned -1 [0095.067] lstrlenW (lpString="pipanel.exe") returned 11 [0095.067] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.067] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.067] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="pipanel.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipanel.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipanel.exe" [0095.067] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipanel.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipanel.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipanel.exe" [0095.067] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipanel.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipanel.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipanel.exe id-Br3n0G72wUb8CejT.LyaS" [0095.067] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipanel.exe" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\pipanel.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipanel.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\pipanel.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0095.068] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0095.068] lstrcpyW (in: lpString1=0x105f01e8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.068] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.068] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" [0095.068] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0095.068] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="pipres.dll") returned -1 [0095.068] lstrlenW (lpString="pipres.dll") returned 10 [0095.068] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.068] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.068] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="pipres.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipres.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipres.dll" [0095.068] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipres.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipres.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipres.dll" [0095.068] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipres.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipres.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipres.dll id-Br3n0G72wUb8CejT.LyaS" [0095.068] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipres.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\pipres.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\pipres.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\pipres.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0095.069] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0095.069] lstrcpyW (in: lpString1=0x105f01e8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.069] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.069] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" [0095.069] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0095.069] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="rtscom.dll") returned -1 [0095.069] lstrlenW (lpString="rtscom.dll") returned 10 [0095.069] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0095.069] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0095.069] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="rtscom.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\rtscom.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\rtscom.dll" [0095.069] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\rtscom.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\rtscom.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\rtscom.dll" [0095.069] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\rtscom.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\rtscom.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\rtscom.dll id-Br3n0G72wUb8CejT.LyaS" [0095.069] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\rtscom.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\rtscom.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\rtscom.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\rtscom.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0096.768] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0096.980] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0096.980] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0096.980] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" [0096.980] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0096.984] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="skchobj.dll") returned -1 [0096.984] lstrlenW (lpString="skchobj.dll") returned 11 [0096.984] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0096.984] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0096.984] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="skchobj.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\skchobj.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\skchobj.dll" [0096.984] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\skchobj.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\skchobj.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\skchobj.dll" [0096.984] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\skchobj.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\skchobj.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\skchobj.dll id-Br3n0G72wUb8CejT.LyaS" [0096.984] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\skchobj.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\skchobj.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\skchobj.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\skchobj.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0096.985] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0096.985] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0096.985] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0096.985] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" [0096.985] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0096.985] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="skchui.dll") returned -1 [0096.985] lstrlenW (lpString="skchui.dll") returned 10 [0096.985] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0096.985] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0096.985] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="skchui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\skchui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\skchui.dll" [0096.985] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\skchui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\skchui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\skchui.dll" [0096.985] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\skchui.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\skchui.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\skchui.dll id-Br3n0G72wUb8CejT.LyaS" [0096.985] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\skchui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\skchui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\skchui.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\skchui.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0096.986] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0096.986] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0096.986] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0096.986] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" [0096.986] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0096.986] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="TabTip32.exe") returned -1 [0096.986] lstrlenW (lpString="TabTip32.exe") returned 12 [0096.986] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0096.986] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0096.986] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="TabTip32.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\TabTip32.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\TabTip32.exe" [0096.986] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\TabTip32.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\TabTip32.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\TabTip32.exe" [0096.987] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\TabTip32.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\TabTip32.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\TabTip32.exe id-Br3n0G72wUb8CejT.LyaS" [0096.987] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\TabTip32.exe" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\tabtip32.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\TabTip32.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\tabtip32.exe id-br3n0g72wub8cejt.lyas")) returned 0 [0096.987] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0096.987] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0096.987] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0096.987] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" [0096.987] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0096.987] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="tiptsf.dll") returned -1 [0096.987] lstrlenW (lpString="tiptsf.dll") returned 10 [0096.987] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0096.987] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0096.988] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="tiptsf.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\tiptsf.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\tiptsf.dll" [0096.988] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\tiptsf.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\tiptsf.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\tiptsf.dll" [0096.988] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\tiptsf.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\tiptsf.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\tiptsf.dll id-Br3n0G72wUb8CejT.LyaS" [0096.988] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\tiptsf.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\tiptsf.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\tiptsf.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\tiptsf.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0096.988] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 1 [0096.988] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0096.989] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0096.989] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" [0096.989] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\how to restore files.hta")) returned 0x1 [0096.989] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="tpcps.dll") returned -1 [0096.989] lstrlenW (lpString="tpcps.dll") returned 9 [0096.989] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*" [0096.989] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\*.*") returned 64 [0096.989] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\", lpString2="tpcps.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\tpcps.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\tpcps.dll" [0096.989] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\tpcps.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\tpcps.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\tpcps.dll" [0096.989] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\tpcps.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\tpcps.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\tpcps.dll id-Br3n0G72wUb8CejT.LyaS" [0096.989] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\tpcps.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\tpcps.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\tpcps.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\tpcps.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0096.990] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x19ddfd28 | out: lpFindFileData=0x19ddfd28) returned 0 [0096.990] FindClose (in: hFindFile=0x2c9e888 | out: hFindFile=0x2c9e888) returned 1 Thread: id = 348 os_tid = 0xbcc [0091.975] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSEnv\\*.*", lpFindFileData=0x19f1fd28 | out: lpFindFileData=0x19f1fd28) returned 0x2c9e688 [0093.821] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.821] FindNextFileW (in: hFindFile=0x2c9e688, lpFindFileData=0x19f1fd28 | out: lpFindFileData=0x19f1fd28) returned 1 [0093.821] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.822] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.822] FindNextFileW (in: hFindFile=0x2c9e688, lpFindFileData=0x19f1fd28 | out: lpFindFileData=0x19f1fd28) returned 1 [0093.822] lstrcmpW (lpString1=".", lpString2="PublicAssemblies") returned -1 [0093.822] lstrcmpW (lpString1="..", lpString2="PublicAssemblies") returned -1 [0093.822] lstrcmpiW (lpString1="windows", lpString2="PublicAssemblies") returned 1 [0093.826] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSEnv\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSEnv\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSEnv\\*.*" [0093.826] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSEnv\\*.*") returned 66 [0093.826] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSEnv\\", lpString2="PublicAssemblies" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSEnv\\PublicAssemblies") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSEnv\\PublicAssemblies" [0093.826] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSEnv\\PublicAssemblies", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSEnv\\PublicAssemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSEnv\\PublicAssemblies\\*.*" [0093.826] GlobalMemoryStatus (in: lpBuffer=0x19f1fd08 | out: lpBuffer=0x19f1fd08) [0093.826] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21130830, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4f0 [0093.827] CloseHandle (hObject=0x4f0) returned 1 [0093.827] FindNextFileW (in: hFindFile=0x2c9e688, lpFindFileData=0x19f1fd28 | out: lpFindFileData=0x19f1fd28) returned 0 [0093.827] FindClose (in: hFindFile=0x2c9e688 | out: hFindFile=0x2c9e688) returned 1 Thread: id = 349 os_tid = 0xbd0 [0091.976] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\*.*", lpFindFileData=0x1a05fd28 | out: lpFindFileData=0x1a05fd28) returned 0x2c9e688 [0093.828] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.828] FindNextFileW (in: hFindFile=0x2c9e688, lpFindFileData=0x1a05fd28 | out: lpFindFileData=0x1a05fd28) returned 1 [0093.828] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.828] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.828] FindNextFileW (in: hFindFile=0x2c9e688, lpFindFileData=0x1a05fd28 | out: lpFindFileData=0x1a05fd28) returned 1 [0093.828] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0093.828] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0093.828] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0093.828] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\*.*" [0093.828] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\*.*") returned 67 [0093.828] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\en-US" [0093.828] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\*.*" [0093.828] GlobalMemoryStatus (in: lpBuffer=0x1a05fd08 | out: lpBuffer=0x1a05fd08) [0093.828] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10dedfe0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x608 [0093.829] CloseHandle (hObject=0x608) returned 1 [0093.829] FindNextFileW (in: hFindFile=0x2c9e688, lpFindFileData=0x1a05fd28 | out: lpFindFileData=0x1a05fd28) returned 1 [0093.832] lstrcpyW (in: lpString1=0x21148898, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\*.*" [0093.832] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\*.*") returned 67 [0093.832] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\How To Restore Files.hta" [0093.832] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msinfo\\how to restore files.hta")) returned 0xffffffff [0093.832] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msinfo\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4ec [0094.916] WriteFile (in: hFile=0x4ec, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1a05fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1a05fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.917] CloseHandle (hObject=0x4ec) returned 1 [0094.917] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0101.013] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msinfo32.exe") returned -1 [0101.013] lstrlenW (lpString="msinfo32.exe") returned 12 [0101.013] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\*.*" [0101.013] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\*.*") returned 67 [0101.013] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\", lpString2="msinfo32.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe" [0101.013] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe" [0101.013] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe id-Br3n0G72wUb8CejT.LyaS" [0101.013] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msinfo\\msinfo32.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msinfo\\msinfo32.exe id-br3n0g72wub8cejt.lyas")) Thread: id = 350 os_tid = 0xbd4 [0091.976] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*", lpFindFileData=0x1a19fd28 | out: lpFindFileData=0x1a19fd28) returned 0x2c9e448 [0093.397] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.397] FindNextFileW (in: hFindFile=0x2c9e448, lpFindFileData=0x1a19fd28 | out: lpFindFileData=0x1a19fd28) returned 1 [0093.397] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.397] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.397] FindNextFileW (in: hFindFile=0x2c9e448, lpFindFileData=0x1a19fd28 | out: lpFindFileData=0x1a19fd28) returned 1 [0093.836] lstrcpyW (in: lpString1=0x211508a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0093.836] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 71 [0093.836] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\How To Restore Files.hta" [0093.836] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\how to restore files.hta")) returned 0xffffffff [0093.836] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x584 [0096.209] WriteFile (in: hFile=0x584, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1a19fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1a19fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0096.210] CloseHandle (hObject=0x584) returned 1 [0096.211] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0100.751] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Bears.htm") returned 1 [0100.751] lstrlenW (lpString="Bears.htm") returned 9 [0100.751] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0100.751] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 71 [0100.751] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Bears.htm" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" [0100.751] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" [0100.751] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm id-Br3n0G72wUb8CejT.LyaS" [0100.751] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\bears.htm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\bears.htm id-br3n0g72wub8cejt.lyas")) returned 0 [0100.771] FindNextFileW (in: hFindFile=0x2c9e448, lpFindFileData=0x1a19fd28 | out: lpFindFileData=0x1a19fd28) returned 1 [0100.771] lstrcpyW (in: lpString1=0x3e24360, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0100.771] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 71 [0100.771] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\How To Restore Files.hta" [0100.771] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\how to restore files.hta")) returned 0x1 [0100.771] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Bears.jpg") returned 1 [0100.771] lstrlenW (lpString="Bears.jpg") returned 9 [0100.771] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0100.771] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 71 [0100.771] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Bears.jpg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" [0100.771] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" [0100.771] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg id-Br3n0G72wUb8CejT.LyaS" [0100.771] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\bears.jpg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\bears.jpg id-br3n0g72wub8cejt.lyas")) returned 0 [0100.799] FindNextFileW (in: hFindFile=0x2c9e448, lpFindFileData=0x1a19fd28 | out: lpFindFileData=0x1a19fd28) returned 1 [0100.799] lstrcpyW (in: lpString1=0x211508a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0100.799] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 71 [0100.799] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\How To Restore Files.hta" [0100.799] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\how to restore files.hta")) returned 0x1 [0100.799] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Desktop.ini") returned 1 [0100.799] lstrlenW (lpString="Desktop.ini") returned 11 [0100.799] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0100.799] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 71 [0100.799] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Desktop.ini" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" [0100.799] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" [0100.800] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini id-Br3n0G72wUb8CejT.LyaS" [0100.800] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\desktop.ini id-br3n0g72wub8cejt.lyas")) returned 1 [0101.136] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\desktop.ini id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a4 [0101.136] CreateFileMappingA (hFile=0x5a4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x468 [0101.137] CryptAcquireContextA (in: phProv=0x1a19fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1a19fce4*=0x1083ce38) returned 1 [0101.137] CryptGenKey (in: hProv=0x1083ce38, Algid=0x6610, dwFlags=0x1, phKey=0x1a19fce0 | out: phKey=0x1a19fce0*=0x108052c8) returned 1 [0101.137] CryptExportKey (in: hKey=0x108052c8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1a19fbdc, pdwDataLen=0x1a19fcdc | out: pbData=0x1a19fbdc*, pdwDataLen=0x1a19fcdc*=0x2c) returned 1 [0101.137] MapViewOfFile (hFileMappingObject=0x468, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x280) returned 0x3140000 [0101.145] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1a19fbdc*, pdwDataLen=0x1a19fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1a19fbdc*, pdwDataLen=0x1a19fcf0*=0x100) returned 1 [0101.146] CryptEncrypt (in: hKey=0x108052c8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3140000*, pdwDataLen=0x1a19fcdc*=0x280, dwBufLen=0x280 | out: pbData=0x3140000*, pdwDataLen=0x1a19fcdc*=0x280) returned 1 [0101.146] UnmapViewOfFile (lpBaseAddress=0x3140000) returned 1 [0101.146] CloseHandle (hObject=0x468) returned 1 [0101.146] CryptDestroyKey (hKey=0x108052c8) returned 1 [0101.146] CryptReleaseContext (hProv=0x1083ce38, dwFlags=0x0) returned 1 [0101.146] SetFilePointerEx (in: hFile=0x5a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.146] WriteFile (hFile=0x5a4, lpBuffer=0x1a19fbdc, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1a19fcf0, lpOverlapped=0x0) Thread: id = 351 os_tid = 0xbd8 [0091.977] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv\\*.*", lpFindFileData=0x1a2dfd28 | out: lpFindFileData=0x1a2dfd28) returned 0x2c9e408 [0093.396] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.396] FindNextFileW (in: hFindFile=0x2c9e408, lpFindFileData=0x1a2dfd28 | out: lpFindFileData=0x1a2dfd28) returned 1 [0093.396] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.396] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.396] FindNextFileW (in: hFindFile=0x2c9e408, lpFindFileData=0x1a2dfd28 | out: lpFindFileData=0x1a2dfd28) returned 1 [0093.396] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0093.396] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0093.396] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0093.841] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv\\*.*" [0093.841] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv\\*.*") returned 69 [0093.841] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv\\en-US" [0093.841] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv\\en-US\\*.*" [0093.841] GlobalMemoryStatus (in: lpBuffer=0x1a2dfd08 | out: lpBuffer=0x1a2dfd08) [0093.841] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x211588a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x608 [0093.841] CloseHandle (hObject=0x608) returned 1 [0093.842] FindNextFileW (in: hFindFile=0x2c9e408, lpFindFileData=0x1a2dfd28 | out: lpFindFileData=0x1a2dfd28) returned 0 [0093.842] FindClose (in: hFindFile=0x2c9e408 | out: hFindFile=0x2c9e408) returned 1 Thread: id = 352 os_tid = 0xbdc [0091.977] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Triedit\\*.*", lpFindFileData=0x1a41fd28 | out: lpFindFileData=0x1a41fd28) returned 0x2c9ebc8 [0093.424] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.424] FindNextFileW (in: hFindFile=0x2c9ebc8, lpFindFileData=0x1a41fd28 | out: lpFindFileData=0x1a41fd28) returned 1 [0093.647] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.647] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.647] FindNextFileW (in: hFindFile=0x2c9ebc8, lpFindFileData=0x1a41fd28 | out: lpFindFileData=0x1a41fd28) returned 1 [0093.647] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0093.647] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0093.647] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0093.647] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Triedit\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Triedit\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Triedit\\*.*" [0093.647] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Triedit\\*.*") returned 68 [0093.648] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Triedit\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Triedit\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Triedit\\en-US" [0093.648] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Triedit\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Triedit\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Triedit\\en-US\\*.*" [0093.648] GlobalMemoryStatus (in: lpBuffer=0x1a41fd08 | out: lpBuffer=0x1a41fd08) [0093.648] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10eae320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x640 [0093.648] CloseHandle (hObject=0x640) returned 1 [0093.648] FindNextFileW (in: hFindFile=0x2c9ebc8, lpFindFileData=0x1a41fd28 | out: lpFindFileData=0x1a41fd28) returned 0 [0093.648] FindClose (in: hFindFile=0x2c9ebc8 | out: hFindFile=0x2c9ebc8) returned 1 Thread: id = 353 os_tid = 0xbe0 [0091.978] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\*.*", lpFindFileData=0x1a55fd28 | out: lpFindFileData=0x1a55fd28) returned 0x2c9e648 [0093.397] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.397] FindNextFileW (in: hFindFile=0x2c9e648, lpFindFileData=0x1a55fd28 | out: lpFindFileData=0x1a55fd28) returned 1 [0093.397] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.397] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.397] FindNextFileW (in: hFindFile=0x2c9e648, lpFindFileData=0x1a55fd28 | out: lpFindFileData=0x1a55fd28) returned 1 [0093.398] lstrcmpW (lpString1=".", lpString2="amd64") returned -1 [0093.398] lstrcmpW (lpString1="..", lpString2="amd64") returned -1 [0093.398] lstrcmpiW (lpString1="windows", lpString2="amd64") returned 1 [0093.815] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\*.*" [0093.815] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\*.*") returned 63 [0093.815] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\", lpString2="amd64" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\amd64") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\amd64" [0093.815] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\amd64", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\amd64\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\amd64\\*.*" [0093.815] GlobalMemoryStatus (in: lpBuffer=0x1a55fd08 | out: lpBuffer=0x1a55fd08) [0093.815] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5cf0e30, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4f0 [0093.816] CloseHandle (hObject=0x4f0) returned 1 [0093.816] FindNextFileW (in: hFindFile=0x2c9e648, lpFindFileData=0x1a55fd28 | out: lpFindFileData=0x1a55fd28) returned 1 [0093.816] lstrcpyW (in: lpString1=0x21120820, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\*.*" [0093.816] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\*.*") returned 63 [0093.816] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\How To Restore Files.hta" [0093.816] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\how to restore files.hta")) returned 0xffffffff [0093.817] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b4 [0094.617] WriteFile (in: hFile=0x4b4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1a55fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1a55fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.618] CloseHandle (hObject=0x4b4) returned 1 [0094.618] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.891] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msdia100.dll") returned -1 [0094.891] lstrlenW (lpString="msdia100.dll") returned 12 [0094.891] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\*.*" [0094.891] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\*.*") returned 63 [0094.891] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\", lpString2="msdia100.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\msdia100.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\msdia100.dll" [0094.891] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\msdia100.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\msdia100.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\msdia100.dll" [0094.891] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\msdia100.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\msdia100.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\msdia100.dll id-Br3n0G72wUb8CejT.LyaS" [0094.891] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\msdia100.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\msdia100.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\msdia100.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\msdia100.dll id-br3n0g72wub8cejt.lyas")) returned 1 [0094.991] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VC\\msdia100.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\msdia100.dll id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x638 [0094.992] CreateFileMappingA (hFile=0x638, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4ec [0094.992] CryptAcquireContextA (in: phProv=0x1a55fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1a55fce4*=0x1083d498) returned 1 [0094.992] CryptGenKey (in: hProv=0x1083d498, Algid=0x6610, dwFlags=0x1, phKey=0x1a55fce0 | out: phKey=0x1a55fce0*=0x5c8ed0) returned 1 [0094.992] CryptExportKey (in: hKey=0x5c8ed0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1a55fbdc, pdwDataLen=0x1a55fcdc | out: pbData=0x1a55fbdc*, pdwDataLen=0x1a55fcdc*=0x2c) returned 1 [0094.993] MapViewOfFile (hFileMappingObject=0x4ec, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc3340) returned 0x281f0000 [0095.024] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1a55fbdc*, pdwDataLen=0x1a55fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1a55fbdc*, pdwDataLen=0x1a55fcf0*=0x100) returned 1 [0095.024] CryptEncrypt (hKey=0x5c8ed0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x281f0000, pdwDataLen=0x1a55fcdc*=0xc3340, dwBufLen=0xc3340) Thread: id = 354 os_tid = 0xbe4 [0091.978] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\*.*", lpFindFileData=0x1a69fd28 | out: lpFindFileData=0x1a69fd28) returned 0x2c9e488 [0093.817] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.817] FindNextFileW (in: hFindFile=0x2c9e488, lpFindFileData=0x1a69fd28 | out: lpFindFileData=0x1a69fd28) returned 1 [0093.817] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.817] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.817] FindNextFileW (in: hFindFile=0x2c9e488, lpFindFileData=0x1a69fd28 | out: lpFindFileData=0x1a69fd28) returned 1 [0093.821] lstrcpyW (in: lpString1=0x21128828, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\*.*" [0093.821] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\*.*") returned 64 [0093.821] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\How To Restore Files.hta" [0093.821] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vgx\\how to restore files.hta")) returned 0xffffffff [0093.821] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vgx\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b4 [0094.599] WriteFile (in: hFile=0x4b4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1a69fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1a69fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.600] CloseHandle (hObject=0x4b4) returned 1 [0094.600] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.910] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="VGX.dll") returned -1 [0094.910] lstrlenW (lpString="VGX.dll") returned 7 [0094.910] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\*.*" [0094.910] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\*.*") returned 64 [0094.910] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\", lpString2="VGX.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\VGX.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\VGX.dll" [0094.911] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\VGX.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\VGX.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\VGX.dll" [0094.911] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\VGX.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\VGX.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\VGX.dll id-Br3n0G72wUb8CejT.LyaS" [0094.911] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\VGX.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vgx\\vgx.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\VGX.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vgx\\vgx.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0096.318] FindNextFileW (in: hFindFile=0x2c9e488, lpFindFileData=0x1a69fd28 | out: lpFindFileData=0x1a69fd28) returned 0 [0096.318] FindClose (in: hFindFile=0x2c9e488 | out: hFindFile=0x2c9e488) returned 1 Thread: id = 355 os_tid = 0xbe8 [0091.979] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\*.*", lpFindFileData=0x1a7dfd28 | out: lpFindFileData=0x1a7dfd28) returned 0x5c8cd0 [0094.295] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.295] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x1a7dfd28 | out: lpFindFileData=0x1a7dfd28) returned 1 [0094.295] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0094.295] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.295] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x1a7dfd28 | out: lpFindFileData=0x1a7dfd28) returned 1 [0094.295] lstrcmpW (lpString1=".", lpString2="en-us.16") returned -1 [0094.295] lstrcmpW (lpString1="..", lpString2="en-us.16") returned -1 [0094.295] lstrcmpiW (lpString1="windows", lpString2="en-us.16") returned 1 [0095.978] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\*.*" [0095.978] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\*.*") returned 80 [0095.978] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\", lpString2="en-us.16" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\en-us.16") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\en-us.16" [0095.978] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\en-us.16", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\en-us.16\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\en-us.16\\*.*" [0095.978] GlobalMemoryStatus (in: lpBuffer=0x1a7dfd08 | out: lpBuffer=0x1a7dfd08) [0095.978] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21421480, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3dc [0095.979] CloseHandle (hObject=0x3dc) returned 1 [0095.979] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x1a7dfd28 | out: lpFindFileData=0x1a7dfd28) returned 1 [0095.979] lstrcmpW (lpString1=".", lpString2="x-none.16") returned -1 [0095.979] lstrcmpW (lpString1="..", lpString2="x-none.16") returned -1 [0095.979] lstrcmpiW (lpString1="windows", lpString2="x-none.16") returned -1 [0100.749] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\*.*" [0100.749] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\*.*") returned 80 [0100.749] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\", lpString2="x-none.16" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\x-none.16") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\x-none.16" [0100.749] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\x-none.16", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\x-none.16\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\x-none.16\\*.*" [0100.749] GlobalMemoryStatus (in: lpBuffer=0x1a7dfd08 | out: lpBuffer=0x1a7dfd08) [0100.750] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x105f01e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x348 [0100.750] CloseHandle (hObject=0x348) returned 1 [0100.750] FindNextFileW (in: hFindFile=0x5c8cd0, lpFindFileData=0x1a7dfd28 | out: lpFindFileData=0x1a7dfd28) returned 0 [0101.069] FindClose (in: hFindFile=0x5c8cd0 | out: hFindFile=0x5c8cd0) returned 1 Thread: id = 356 os_tid = 0xbec [0091.979] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\*.*", lpFindFileData=0x1a91fd28 | out: lpFindFileData=0x1a91fd28) returned 0x2c9ec08 [0093.424] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.424] FindNextFileW (in: hFindFile=0x2c9ec08, lpFindFileData=0x1a91fd28 | out: lpFindFileData=0x1a91fd28) returned 1 [0093.636] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.636] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.636] FindNextFileW (in: hFindFile=0x2c9ec08, lpFindFileData=0x1a91fd28 | out: lpFindFileData=0x1a91fd28) returned 1 [0093.636] lstrcmpW (lpString1=".", lpString2="en-us.16") returned -1 [0093.636] lstrcmpW (lpString1="..", lpString2="en-us.16") returned -1 [0093.636] lstrcmpiW (lpString1="windows", lpString2="en-us.16") returned 1 [0093.637] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\*.*" [0093.637] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\*.*") returned 80 [0093.637] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\", lpString2="en-us.16" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\en-us.16") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\en-us.16" [0093.637] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\en-us.16", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\en-us.16\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\en-us.16\\*.*" [0093.637] GlobalMemoryStatus (in: lpBuffer=0x1a91fd08 | out: lpBuffer=0x1a91fd08) [0093.637] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5be0a18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0093.638] CloseHandle (hObject=0x308) returned 1 [0093.638] FindNextFileW (in: hFindFile=0x2c9ec08, lpFindFileData=0x1a91fd28 | out: lpFindFileData=0x1a91fd28) returned 1 [0093.638] lstrcmpW (lpString1=".", lpString2="x-none.16") returned -1 [0093.638] lstrcmpW (lpString1="..", lpString2="x-none.16") returned -1 [0093.638] lstrcmpiW (lpString1="windows", lpString2="x-none.16") returned -1 [0093.642] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\*.*" [0093.642] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\*.*") returned 80 [0093.642] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\", lpString2="x-none.16" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\x-none.16") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\x-none.16" [0093.642] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\x-none.16", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\x-none.16\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\x-none.16\\*.*" [0093.642] GlobalMemoryStatus (in: lpBuffer=0x1a91fd08 | out: lpBuffer=0x1a91fd08) [0093.642] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x20e70460, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0093.643] CloseHandle (hObject=0x308) returned 1 [0093.643] FindNextFileW (in: hFindFile=0x2c9ec08, lpFindFileData=0x1a91fd28 | out: lpFindFileData=0x1a91fd28) returned 0 [0093.643] FindClose (in: hFindFile=0x2c9ec08 | out: hFindFile=0x2c9ec08) returned 1 Thread: id = 357 os_tid = 0xbf0 [0091.980] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*.*", lpFindFileData=0x1aa5fd28 | out: lpFindFileData=0x1aa5fd28) returned 0x10804988 [0092.383] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.383] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0x1aa5fd28 | out: lpFindFileData=0x1aa5fd28) returned 1 [0092.383] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.383] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.383] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0x1aa5fd28 | out: lpFindFileData=0x1aa5fd28) returned 1 [0092.383] lstrcmpW (lpString1=".", lpString2="MachineKeys") returned -1 [0092.383] lstrcmpW (lpString1="..", lpString2="MachineKeys") returned -1 [0092.383] lstrcmpiW (lpString1="windows", lpString2="MachineKeys") returned 1 [0092.383] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*.*" [0092.383] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*.*") returned 43 [0092.383] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\", lpString2="MachineKeys" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys" [0092.383] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*" [0092.383] GlobalMemoryStatus (in: lpBuffer=0x1aa5fd08 | out: lpBuffer=0x1aa5fd08) [0092.383] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8e41980, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4e8 [0092.384] CloseHandle (hObject=0x4e8) returned 1 [0092.384] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0x1aa5fd28 | out: lpFindFileData=0x1aa5fd28) returned 0 [0092.384] FindClose (in: hFindFile=0x10804988 | out: hFindFile=0x10804988) returned 1 Thread: id = 358 os_tid = 0xbf4 [0091.980] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*.*", lpFindFileData=0x1ab9fd28 | out: lpFindFileData=0x1ab9fd28) returned 0x10804988 [0092.505] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.505] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0x1ab9fd28 | out: lpFindFileData=0x1ab9fd28) returned 1 [0092.505] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.505] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.505] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0x1ab9fd28 | out: lpFindFileData=0x1ab9fd28) returned 0 [0092.505] FindClose (in: hFindFile=0x10804988 | out: hFindFile=0x10804988) returned 1 Thread: id = 359 os_tid = 0xbfc [0091.981] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\*.*", lpFindFileData=0x1acdfd28 | out: lpFindFileData=0x1acdfd28) returned 0x10804988 [0092.503] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.504] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0x1acdfd28 | out: lpFindFileData=0x1acdfd28) returned 1 [0092.504] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.504] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.504] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0x1acdfd28 | out: lpFindFileData=0x1acdfd28) returned 1 [0092.504] lstrcmpW (lpString1=".", lpString2="WindowsAIK") returned -1 [0092.504] lstrcmpW (lpString1="..", lpString2="WindowsAIK") returned -1 [0092.504] lstrcmpiW (lpString1="windows", lpString2="WindowsAIK") returned -1 [0092.504] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\*.*" [0092.504] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\*.*") returned 46 [0092.504] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\", lpString2="WindowsAIK" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK" [0092.504] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*.*" [0092.504] GlobalMemoryStatus (in: lpBuffer=0x1acdfd08 | out: lpBuffer=0x1acdfd08) [0092.504] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8bc8f50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x398 [0092.505] CloseHandle (hObject=0x398) returned 1 [0092.505] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0x1acdfd28 | out: lpFindFileData=0x1acdfd28) returned 0 [0092.505] FindClose (in: hFindFile=0x10804988 | out: hFindFile=0x10804988) returned 1 Thread: id = 360 os_tid = 0x984 [0091.981] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*.*", lpFindFileData=0x1ae1fd28 | out: lpFindFileData=0x1ae1fd28) returned 0x10804988 [0092.506] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.506] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0x1ae1fd28 | out: lpFindFileData=0x1ae1fd28) returned 1 [0092.506] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.506] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.506] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0x1ae1fd28 | out: lpFindFileData=0x1ae1fd28) returned 1 [0092.506] lstrcmpW (lpString1=".", lpString2="MachineKeys") returned -1 [0092.506] lstrcmpW (lpString1="..", lpString2="MachineKeys") returned -1 [0092.506] lstrcmpiW (lpString1="windows", lpString2="MachineKeys") returned 1 [0092.506] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*.*" [0092.506] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*.*") returned 43 [0092.506] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\", lpString2="MachineKeys" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys" [0092.506] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*.*" [0092.506] GlobalMemoryStatus (in: lpBuffer=0x1ae1fd08 | out: lpBuffer=0x1ae1fd08) [0092.506] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10ede3f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x398 [0092.507] CloseHandle (hObject=0x398) returned 1 [0092.507] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0x1ae1fd28 | out: lpFindFileData=0x1ae1fd28) returned 1 [0092.507] lstrcmpW (lpString1=".", lpString2="S-1-5-18") returned -1 [0092.507] lstrcmpW (lpString1="..", lpString2="S-1-5-18") returned -1 [0092.507] lstrcmpiW (lpString1="windows", lpString2="S-1-5-18") returned 1 [0092.507] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*.*" [0092.507] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*.*") returned 43 [0092.507] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\", lpString2="S-1-5-18" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18" [0092.507] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*" [0092.507] GlobalMemoryStatus (in: lpBuffer=0x1ae1fd08 | out: lpBuffer=0x1ae1fd08) [0092.507] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10ef6458, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x398 [0092.508] CloseHandle (hObject=0x398) returned 1 [0092.508] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0x1ae1fd28 | out: lpFindFileData=0x1ae1fd28) returned 0 [0092.508] FindClose (in: hFindFile=0x10804988 | out: hFindFile=0x10804988) returned 1 Thread: id = 361 os_tid = 0x980 [0091.985] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\*.*", lpFindFileData=0x1af5fd28 | out: lpFindFileData=0x1af5fd28) returned 0x10804988 [0092.508] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.509] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0x1af5fd28 | out: lpFindFileData=0x1af5fd28) returned 1 [0092.509] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.509] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.509] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0x1af5fd28 | out: lpFindFileData=0x1af5fd28) returned 1 [0092.509] lstrcpyW (in: lpString1=0x5a88460, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\*.*" [0092.509] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\*.*") returned 50 [0092.509] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\How To Restore Files.hta" [0092.509] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\how to restore files.hta")) returned 0xffffffff [0092.509] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0094.553] WriteFile (in: hFile=0x320, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1af5fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1af5fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.554] CloseHandle (hObject=0x320) returned 1 [0094.554] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.930] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848") returned 1 [0094.930] lstrlenW (lpString="6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848") returned 69 [0094.930] lstrcmpiW (lpString1=".LyaS", lpString2="20848") returned -1 [0094.930] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\*.*" [0094.930] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\*.*") returned 50 [0094.930] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\", lpString2="6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848" [0094.930] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848" [0094.930] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848 id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848 id-Br3n0G72wUb8CejT.LyaS" [0094.930] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848 id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848 id-br3n0g72wub8cejt.lyas")) returned 1 [0095.084] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848 id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848 id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5d4 [0095.084] CreateFileMappingA (hFile=0x5d4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4ac [0095.084] CryptAcquireContextA (in: phProv=0x1af5fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1af5fce4*=0x1083cd28) returned 1 [0095.085] CryptGenKey (in: hProv=0x1083cd28, Algid=0x6610, dwFlags=0x1, phKey=0x1af5fce0 | out: phKey=0x1af5fce0*=0x5c90d0) returned 1 [0095.085] CryptExportKey (in: hKey=0x5c90d0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1af5fbdc, pdwDataLen=0x1af5fcdc | out: pbData=0x1af5fbdc*, pdwDataLen=0x1af5fcdc*=0x2c) returned 1 [0095.085] MapViewOfFile (hFileMappingObject=0x4ac, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x600) returned 0x31e0000 [0096.350] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1af5fbdc*, pdwDataLen=0x1af5fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x1af5fbdc*, pdwDataLen=0x1af5fcf0*=0x100) returned 1 [0096.351] CryptEncrypt (in: hKey=0x5c90d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x31e0000*, pdwDataLen=0x1af5fcdc*=0x600, dwBufLen=0x600 | out: pbData=0x31e0000*, pdwDataLen=0x1af5fcdc*=0x600) returned 1 [0096.351] UnmapViewOfFile (lpBaseAddress=0x31e0000) returned 1 [0096.351] CloseHandle (hObject=0x4ac) returned 1 [0096.351] CryptDestroyKey (hKey=0x5c90d0) returned 1 [0096.351] CryptReleaseContext (hProv=0x1083cd28, dwFlags=0x0) returned 1 [0096.351] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.351] WriteFile (in: hFile=0x5d4, lpBuffer=0x1af5fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1af5fcf0, lpOverlapped=0x0 | out: lpBuffer=0x1af5fbdc*, lpNumberOfBytesWritten=0x1af5fcf0*=0x100, lpOverlapped=0x0) returned 1 [0096.625] WriteFile (in: hFile=0x5d4, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1af5fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x1af5fcf0*=0x500, lpOverlapped=0x0) returned 1 [0096.625] CloseHandle (hObject=0x5d4) returned 1 [0096.626] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848 id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0101.012] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0x1af5fd28 | out: lpFindFileData=0x1af5fd28) returned 0 [0101.012] FindClose (in: hFindFile=0x10804988 | out: hFindFile=0x10804988) returned 1 Thread: id = 362 os_tid = 0xa7c [0091.986] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\*.*", lpFindFileData=0x740fd28 | out: lpFindFileData=0x740fd28) returned 0x2c9e9c8 [0092.813] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.813] FindNextFileW (in: hFindFile=0x2c9e9c8, lpFindFileData=0x740fd28 | out: lpFindFileData=0x740fd28) returned 1 [0092.813] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.813] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.813] FindNextFileW (in: hFindFile=0x2c9e9c8, lpFindFileData=0x740fd28 | out: lpFindFileData=0x740fd28) returned 1 [0092.813] lstrcpyW (in: lpString1=0x89c0668, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\*.*" [0092.813] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\*.*") returned 48 [0092.813] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\How To Restore Files.hta" [0092.813] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\how to restore files.hta")) returned 0xffffffff [0092.813] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x584 [0092.814] WriteFile (in: hFile=0x584, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x740fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x740fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0092.815] CloseHandle (hObject=0x584) returned 1 [0092.815] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.931] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ppcrlconfig600.dll") returned -1 [0094.933] lstrlenW (lpString="ppcrlconfig600.dll") returned 18 [0094.933] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\*.*" [0094.933] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\*.*") returned 48 [0094.933] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\", lpString2="ppcrlconfig600.dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll" [0094.933] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll" [0094.933] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll id-Br3n0G72wUb8CejT.LyaS" [0094.933] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\ppcrlconfig600.dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\ppcrlconfig600.dll id-br3n0g72wub8cejt.lyas")) returned 1 [0095.157] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\ppcrlconfig600.dll id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x61c [0095.160] CreateFileMappingA (hFile=0x61c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x470 [0095.160] CryptAcquireContextA (in: phProv=0x740fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x740fce4*=0x1083d1f0) returned 1 [0095.161] CryptGenKey (in: hProv=0x1083d1f0, Algid=0x6610, dwFlags=0x1, phKey=0x740fce0 | out: phKey=0x740fce0*=0x5c8dd0) returned 1 [0095.161] CryptExportKey (in: hKey=0x5c8dd0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x740fbdc, pdwDataLen=0x740fcdc | out: pbData=0x740fbdc*, pdwDataLen=0x740fcdc*=0x2c) returned 1 [0095.161] MapViewOfFile (hFileMappingObject=0x470, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5ec0) returned 0x31f0000 [0096.352] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x740fbdc*, pdwDataLen=0x740fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x740fbdc*, pdwDataLen=0x740fcf0*=0x100) returned 1 [0096.352] CryptEncrypt (in: hKey=0x5c8dd0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x31f0000, pdwDataLen=0x740fcdc*=0x5ec0, dwBufLen=0x5ec0 | out: pbData=0x31f0000*, pdwDataLen=0x740fcdc*=0x5ec0) returned 1 [0096.353] UnmapViewOfFile (lpBaseAddress=0x31f0000) returned 1 [0096.353] CloseHandle (hObject=0x470) returned 1 [0096.354] CryptDestroyKey (hKey=0x5c8dd0) returned 1 [0096.354] CryptReleaseContext (hProv=0x1083d1f0, dwFlags=0x0) returned 1 [0096.354] SetFilePointerEx (in: hFile=0x61c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.354] WriteFile (in: hFile=0x61c, lpBuffer=0x740fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x740fcf0, lpOverlapped=0x0 | out: lpBuffer=0x740fbdc*, lpNumberOfBytesWritten=0x740fcf0*=0x100, lpOverlapped=0x0) returned 1 [0096.616] WriteFile (in: hFile=0x61c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x740fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x740fcf0*=0x500, lpOverlapped=0x0) returned 1 [0096.617] CloseHandle (hObject=0x61c) returned 1 [0096.623] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0096.624] FindNextFileW (in: hFindFile=0x2c9e9c8, lpFindFileData=0x740fd28 | out: lpFindFileData=0x740fd28) returned 0 [0096.624] FindClose (in: hFindFile=0x2c9e9c8 | out: hFindFile=0x2c9e9c8) returned 1 Thread: id = 363 os_tid = 0xa60 [0091.986] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\*.*", lpFindFileData=0x7e0fd28 | out: lpFindFileData=0x7e0fd28) returned 0x108058c8 [0092.810] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.810] FindNextFileW (in: hFindFile=0x108058c8, lpFindFileData=0x7e0fd28 | out: lpFindFileData=0x7e0fd28) returned 1 [0092.810] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.810] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.810] FindNextFileW (in: hFindFile=0x108058c8, lpFindFileData=0x7e0fd28 | out: lpFindFileData=0x7e0fd28) returned 1 [0092.810] lstrcpyW (in: lpString1=0x89b8660, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\*.*" [0092.810] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\*.*") returned 55 [0092.810] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\How To Restore Files.hta" [0092.810] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\how to restore files.hta")) returned 0xffffffff [0092.811] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0094.570] WriteFile (in: hFile=0x354, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x7e0fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x7e0fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.571] CloseHandle (hObject=0x354) returned 1 [0094.571] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.927] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ppcrlconfig600.dll") returned -1 [0094.927] lstrlenW (lpString="ppcrlconfig600.dll") returned 18 [0094.927] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\*.*" [0094.927] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\*.*") returned 55 [0094.927] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\", lpString2="ppcrlconfig600.dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll" [0094.927] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll" [0094.927] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll id-Br3n0G72wUb8CejT.LyaS" [0094.927] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\ppcrlconfig600.dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\ppcrlconfig600.dll id-br3n0g72wub8cejt.lyas")) returned 1 [0096.630] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\ppcrlconfig600.dll id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0096.630] CreateFileMappingA (hFile=0x388, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x414 [0096.630] CryptAcquireContextA (in: phProv=0x7e0fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x7e0fce4*=0x1083d7c8) returned 1 [0096.631] CryptGenKey (in: hProv=0x1083d7c8, Algid=0x6610, dwFlags=0x1, phKey=0x7e0fce0 | out: phKey=0x7e0fce0*=0x5c8dd0) returned 1 [0096.631] CryptExportKey (in: hKey=0x5c8dd0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x7e0fbdc, pdwDataLen=0x7e0fcdc | out: pbData=0x7e0fbdc*, pdwDataLen=0x7e0fcdc*=0x2c) returned 1 [0096.631] MapViewOfFile (hFileMappingObject=0x414, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x60e0) returned 0x30c0000 [0099.093] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x7e0fbdc*, pdwDataLen=0x7e0fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x7e0fbdc*, pdwDataLen=0x7e0fcf0*=0x100) returned 1 [0099.094] CryptEncrypt (in: hKey=0x5c8dd0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30c0000, pdwDataLen=0x7e0fcdc*=0x60e0, dwBufLen=0x60e0 | out: pbData=0x30c0000*, pdwDataLen=0x7e0fcdc*=0x60e0) returned 1 [0099.094] UnmapViewOfFile (lpBaseAddress=0x30c0000) returned 1 [0099.095] CloseHandle (hObject=0x414) returned 1 [0099.095] CryptDestroyKey (hKey=0x5c8dd0) returned 1 [0099.095] CryptReleaseContext (hProv=0x1083d7c8, dwFlags=0x0) returned 1 [0099.095] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.095] WriteFile (hFile=0x388, lpBuffer=0x7e0fbdc, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x7e0fcf0, lpOverlapped=0x0) Thread: id = 364 os_tid = 0xa80 [0091.986] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*.*", lpFindFileData=0x7ccfd28 | out: lpFindFileData=0x7ccfd28) returned 0x2c9e788 [0093.280] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.280] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x7ccfd28 | out: lpFindFileData=0x7ccfd28) returned 1 [0093.280] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.280] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.280] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x7ccfd28 | out: lpFindFileData=0x7ccfd28) returned 1 [0093.280] lstrcmpW (lpString1=".", lpString2="{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned -1 [0093.280] lstrcmpW (lpString1="..", lpString2="{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned -1 [0093.280] lstrcmpiW (lpString1="windows", lpString2="{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned 1 [0094.116] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*.*" [0094.116] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*.*") returned 52 [0094.116] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\", lpString2="{113527a4-45d4-4b6f-b567-97838f1b04b0}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}" [0094.116] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" [0094.116] GlobalMemoryStatus (in: lpBuffer=0x7ccfd08 | out: lpBuffer=0x7ccfd08) [0094.116] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5a703f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x46c [0094.117] CloseHandle (hObject=0x46c) returned 1 [0094.117] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x7ccfd28 | out: lpFindFileData=0x7ccfd28) returned 1 [0094.117] lstrcmpW (lpString1=".", lpString2="{8702d817-5aad-4674-9ef3-4d3decd87120}") returned -1 [0094.117] lstrcmpW (lpString1="..", lpString2="{8702d817-5aad-4674-9ef3-4d3decd87120}") returned -1 [0094.117] lstrcmpiW (lpString1="windows", lpString2="{8702d817-5aad-4674-9ef3-4d3decd87120}") returned 1 [0094.117] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*.*" [0094.117] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*.*") returned 52 [0094.117] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\", lpString2="{8702d817-5aad-4674-9ef3-4d3decd87120}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}" [0094.117] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" [0094.117] GlobalMemoryStatus (in: lpBuffer=0x7ccfd08 | out: lpBuffer=0x7ccfd08) [0094.118] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5c10ae8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x46c [0094.118] CloseHandle (hObject=0x46c) returned 1 [0094.119] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x7ccfd28 | out: lpFindFileData=0x7ccfd28) returned 0 [0094.119] FindClose (in: hFindFile=0x2c9e788 | out: hFindFile=0x2c9e788) returned 1 Thread: id = 365 os_tid = 0xa50 [0091.986] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*.*", lpFindFileData=0x1b09fd28 | out: lpFindFileData=0x1b09fd28) returned 0x2c9ed88 [0093.425] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.425] FindNextFileW (in: hFindFile=0x2c9ed88, lpFindFileData=0x1b09fd28 | out: lpFindFileData=0x1b09fd28) returned 1 [0093.488] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.488] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.488] FindNextFileW (in: hFindFile=0x2c9ed88, lpFindFileData=0x1b09fd28 | out: lpFindFileData=0x1b09fd28) returned 1 [0093.488] lstrcmpW (lpString1=".", lpString2="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned -1 [0093.488] lstrcmpW (lpString1="..", lpString2="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned -1 [0093.488] lstrcmpiW (lpString1="windows", lpString2="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned 1 [0093.488] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*.*" [0093.488] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*.*") returned 50 [0093.488] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\", lpString2="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" [0093.488] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*" [0093.488] GlobalMemoryStatus (in: lpBuffer=0x1b09fd08 | out: lpBuffer=0x1b09fd08) [0093.489] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10fb6798, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x650 [0093.489] CloseHandle (hObject=0x650) returned 1 [0093.489] FindNextFileW (in: hFindFile=0x2c9ed88, lpFindFileData=0x1b09fd28 | out: lpFindFileData=0x1b09fd28) returned 1 [0093.489] lstrcmpW (lpString1=".", lpString2="{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned -1 [0093.489] lstrcmpW (lpString1="..", lpString2="{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned -1 [0093.489] lstrcmpiW (lpString1="windows", lpString2="{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned 1 [0093.498] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*.*" [0093.498] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*.*") returned 50 [0093.498] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\", lpString2="{e35be42d-f742-4d96-a50a-1775fb1a7a42}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}" [0093.498] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*" [0093.498] GlobalMemoryStatus (in: lpBuffer=0x1b09fd08 | out: lpBuffer=0x1b09fd08) [0093.498] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x20d60048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x650 [0093.498] CloseHandle (hObject=0x650) returned 1 [0093.498] FindNextFileW (in: hFindFile=0x2c9ed88, lpFindFileData=0x1b09fd28 | out: lpFindFileData=0x1b09fd28) returned 0 [0093.499] FindClose (in: hFindFile=0x2c9ed88 | out: hFindFile=0x2c9ed88) returned 1 Thread: id = 366 os_tid = 0x2e4 [0091.987] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi\\*.*", lpFindFileData=0x768fd28 | out: lpFindFileData=0x768fd28) returned 0x10804988 [0092.378] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.378] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0x768fd28 | out: lpFindFileData=0x768fd28) returned 1 [0092.378] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.378] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.378] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0x768fd28 | out: lpFindFileData=0x768fd28) returned 0 [0092.378] FindClose (in: hFindFile=0x10804988 | out: hFindFile=0x10804988) returned 1 Thread: id = 367 os_tid = 0x2cc [0091.988] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*.*", lpFindFileData=0x754fd28 | out: lpFindFileData=0x754fd28) returned 0x2c9e5c8 [0093.297] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.297] FindNextFileW (in: hFindFile=0x2c9e5c8, lpFindFileData=0x754fd28 | out: lpFindFileData=0x754fd28) returned 1 [0093.297] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.297] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.297] FindNextFileW (in: hFindFile=0x2c9e5c8, lpFindFileData=0x754fd28 | out: lpFindFileData=0x754fd28) returned 1 [0093.297] lstrcmpW (lpString1=".", lpString2="ApplicationViewsRootNode") returned -1 [0093.297] lstrcmpW (lpString1="..", lpString2="ApplicationViewsRootNode") returned -1 [0093.297] lstrcmpiW (lpString1="windows", lpString2="ApplicationViewsRootNode") returned 1 [0094.059] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*.*" [0094.059] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*.*") returned 51 [0094.059] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\", lpString2="ApplicationViewsRootNode" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode" [0094.059] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*.*" [0094.059] GlobalMemoryStatus (in: lpBuffer=0x754fd08 | out: lpBuffer=0x754fd08) [0094.059] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x106984c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4d0 [0094.060] CloseHandle (hObject=0x4d0) returned 1 [0094.060] FindNextFileW (in: hFindFile=0x2c9e5c8, lpFindFileData=0x754fd28 | out: lpFindFileData=0x754fd28) returned 0 [0094.060] FindClose (in: hFindFile=0x2c9e5c8 | out: hFindFile=0x2c9e5c8) returned 1 Thread: id = 368 os_tid = 0xb20 [0091.988] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*.*", lpFindFileData=0x7b8fd28 | out: lpFindFileData=0x7b8fd28) returned 0x2c9e808 [0093.281] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.281] FindNextFileW (in: hFindFile=0x2c9e808, lpFindFileData=0x7b8fd28 | out: lpFindFileData=0x7b8fd28) returned 1 [0093.281] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.281] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.281] FindNextFileW (in: hFindFile=0x2c9e808, lpFindFileData=0x7b8fd28 | out: lpFindFileData=0x7b8fd28) returned 0 [0093.281] FindClose (in: hFindFile=0x2c9e808 | out: hFindFile=0x2c9e808) returned 1 Thread: id = 369 os_tid = 0xb18 [0091.989] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\*.*", lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 0x10804e48 [0092.364] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.364] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0092.364] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.364] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.364] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 1 [0092.364] lstrcpyW (in: lpString1=0x5b28730, lpString2="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\*.*") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\*.*" [0092.364] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\*.*") returned 52 [0092.364] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\How To Restore Files.hta" [0092.364] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\How To Restore Files.hta" (normalized: "c:\\programdata\\oracle\\java\\.oracle_jre_usage\\how to restore files.hta")) returned 0xffffffff [0092.364] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\How To Restore Files.hta" (normalized: "c:\\programdata\\oracle\\java\\.oracle_jre_usage\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4ac [0094.544] WriteFile (in: hFile=0x4ac, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x2e7fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2e7fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.545] CloseHandle (hObject=0x4ac) returned 1 [0094.546] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0095.209] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="17dfc292991c7c24.timestamp") returned 1 [0095.209] lstrlenW (lpString="17dfc292991c7c24.timestamp") returned 26 [0095.209] lstrcmpiW (lpString1=".LyaS", lpString2="stamp") returned -1 [0095.210] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\*.*") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\*.*" [0095.210] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\*.*") returned 52 [0095.210] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\", lpString2="17dfc292991c7c24.timestamp" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c24.timestamp") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c24.timestamp" [0095.210] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c24.timestamp" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c24.timestamp") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c24.timestamp" [0095.210] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c24.timestamp", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c24.timestamp id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c24.timestamp id-Br3n0G72wUb8CejT.LyaS" [0095.210] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c24.timestamp" (normalized: "c:\\programdata\\oracle\\java\\.oracle_jre_usage\\17dfc292991c7c24.timestamp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c24.timestamp id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\oracle\\java\\.oracle_jre_usage\\17dfc292991c7c24.timestamp id-br3n0g72wub8cejt.lyas")) returned 1 [0095.211] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c24.timestamp id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\oracle\\java\\.oracle_jre_usage\\17dfc292991c7c24.timestamp id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b4 [0095.211] CreateFileMappingA (hFile=0x5b4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4b4 [0095.211] CryptAcquireContextA (in: phProv=0x2e7fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2e7fce4*=0x1083d058) returned 1 [0095.212] CryptGenKey (in: hProv=0x1083d058, Algid=0x6610, dwFlags=0x1, phKey=0x2e7fce0 | out: phKey=0x2e7fce0*=0x5c8f10) returned 1 [0095.212] CryptExportKey (in: hKey=0x5c8f10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2e7fbdc, pdwDataLen=0x2e7fcdc | out: pbData=0x2e7fbdc*, pdwDataLen=0x2e7fcdc*=0x2c) returned 1 [0095.212] MapViewOfFile (hFileMappingObject=0x4b4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x20) returned 0x4dd0000 [0095.239] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2e7fbdc*, pdwDataLen=0x2e7fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x2e7fbdc*, pdwDataLen=0x2e7fcf0*=0x100) returned 1 [0095.239] CryptEncrypt (in: hKey=0x5c8f10, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4dd0000*, pdwDataLen=0x2e7fcdc*=0x20, dwBufLen=0x20 | out: pbData=0x4dd0000*, pdwDataLen=0x2e7fcdc*=0x20) returned 1 [0095.239] UnmapViewOfFile (lpBaseAddress=0x4dd0000) returned 1 [0095.239] CloseHandle (hObject=0x4b4) returned 1 [0095.239] CryptDestroyKey (hKey=0x5c8f10) returned 1 [0095.240] CryptReleaseContext (hProv=0x1083d058, dwFlags=0x0) returned 1 [0095.240] SetFilePointerEx (in: hFile=0x5b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.240] WriteFile (in: hFile=0x5b4, lpBuffer=0x2e7fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2e7fcf0, lpOverlapped=0x0 | out: lpBuffer=0x2e7fbdc*, lpNumberOfBytesWritten=0x2e7fcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.241] WriteFile (in: hFile=0x5b4, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x2e7fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x2e7fcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.245] CloseHandle (hObject=0x5b4) returned 1 [0095.247] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c24.timestamp id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0095.247] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0x2e7fd28 | out: lpFindFileData=0x2e7fd28) returned 0 [0095.247] FindClose (in: hFindFile=0x10804e48 | out: hFindFile=0x10804e48) returned 1 Thread: id = 370 os_tid = 0xa44 [0091.990] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\*.*", lpFindFileData=0x35bfd28 | out: lpFindFileData=0x35bfd28) returned 0x10804e88 [0092.365] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.365] FindNextFileW (in: hFindFile=0x10804e88, lpFindFileData=0x35bfd28 | out: lpFindFileData=0x35bfd28) returned 1 [0092.365] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.366] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.366] FindNextFileW (in: hFindFile=0x10804e88, lpFindFileData=0x35bfd28 | out: lpFindFileData=0x35bfd28) returned 1 [0092.366] lstrcpyW (in: lpString1=0x5b30738, lpString2="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\*.*") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\*.*" [0092.366] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\*.*") returned 51 [0092.366] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\How To Restore Files.hta" [0092.366] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\How To Restore Files.hta" (normalized: "c:\\programdata\\oracle\\java\\installcache_x64\\how to restore files.hta")) returned 0xffffffff [0092.366] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\How To Restore Files.hta" (normalized: "c:\\programdata\\oracle\\java\\installcache_x64\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4dc [0092.368] WriteFile (in: hFile=0x4dc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x35bfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x35bfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0092.369] CloseHandle (hObject=0x4dc) returned 1 [0092.369] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0092.370] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="baseimagefam8") returned 1 [0092.370] lstrlenW (lpString="baseimagefam8") returned 13 [0092.370] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\*.*") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\*.*" [0092.370] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\*.*") returned 51 [0092.370] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\", lpString2="baseimagefam8" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\baseimagefam8") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\baseimagefam8" [0092.370] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\baseimagefam8" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\baseimagefam8") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\baseimagefam8" [0092.370] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\baseimagefam8", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\baseimagefam8 id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\baseimagefam8 id-Br3n0G72wUb8CejT.LyaS" [0092.370] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\baseimagefam8" (normalized: "c:\\programdata\\oracle\\java\\installcache_x64\\baseimagefam8"), lpNewFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\baseimagefam8 id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\oracle\\java\\installcache_x64\\baseimagefam8 id-br3n0g72wub8cejt.lyas")) returned 1 [0094.552] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\baseimagefam8 id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\oracle\\java\\installcache_x64\\baseimagefam8 id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5bc [0094.552] CreateFileMappingA (hFile=0x5bc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4ac [0094.552] CryptAcquireContextA (in: phProv=0x35bfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x35bfce4*=0x1083d5a8) returned 1 [0094.935] CryptGenKey (in: hProv=0x1083d5a8, Algid=0x6610, dwFlags=0x1, phKey=0x35bfce0 | out: phKey=0x35bfce0*=0x5c8dd0) returned 1 [0094.935] CryptExportKey (in: hKey=0x5c8dd0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x35bfbdc, pdwDataLen=0x35bfcdc | out: pbData=0x35bfbdc*, pdwDataLen=0x35bfcdc*=0x2c) returned 1 [0094.935] MapViewOfFile (hFileMappingObject=0x4ac, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x280f0000 [0094.961] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x35bfbdc*, pdwDataLen=0x35bfcf0*=0x40, dwBufLen=0x100 | out: pbData=0x35bfbdc*, pdwDataLen=0x35bfcf0*=0x100) returned 1 [0094.962] CryptEncrypt (in: hKey=0x5c8dd0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x280f0000, pdwDataLen=0x35bfcdc*=0x100000, dwBufLen=0x100000 | out: pbData=0x280f0000*, pdwDataLen=0x35bfcdc*=0x100000) returned 1 [0095.010] UnmapViewOfFile (lpBaseAddress=0x280f0000) returned 1 [0095.020] CloseHandle (hObject=0x4ac) returned 1 [0095.021] CryptDestroyKey (hKey=0x5c8dd0) returned 1 [0095.021] CryptReleaseContext (hProv=0x1083d5a8, dwFlags=0x0) returned 1 [0095.021] SetFilePointerEx (in: hFile=0x5bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.021] WriteFile (in: hFile=0x5bc, lpBuffer=0x35bfbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x35bfcf0, lpOverlapped=0x0 | out: lpBuffer=0x35bfbdc*, lpNumberOfBytesWritten=0x35bfcf0*=0x100, lpOverlapped=0x0) returned 1 [0095.029] WriteFile (in: hFile=0x5bc, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x35bfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x35bfcf0*=0x500, lpOverlapped=0x0) returned 1 [0095.029] CloseHandle (hObject=0x5bc) Thread: id = 371 os_tid = 0x41c [0091.990] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\*.*", lpFindFileData=0x3bffd28 | out: lpFindFileData=0x3bffd28) returned 0x10804cc8 [0092.228] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.228] FindNextFileW (in: hFindFile=0x10804cc8, lpFindFileData=0x3bffd28 | out: lpFindFileData=0x3bffd28) returned 1 [0092.228] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.228] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.228] FindNextFileW (in: hFindFile=0x10804cc8, lpFindFileData=0x3bffd28 | out: lpFindFileData=0x3bffd28) returned 1 [0092.228] lstrcpyW (in: lpString1=0x3ec5e90, lpString2="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\*.*") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\*.*" [0092.228] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\*.*") returned 43 [0092.228] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\How To Restore Files.hta" [0092.228] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\How To Restore Files.hta" (normalized: "c:\\programdata\\oracle\\java\\javapath\\how to restore files.hta")) returned 0xffffffff [0092.229] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\How To Restore Files.hta" (normalized: "c:\\programdata\\oracle\\java\\javapath\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a4 [0096.349] WriteFile (in: hFile=0x2a4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x3bffcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x3bffcf0*=0x38e, lpOverlapped=0x0) returned 1 [0096.627] CloseHandle (hObject=0x2a4) returned 1 [0096.628] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0096.993] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="java.exe") returned -1 [0096.993] lstrlenW (lpString="java.exe") returned 8 [0096.993] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\*.*") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\*.*" [0096.994] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\*.*") returned 43 [0096.994] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\", lpString2="java.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\java.exe") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\java.exe" [0096.994] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\java.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\java.exe") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\java.exe" [0096.994] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\java.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\java.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\java.exe id-Br3n0G72wUb8CejT.LyaS" [0096.994] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\java.exe" (normalized: "c:\\programdata\\oracle\\java\\javapath\\java.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\java.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\oracle\\java\\javapath\\java.exe id-br3n0g72wub8cejt.lyas")) Thread: id = 372 os_tid = 0x754 [0091.990] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\*.*", lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 0x5c8710 [0096.267] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.267] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 1 [0096.727] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0096.727] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.727] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 1 [0096.991] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\*.*") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\*.*" [0096.991] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\*.*") returned 58 [0096.991] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\How To Restore Files.hta" [0096.991] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\How To Restore Files.hta" (normalized: "c:\\programdata\\oracle\\java\\javapath_target_5923062\\how to restore files.hta")) returned 0x1 [0096.991] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="How To Restore Files.hta") returned 0 [0096.991] FindNextFileW (in: hFindFile=0x5c8710, lpFindFileData=0x3d3fd28 | out: lpFindFileData=0x3d3fd28) returned 1 [0096.991] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\*.*") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\*.*" [0096.991] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\*.*") returned 58 [0096.991] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\How To Restore Files.hta" [0096.991] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\How To Restore Files.hta" (normalized: "c:\\programdata\\oracle\\java\\javapath_target_5923062\\how to restore files.hta")) returned 0x1 [0096.992] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="java.exe") returned -1 [0096.992] lstrlenW (lpString="java.exe") returned 8 [0096.992] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\*.*") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\*.*" [0096.992] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\*.*") returned 58 [0096.992] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\", lpString2="java.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\java.exe") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\java.exe" [0096.992] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\java.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\java.exe") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\java.exe" [0096.992] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\java.exe", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\java.exe id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\java.exe id-Br3n0G72wUb8CejT.LyaS" [0096.992] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\java.exe" (normalized: "c:\\programdata\\oracle\\java\\javapath_target_5923062\\java.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_5923062\\java.exe id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\oracle\\java\\javapath_target_5923062\\java.exe id-br3n0g72wub8cejt.lyas")) Thread: id = 373 os_tid = 0xc08 [0091.991] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\*.*", lpFindFileData=0x624fd28 | out: lpFindFileData=0x624fd28) returned 0x2c9ec88 [0093.425] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.425] FindNextFileW (in: hFindFile=0x2c9ec88, lpFindFileData=0x624fd28 | out: lpFindFileData=0x624fd28) returned 1 [0093.499] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.499] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.499] FindNextFileW (in: hFindFile=0x2c9ec88, lpFindFileData=0x624fd28 | out: lpFindFileData=0x624fd28) returned 0 [0093.499] FindClose (in: hFindFile=0x2c9ec88 | out: hFindFile=0x2c9ec88) returned 1 Thread: id = 374 os_tid = 0xc4c [0091.991] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*", lpFindFileData=0x6a0fd28 | out: lpFindFileData=0x6a0fd28) returned 0x5c9410 [0094.290] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.290] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0x6a0fd28 | out: lpFindFileData=0x6a0fd28) returned 1 [0094.290] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0094.291] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.291] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0x6a0fd28 | out: lpFindFileData=0x6a0fd28) returned 1 [0094.291] lstrcpyW (in: lpString1=0x8da96b8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" [0094.291] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned 62 [0094.291] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta" [0094.291] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\how to restore files.hta")) returned 0xffffffff [0094.291] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4ec [0094.584] WriteFile (in: hFile=0x4ec, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x6a0fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x6a0fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.585] CloseHandle (hObject=0x4ec) returned 1 [0094.585] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.921] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="WINDOWS.DIAGNOSTICS.xml") returned -1 [0094.921] lstrlenW (lpString="WINDOWS.DIAGNOSTICS.xml") returned 23 [0094.921] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" [0094.921] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned 62 [0094.921] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="WINDOWS.DIAGNOSTICS.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml" [0094.921] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml" [0094.921] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml id-Br3n0G72wUb8CejT.LyaS" [0094.921] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.diagnostics.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.diagnostics.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0096.320] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0x6a0fd28 | out: lpFindFileData=0x6a0fd28) returned 1 [0097.236] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" [0097.236] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned 62 [0097.236] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta" [0097.236] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\how to restore files.hta")) returned 0x1 [0097.237] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="WINDOWS.DIAGNOSTICS.xml.new") returned -1 [0097.237] lstrlenW (lpString="WINDOWS.DIAGNOSTICS.xml.new") returned 27 [0097.237] lstrcmpiW (lpString1=".LyaS", lpString2="l.new") returned -1 [0097.237] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" [0097.237] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned 62 [0097.237] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="WINDOWS.DIAGNOSTICS.xml.new" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml.new") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml.new" [0097.237] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml.new" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml.new") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml.new" [0097.237] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml.new", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml.new id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml.new id-Br3n0G72wUb8CejT.LyaS" [0097.237] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml.new" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.diagnostics.xml.new"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml.new id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.diagnostics.xml.new id-br3n0g72wub8cejt.lyas")) returned 0 [0097.241] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0x6a0fd28 | out: lpFindFileData=0x6a0fd28) returned 1 [0097.241] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" [0097.241] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned 62 [0097.241] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta" [0097.241] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\how to restore files.hta")) returned 0x1 [0097.242] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="WINDOWS.PERFTRACKESCALATIONS.xml") returned -1 [0097.242] lstrlenW (lpString="WINDOWS.PERFTRACKESCALATIONS.xml") returned 32 [0097.242] lstrcmpiW (lpString1=".LyaS", lpString2="S.xml") returned -1 [0097.242] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" [0097.242] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned 62 [0097.242] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="WINDOWS.PERFTRACKESCALATIONS.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml" [0097.242] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml" [0097.242] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml id-Br3n0G72wUb8CejT.LyaS" [0097.242] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackescalations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackescalations.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0097.242] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0x6a0fd28 | out: lpFindFileData=0x6a0fd28) returned 1 [0097.242] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" [0097.242] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned 62 [0097.242] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta" [0097.242] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\how to restore files.hta")) returned 0x1 [0097.243] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="WINDOWS.PERFTRACKESCALATIONS.xml.new") returned -1 [0097.243] lstrlenW (lpString="WINDOWS.PERFTRACKESCALATIONS.xml.new") returned 36 [0097.243] lstrcmpiW (lpString1=".LyaS", lpString2="l.new") returned -1 [0097.243] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" [0097.243] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned 62 [0097.243] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="WINDOWS.PERFTRACKESCALATIONS.xml.new" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml.new") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml.new" [0097.243] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml.new" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml.new") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml.new" [0097.243] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml.new", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml.new id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml.new id-Br3n0G72wUb8CejT.LyaS" [0097.243] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml.new" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackescalations.xml.new"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml.new id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackescalations.xml.new id-br3n0g72wub8cejt.lyas")) returned 0 [0097.243] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0x6a0fd28 | out: lpFindFileData=0x6a0fd28) returned 1 [0097.243] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" [0097.243] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned 62 [0097.243] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta" [0097.243] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\how to restore files.hta")) returned 0x1 [0097.244] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="WINDOWS.PERFTRACKPOINTDATA.xml") returned -1 [0097.244] lstrlenW (lpString="WINDOWS.PERFTRACKPOINTDATA.xml") returned 30 [0097.244] lstrcmpiW (lpString1=".LyaS", lpString2="A.xml") returned -1 [0097.244] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" [0097.244] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned 62 [0097.244] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="WINDOWS.PERFTRACKPOINTDATA.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml" [0097.244] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml" [0097.244] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml id-Br3n0G72wUb8CejT.LyaS" [0097.244] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackpointdata.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackpointdata.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0098.114] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0x6a0fd28 | out: lpFindFileData=0x6a0fd28) returned 1 [0098.114] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" [0098.114] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned 62 [0098.114] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta" [0098.114] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\how to restore files.hta")) returned 0x1 [0098.114] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="WINDOWS.PERFTRACKPOINTDATA.xml.new") returned -1 [0098.114] lstrlenW (lpString="WINDOWS.PERFTRACKPOINTDATA.xml.new") returned 34 [0098.114] lstrcmpiW (lpString1=".LyaS", lpString2="l.new") returned -1 [0098.114] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" [0098.115] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned 62 [0098.115] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="WINDOWS.PERFTRACKPOINTDATA.xml.new" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml.new") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml.new" [0098.115] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml.new" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml.new") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml.new" [0098.115] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml.new", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml.new id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml.new id-Br3n0G72wUb8CejT.LyaS" [0098.115] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml.new" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackpointdata.xml.new"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml.new id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackpointdata.xml.new id-br3n0g72wub8cejt.lyas")) returned 0 [0098.115] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0x6a0fd28 | out: lpFindFileData=0x6a0fd28) returned 1 [0098.115] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" [0098.115] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned 62 [0098.115] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta" [0098.115] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\how to restore files.hta")) returned 0x1 [0098.115] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="WINDOWS.SIUF.xml") returned -1 [0098.115] lstrlenW (lpString="WINDOWS.SIUF.xml") returned 16 [0098.115] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" [0098.115] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned 62 [0098.115] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="WINDOWS.SIUF.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml" [0098.115] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml" [0098.115] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml id-Br3n0G72wUb8CejT.LyaS" [0098.116] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.siuf.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.siuf.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0098.116] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0x6a0fd28 | out: lpFindFileData=0x6a0fd28) returned 1 [0098.116] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" [0098.116] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned 62 [0098.116] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta" [0098.116] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\how to restore files.hta")) returned 0x1 [0098.116] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="WINDOWS.SIUF.xml.new") returned -1 [0098.116] lstrlenW (lpString="WINDOWS.SIUF.xml.new") returned 20 [0098.116] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" [0098.116] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned 62 [0098.116] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="WINDOWS.SIUF.xml.new" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml.new") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml.new" [0098.116] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml.new" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml.new") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml.new" [0098.116] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml.new", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml.new id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml.new id-Br3n0G72wUb8CejT.LyaS" [0098.116] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml.new" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.siuf.xml.new"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml.new id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.siuf.xml.new id-br3n0g72wub8cejt.lyas")) returned 0 [0098.117] FindNextFileW (in: hFindFile=0x5c9410, lpFindFileData=0x6a0fd28 | out: lpFindFileData=0x6a0fd28) returned 1 [0098.117] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" [0098.117] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned 62 [0098.117] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta" [0098.117] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\how to restore files.hta")) returned 0x1 [0098.117] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Windows.Uif.static") returned -1 [0098.117] lstrlenW (lpString="Windows.Uif.static") returned 18 [0098.117] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" [0098.117] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned 62 [0098.117] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="Windows.Uif.static" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\Windows.Uif.static") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\Windows.Uif.static" [0098.117] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\Windows.Uif.static" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\Windows.Uif.static") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\Windows.Uif.static" [0098.117] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\Windows.Uif.static", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\Windows.Uif.static id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\Windows.Uif.static id-Br3n0G72wUb8CejT.LyaS" [0098.117] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\Windows.Uif.static" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.static"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\Windows.Uif.static id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.static id-br3n0g72wub8cejt.lyas")) Thread: id = 375 os_tid = 0x5bc [0091.992] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*", lpFindFileData=0x77cfd28 | out: lpFindFileData=0x77cfd28) returned 0x2c9ee48 [0093.440] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.440] FindNextFileW (in: hFindFile=0x2c9ee48, lpFindFileData=0x77cfd28 | out: lpFindFileData=0x77cfd28) returned 1 [0093.464] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.464] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.464] FindNextFileW (in: hFindFile=0x2c9ee48, lpFindFileData=0x77cfd28 | out: lpFindFileData=0x77cfd28) returned 1 [0093.464] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*" [0093.464] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*") returned 61 [0093.464] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\How To Restore Files.hta" [0093.465] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\how to restore files.hta")) returned 0xffffffff [0093.465] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b4 [0094.615] WriteFile (in: hFile=0x4b4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x77cfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x77cfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0094.616] CloseHandle (hObject=0x4b4) returned 1 [0094.616] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0094.892] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="cfc.flights.json") returned 1 [0094.892] lstrlenW (lpString="cfc.flights.json") returned 16 [0094.892] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*" [0094.892] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*") returned 61 [0094.892] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\", lpString2="cfc.flights.json" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\cfc.flights.json") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\cfc.flights.json" [0094.892] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\cfc.flights.json" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\cfc.flights.json") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\cfc.flights.json" [0094.892] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\cfc.flights.json", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\cfc.flights.json id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\cfc.flights.json id-Br3n0G72wUb8CejT.LyaS" [0094.892] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\cfc.flights.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\cfc.flights.json"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\cfc.flights.json id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\cfc.flights.json id-br3n0g72wub8cejt.lyas")) returned 0 [0096.317] FindNextFileW (in: hFindFile=0x2c9ee48, lpFindFileData=0x77cfd28 | out: lpFindFileData=0x77cfd28) returned 1 [0097.361] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*" [0097.361] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*") returned 61 [0097.361] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\How To Restore Files.hta" [0097.361] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\how to restore files.hta")) returned 0x1 [0097.362] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="telemetry.ASM-WindowsDefault.json") returned -1 [0097.362] lstrlenW (lpString="telemetry.ASM-WindowsDefault.json") returned 33 [0097.362] lstrcmpiW (lpString1=".LyaS", lpString2=".json") returned 1 [0097.362] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*" [0097.362] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*") returned 61 [0097.362] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\", lpString2="telemetry.ASM-WindowsDefault.json" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json" [0097.362] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json" [0097.362] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json id-Br3n0G72wUb8CejT.LyaS" [0097.362] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json id-br3n0g72wub8cejt.lyas")) returned 0 [0097.363] FindNextFileW (in: hFindFile=0x2c9ee48, lpFindFileData=0x77cfd28 | out: lpFindFileData=0x77cfd28) returned 1 [0097.363] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*" [0097.363] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*") returned 61 [0097.363] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\How To Restore Files.hta" [0097.363] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\how to restore files.hta")) returned 0x1 [0097.363] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="telemetry.ASM-WindowsDefault.json.bk") returned -1 [0097.363] lstrlenW (lpString="telemetry.ASM-WindowsDefault.json.bk") returned 36 [0097.363] lstrcmpiW (lpString1=".LyaS", lpString2="on.bk") returned -1 [0097.363] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*" [0097.363] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*") returned 61 [0097.363] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\", lpString2="telemetry.ASM-WindowsDefault.json.bk" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk" [0097.363] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk" [0097.363] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk id-Br3n0G72wUb8CejT.LyaS" [0097.363] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk id-br3n0g72wub8cejt.lyas")) Thread: id = 376 os_tid = 0x7fc [0091.993] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\*.*", lpFindFileData=0x7a4fd28 | out: lpFindFileData=0x7a4fd28) returned 0x2c9edc8 [0093.426] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.426] FindNextFileW (in: hFindFile=0x2c9edc8, lpFindFileData=0x7a4fd28 | out: lpFindFileData=0x7a4fd28) returned 1 [0093.474] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.474] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.474] FindNextFileW (in: hFindFile=0x2c9edc8, lpFindFileData=0x7a4fd28 | out: lpFindFileData=0x7a4fd28) returned 1 [0093.475] lstrcmpW (lpString1=".", lpString2="AutoLogger") returned -1 [0093.475] lstrcmpW (lpString1="..", lpString2="AutoLogger") returned -1 [0093.475] lstrcmpiW (lpString1="windows", lpString2="AutoLogger") returned 1 [0093.475] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\*.*" [0093.475] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\*.*") returned 50 [0093.475] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\", lpString2="AutoLogger" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger" [0093.475] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*.*" [0093.475] GlobalMemoryStatus (in: lpBuffer=0x7a4fd08 | out: lpBuffer=0x7a4fd08) [0093.476] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x114fbcd8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x654 [0093.476] CloseHandle (hObject=0x654) returned 1 [0093.476] FindNextFileW (in: hFindFile=0x2c9edc8, lpFindFileData=0x7a4fd28 | out: lpFindFileData=0x7a4fd28) returned 1 [0093.476] lstrcmpW (lpString1=".", lpString2="ShutdownLogger") returned -1 [0093.476] lstrcmpW (lpString1="..", lpString2="ShutdownLogger") returned -1 [0093.476] lstrcmpiW (lpString1="windows", lpString2="ShutdownLogger") returned 1 [0093.482] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\*.*" [0093.482] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\*.*") returned 50 [0093.482] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\", lpString2="ShutdownLogger" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger" [0093.483] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*.*" [0093.483] GlobalMemoryStatus (in: lpBuffer=0x7a4fd08 | out: lpBuffer=0x7a4fd08) [0093.483] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11513d40, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x654 [0093.483] CloseHandle (hObject=0x654) returned 1 [0093.484] FindNextFileW (in: hFindFile=0x2c9edc8, lpFindFileData=0x7a4fd28 | out: lpFindFileData=0x7a4fd28) returned 0 [0093.484] FindClose (in: hFindFile=0x2c9edc8 | out: hFindFile=0x2c9edc8) returned 1 Thread: id = 377 os_tid = 0xcec [0091.993] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\*.*", lpFindFileData=0x1b1dfd28 | out: lpFindFileData=0x1b1dfd28) returned 0x10804cc8 [0092.218] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.218] FindNextFileW (in: hFindFile=0x10804cc8, lpFindFileData=0x1b1dfd28 | out: lpFindFileData=0x1b1dfd28) returned 1 [0092.218] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.218] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.218] FindNextFileW (in: hFindFile=0x10804cc8, lpFindFileData=0x1b1dfd28 | out: lpFindFileData=0x1b1dfd28) returned 0 [0092.218] FindClose (in: hFindFile=0x10804cc8 | out: hFindFile=0x10804cc8) returned 1 Thread: id = 378 os_tid = 0xd08 [0091.993] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema\\*.*", lpFindFileData=0x1b31fd28 | out: lpFindFileData=0x1b31fd28) returned 0x10804cc8 [0092.219] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.219] FindNextFileW (in: hFindFile=0x10804cc8, lpFindFileData=0x1b31fd28 | out: lpFindFileData=0x1b31fd28) returned 1 [0092.219] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.219] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.219] FindNextFileW (in: hFindFile=0x10804cc8, lpFindFileData=0x1b31fd28 | out: lpFindFileData=0x1b31fd28) returned 0 [0092.219] FindClose (in: hFindFile=0x10804cc8 | out: hFindFile=0x10804cc8) returned 1 Thread: id = 379 os_tid = 0xcf8 [0091.994] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*", lpFindFileData=0x804fd28 | out: lpFindFileData=0x804fd28) returned 0x2c9e888 [0093.289] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.289] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x804fd28 | out: lpFindFileData=0x804fd28) returned 1 [0093.289] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.289] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.289] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x804fd28 | out: lpFindFileData=0x804fd28) returned 1 [0093.289] lstrcmpW (lpString1=".", lpString2="Reader_15.007.20033") returned -1 [0093.289] lstrcmpW (lpString1="..", lpString2="Reader_15.007.20033") returned -1 [0093.289] lstrcmpiW (lpString1="windows", lpString2="Reader_15.007.20033") returned 1 [0094.073] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*" [0094.073] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*") returned 36 [0094.073] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\", lpString2="Reader_15.007.20033" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.007.20033") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.007.20033" [0094.073] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.007.20033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.007.20033\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.007.20033\\*.*" [0094.073] GlobalMemoryStatus (in: lpBuffer=0x804fd08 | out: lpBuffer=0x804fd08) [0094.073] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10da5e58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x59c [0094.074] CloseHandle (hObject=0x59c) returned 1 [0094.074] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x804fd28 | out: lpFindFileData=0x804fd28) returned 1 [0094.074] lstrcmpW (lpString1=".", lpString2="Reader_15.023.20070") returned -1 [0094.074] lstrcmpW (lpString1="..", lpString2="Reader_15.023.20070") returned -1 [0094.074] lstrcmpiW (lpString1="windows", lpString2="Reader_15.023.20070") returned 1 [0094.079] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*" [0094.079] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*") returned 36 [0094.079] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\", lpString2="Reader_15.023.20070" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.023.20070") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.023.20070" [0094.079] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.023.20070", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.023.20070\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.023.20070\\*.*" [0094.079] GlobalMemoryStatus (in: lpBuffer=0x804fd08 | out: lpBuffer=0x804fd08) [0094.079] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x213a9278, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x59c [0094.080] CloseHandle (hObject=0x59c) returned 1 [0094.080] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x804fd28 | out: lpFindFileData=0x804fd28) returned 1 [0094.080] lstrcmpW (lpString1=".", lpString2="Reader_17.009.20058") returned -1 [0094.080] lstrcmpW (lpString1="..", lpString2="Reader_17.009.20058") returned -1 [0094.080] lstrcmpiW (lpString1="windows", lpString2="Reader_17.009.20058") returned 1 [0094.081] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*" [0094.081] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*") returned 36 [0094.081] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\", lpString2="Reader_17.009.20058" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_17.009.20058") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_17.009.20058" [0094.081] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_17.009.20058", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_17.009.20058\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_17.009.20058\\*.*" [0094.081] GlobalMemoryStatus (in: lpBuffer=0x804fd08 | out: lpBuffer=0x804fd08) [0094.082] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x213c12e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x59c [0094.083] CloseHandle (hObject=0x59c) returned 1 [0094.083] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x804fd28 | out: lpFindFileData=0x804fd28) returned 1 [0094.083] lstrcmpW (lpString1=".", lpString2="Reader_17.012.20098") returned -1 [0094.083] lstrcmpW (lpString1="..", lpString2="Reader_17.012.20098") returned -1 [0094.083] lstrcmpiW (lpString1="windows", lpString2="Reader_17.012.20098") returned 1 [0094.087] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*" [0094.087] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*") returned 36 [0094.087] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\", lpString2="Reader_17.012.20098" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_17.012.20098") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_17.012.20098" [0094.087] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_17.012.20098", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_17.012.20098\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_17.012.20098\\*.*" [0094.088] GlobalMemoryStatus (in: lpBuffer=0x804fd08 | out: lpBuffer=0x804fd08) [0094.088] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x213d9348, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x59c [0094.089] CloseHandle (hObject=0x59c) returned 1 [0094.089] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x804fd28 | out: lpFindFileData=0x804fd28) returned 1 [0094.089] lstrcmpW (lpString1=".", lpString2="S") returned -1 [0094.089] lstrcmpW (lpString1="..", lpString2="S") returned -1 [0094.089] lstrcmpiW (lpString1="windows", lpString2="S") returned 1 [0094.093] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*" [0094.093] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*") returned 36 [0094.093] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\", lpString2="S" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\S") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\S" [0094.093] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\S", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\S\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\S\\*.*" [0094.093] GlobalMemoryStatus (in: lpBuffer=0x804fd08 | out: lpBuffer=0x804fd08) [0094.093] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x213f13b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x59c [0094.094] CloseHandle (hObject=0x59c) returned 1 [0094.094] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x804fd28 | out: lpFindFileData=0x804fd28) returned 1 [0094.094] lstrcmpW (lpString1=".", lpString2="{291AA914-A987-4CE9-BD63-AC0A92D435E5}") returned -1 [0094.094] lstrcmpW (lpString1="..", lpString2="{291AA914-A987-4CE9-BD63-AC0A92D435E5}") returned -1 [0094.094] lstrcmpiW (lpString1="windows", lpString2="{291AA914-A987-4CE9-BD63-AC0A92D435E5}") returned 1 [0094.099] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*" [0094.099] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*") returned 36 [0094.099] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\", lpString2="{291AA914-A987-4CE9-BD63-AC0A92D435E5}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\{291AA914-A987-4CE9-BD63-AC0A92D435E5}") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\{291AA914-A987-4CE9-BD63-AC0A92D435E5}" [0094.099] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\{291AA914-A987-4CE9-BD63-AC0A92D435E5}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\\*.*" [0094.099] GlobalMemoryStatus (in: lpBuffer=0x804fd08 | out: lpBuffer=0x804fd08) [0094.099] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21409418, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x59c [0094.100] CloseHandle (hObject=0x59c) returned 1 [0094.100] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x804fd28 | out: lpFindFileData=0x804fd28) returned 0 [0094.100] FindClose (in: hFindFile=0x2c9e888 | out: hFindFile=0x2c9e888) returned 1 Thread: id = 380 os_tid = 0xcfc [0091.994] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*", lpFindFileData=0x824fd28 | out: lpFindFileData=0x824fd28) returned 0x2c9ef08 [0094.289] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.289] FindNextFileW (in: hFindFile=0x2c9ef08, lpFindFileData=0x824fd28 | out: lpFindFileData=0x824fd28) returned 1 [0094.289] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0094.289] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.289] FindNextFileW (in: hFindFile=0x2c9ef08, lpFindFileData=0x824fd28 | out: lpFindFileData=0x824fd28) returned 1 [0094.289] lstrcmpW (lpString1=".", lpString2="8C296B8E-6699-457C-9415-3D0647E1D775") returned -1 [0094.289] lstrcmpW (lpString1="..", lpString2="8C296B8E-6699-457C-9415-3D0647E1D775") returned -1 [0094.289] lstrcmpiW (lpString1="windows", lpString2="8C296B8E-6699-457C-9415-3D0647E1D775") returned 1 [0094.289] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*" [0094.289] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*") returned 47 [0094.289] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\", lpString2="8C296B8E-6699-457C-9415-3D0647E1D775" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775" [0094.289] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\*.*" [0094.289] GlobalMemoryStatus (in: lpBuffer=0x824fd08 | out: lpBuffer=0x824fd08) [0094.289] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10770868, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5b4 [0094.830] CloseHandle (hObject=0x5b4) returned 1 [0094.830] FindNextFileW (in: hFindFile=0x2c9ef08, lpFindFileData=0x824fd28 | out: lpFindFileData=0x824fd28) returned 1 [0094.830] lstrcmpW (lpString1=".", lpString2="9D76938C-943D-439F-A135-26D02821EE05") returned -1 [0094.830] lstrcmpW (lpString1="..", lpString2="9D76938C-943D-439F-A135-26D02821EE05") returned -1 [0094.830] lstrcmpiW (lpString1="windows", lpString2="9D76938C-943D-439F-A135-26D02821EE05") returned 1 [0094.847] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*" [0094.847] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*") returned 47 [0094.847] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\", lpString2="9D76938C-943D-439F-A135-26D02821EE05" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05" [0094.847] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\*.*" [0094.847] GlobalMemoryStatus (in: lpBuffer=0x824fd08 | out: lpBuffer=0x824fd08) [0094.847] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5d28ea0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x61c [0094.848] CloseHandle (hObject=0x61c) returned 1 [0094.848] FindNextFileW (in: hFindFile=0x2c9ef08, lpFindFileData=0x824fd28 | out: lpFindFileData=0x824fd28) returned 1 [0094.848] lstrcpyW (in: lpString1=0x3e3f388, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*" [0094.848] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*") returned 47 [0094.848] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\How To Restore Files.hta" [0094.848] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\how to restore files.hta")) returned 0x1 [0094.849] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="DeploymentConfig.0.xml id-Br3n0G72wUb8CejT.LyaS") returned 1 [0094.849] lstrlenW (lpString="DeploymentConfig.0.xml id-Br3n0G72wUb8CejT.LyaS") returned 47 [0094.849] lstrcmpiW (lpString1=".LyaS", lpString2=".LyaS") returned 0 [0094.849] FindNextFileW (in: hFindFile=0x2c9ef08, lpFindFileData=0x824fd28 | out: lpFindFileData=0x824fd28) returned 1 [0094.849] lstrcpyW (in: lpString1=0x3e3f388, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*" [0094.849] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*") returned 47 [0094.849] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\How To Restore Files.hta" [0094.849] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\how to restore files.hta")) returned 0x1 [0094.849] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="DeploymentConfig.1.xml") returned 1 [0094.849] lstrlenW (lpString="DeploymentConfig.1.xml") returned 22 [0094.849] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*" [0094.849] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*") returned 47 [0094.849] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\", lpString2="DeploymentConfig.1.xml" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml" [0094.849] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml" [0094.849] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml id-Br3n0G72wUb8CejT.LyaS" [0094.849] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.1.xml"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.1.xml id-br3n0g72wub8cejt.lyas")) returned 1 [0094.850] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.1.xml id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x61c [0094.851] CreateFileMappingA (hFile=0x61c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0094.851] CryptAcquireContextA (in: phProv=0x824fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x824fce4*=0x1083cc18) returned 1 [0094.852] CryptGenKey (in: hProv=0x1083cc18, Algid=0x6610, dwFlags=0x1, phKey=0x824fce0 | out: phKey=0x824fce0*=0x5c90d0) returned 1 [0094.852] CryptExportKey (in: hKey=0x5c90d0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x824fbdc, pdwDataLen=0x824fcdc | out: pbData=0x824fbdc*, pdwDataLen=0x824fcdc*=0x2c) returned 1 [0094.852] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7a0) returned 0x31d0000 [0094.895] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x824fbdc*, pdwDataLen=0x824fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x824fbdc*, pdwDataLen=0x824fcf0*=0x100) returned 1 [0094.896] CryptEncrypt (in: hKey=0x5c90d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x31d0000*, pdwDataLen=0x824fcdc*=0x7a0, dwBufLen=0x7a0 | out: pbData=0x31d0000*, pdwDataLen=0x824fcdc*=0x7a0) returned 1 [0094.896] UnmapViewOfFile (lpBaseAddress=0x31d0000) returned 1 [0094.896] CloseHandle (hObject=0x5b4) returned 1 [0094.896] CryptDestroyKey (hKey=0x5c90d0) returned 1 [0094.896] CryptReleaseContext (hProv=0x1083cc18, dwFlags=0x0) returned 1 [0094.896] SetFilePointerEx (in: hFile=0x61c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.896] WriteFile (in: hFile=0x61c, lpBuffer=0x824fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x824fcf0, lpOverlapped=0x0 | out: lpBuffer=0x824fbdc*, lpNumberOfBytesWritten=0x824fcf0*=0x100, lpOverlapped=0x0) returned 1 [0094.897] WriteFile (in: hFile=0x61c, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x824fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x824fcf0*=0x500, lpOverlapped=0x0) returned 1 [0094.897] CloseHandle (hObject=0x61c) returned 1 [0094.908] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml id-Br3n0G72wUb8CejT.LyaS", dwFileAttributes=0x1) returned 1 [0094.971] FindNextFileW (in: hFindFile=0x2c9ef08, lpFindFileData=0x824fd28 | out: lpFindFileData=0x824fd28) returned 1 [0094.971] lstrcpyW (in: lpString1=0x105f01e8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*" [0094.971] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*") returned 47 [0094.971] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\How To Restore Files.hta" [0094.971] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\how to restore files.hta")) returned 0x1 [0094.972] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="DeploymentConfig.2.xml") returned 1 [0094.972] lstrlenW (lpString="DeploymentConfig.2.xml") returned 22 [0094.972] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*" [0094.972] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*") returned 47 [0094.972] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\", lpString2="DeploymentConfig.2.xml" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml" [0094.972] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml" [0094.972] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml id-Br3n0G72wUb8CejT.LyaS" [0094.972] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.2.xml"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.2.xml id-br3n0g72wub8cejt.lyas")) returned 1 [0094.973] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.2.xml id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x468 [0094.974] CreateFileMappingA (hFile=0x468, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x354 [0094.974] CryptAcquireContextA (in: phProv=0x824fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x824fce4*=0x1083d960) returned 1 [0094.974] CryptGenKey (in: hProv=0x1083d960, Algid=0x6610, dwFlags=0x1, phKey=0x824fce0 | out: phKey=0x824fce0*=0x5c9350) returned 1 [0094.974] CryptExportKey (in: hKey=0x5c9350, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x824fbdc, pdwDataLen=0x824fcdc | out: pbData=0x824fbdc*, pdwDataLen=0x824fcdc*=0x2c) returned 1 [0094.974] MapViewOfFile (hFileMappingObject=0x354, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x560) returned 0x31d0000 [0096.347] CryptEncrypt (in: hKey=0x5951a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x824fbdc*, pdwDataLen=0x824fcf0*=0x40, dwBufLen=0x100 | out: pbData=0x824fbdc*, pdwDataLen=0x824fcf0*=0x100) returned 1 [0097.228] CryptEncrypt (in: hKey=0x5c9350, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x31d0000*, pdwDataLen=0x824fcdc*=0x560, dwBufLen=0x560 | out: pbData=0x31d0000*, pdwDataLen=0x824fcdc*=0x560) returned 1 [0097.228] UnmapViewOfFile (lpBaseAddress=0x31d0000) returned 1 [0097.228] CloseHandle (hObject=0x354) returned 1 [0097.228] CryptDestroyKey (hKey=0x5c9350) returned 1 [0097.228] CryptReleaseContext (hProv=0x1083d960, dwFlags=0x0) returned 1 [0097.228] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.229] WriteFile (in: hFile=0x468, lpBuffer=0x824fbdc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x824fcf0, lpOverlapped=0x0 | out: lpBuffer=0x824fbdc*, lpNumberOfBytesWritten=0x824fcf0*=0x100, lpOverlapped=0x0) returned 1 [0101.006] WriteFile (in: hFile=0x468, lpBuffer=0x403ca0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x824fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403ca0*, lpNumberOfBytesWritten=0x824fcf0*=0x500, lpOverlapped=0x0) returned 1 [0101.006] CloseHandle (hObject=0x468) Thread: id = 381 os_tid = 0xcdc [0091.995] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*", lpFindFileData=0x834fd28 | out: lpFindFileData=0x834fd28) returned 0x2c9e488 [0093.399] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.399] FindNextFileW (in: hFindFile=0x2c9e488, lpFindFileData=0x834fd28 | out: lpFindFileData=0x834fd28) returned 1 [0093.399] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.399] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.399] FindNextFileW (in: hFindFile=0x2c9e488, lpFindFileData=0x834fd28 | out: lpFindFileData=0x834fd28) returned 1 [0093.399] lstrcmpW (lpString1=".", lpString2="DSS") returned -1 [0093.399] lstrcmpW (lpString1="..", lpString2="DSS") returned -1 [0093.399] lstrcmpiW (lpString1="windows", lpString2="DSS") returned 1 [0093.792] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*" [0093.792] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*") returned 43 [0093.792] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\", lpString2="DSS" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS" [0093.792] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*" [0093.792] GlobalMemoryStatus (in: lpBuffer=0x834fd08 | out: lpBuffer=0x834fd08) [0093.792] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11016938, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x624 [0093.793] CloseHandle (hObject=0x624) returned 1 [0093.793] FindNextFileW (in: hFindFile=0x2c9e488, lpFindFileData=0x834fd28 | out: lpFindFileData=0x834fd28) returned 1 [0093.793] lstrcmpW (lpString1=".", lpString2="Keys") returned -1 [0093.793] lstrcmpW (lpString1="..", lpString2="Keys") returned -1 [0093.793] lstrcmpiW (lpString1="windows", lpString2="Keys") returned 1 [0093.798] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*" [0093.798] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*") returned 43 [0093.798] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\", lpString2="Keys" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys" [0093.798] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*.*" [0093.798] GlobalMemoryStatus (in: lpBuffer=0x834fd08 | out: lpBuffer=0x834fd08) [0093.798] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x210c0680, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x624 [0093.799] CloseHandle (hObject=0x624) returned 1 [0093.799] FindNextFileW (in: hFindFile=0x2c9e488, lpFindFileData=0x834fd28 | out: lpFindFileData=0x834fd28) returned 1 [0093.799] lstrcmpW (lpString1=".", lpString2="PCPKSP") returned -1 [0093.799] lstrcmpW (lpString1="..", lpString2="PCPKSP") returned -1 [0093.799] lstrcmpiW (lpString1="windows", lpString2="PCPKSP") returned 1 [0093.803] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*" [0093.803] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*") returned 43 [0093.803] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\", lpString2="PCPKSP" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP" [0093.803] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\*.*" [0093.803] GlobalMemoryStatus (in: lpBuffer=0x834fd08 | out: lpBuffer=0x834fd08) [0093.803] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x210d86e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x624 [0093.804] CloseHandle (hObject=0x624) returned 1 [0093.804] FindNextFileW (in: hFindFile=0x2c9e488, lpFindFileData=0x834fd28 | out: lpFindFileData=0x834fd28) returned 1 [0093.804] lstrcmpW (lpString1=".", lpString2="RSA") returned -1 [0093.804] lstrcmpW (lpString1="..", lpString2="RSA") returned -1 [0093.804] lstrcmpiW (lpString1="windows", lpString2="RSA") returned 1 [0093.808] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*" [0093.808] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*") returned 43 [0093.808] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\", lpString2="RSA" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA" [0093.808] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*" [0093.808] GlobalMemoryStatus (in: lpBuffer=0x834fd08 | out: lpBuffer=0x834fd08) [0093.808] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x210f0750, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x624 [0093.809] CloseHandle (hObject=0x624) returned 1 [0093.809] FindNextFileW (in: hFindFile=0x2c9e488, lpFindFileData=0x834fd28 | out: lpFindFileData=0x834fd28) returned 1 [0093.809] lstrcmpW (lpString1=".", lpString2="SystemKeys") returned -1 [0093.809] lstrcmpW (lpString1="..", lpString2="SystemKeys") returned -1 [0093.809] lstrcmpiW (lpString1="windows", lpString2="SystemKeys") returned 1 [0093.813] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*" [0093.813] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*") returned 43 [0093.813] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\", lpString2="SystemKeys" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys" [0093.813] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\*.*" [0093.813] GlobalMemoryStatus (in: lpBuffer=0x834fd08 | out: lpBuffer=0x834fd08) [0093.813] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x211087b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x624 [0093.814] CloseHandle (hObject=0x624) returned 1 [0093.814] FindNextFileW (in: hFindFile=0x2c9e488, lpFindFileData=0x834fd28 | out: lpFindFileData=0x834fd28) returned 0 [0093.814] FindClose (in: hFindFile=0x2c9e488 | out: hFindFile=0x2c9e488) returned 1 Thread: id = 382 os_tid = 0xd00 [0091.995] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\*.*", lpFindFileData=0x848fd28 | out: lpFindFileData=0x848fd28) returned 0x10804d48 [0092.231] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.231] FindNextFileW (in: hFindFile=0x10804d48, lpFindFileData=0x848fd28 | out: lpFindFileData=0x848fd28) returned 1 [0092.231] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.231] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.231] FindNextFileW (in: hFindFile=0x10804d48, lpFindFileData=0x848fd28 | out: lpFindFileData=0x848fd28) returned 1 [0092.231] lstrcmpW (lpString1=".", lpString2="PaidWiFi") returned -1 [0092.231] lstrcmpW (lpString1="..", lpString2="PaidWiFi") returned -1 [0092.231] lstrcmpiW (lpString1="windows", lpString2="PaidWiFi") returned 1 [0092.231] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\*.*" [0092.231] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\*.*") returned 45 [0092.231] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\", lpString2="PaidWiFi" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi" [0092.231] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\*.*" [0092.231] GlobalMemoryStatus (in: lpBuffer=0x848fd08 | out: lpBuffer=0x848fd08) [0092.231] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8c89290, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4c0 [0092.232] CloseHandle (hObject=0x4c0) returned 1 [0092.232] FindNextFileW (in: hFindFile=0x10804d48, lpFindFileData=0x848fd28 | out: lpFindFileData=0x848fd28) returned 0 [0092.232] FindClose (in: hFindFile=0x10804d48 | out: hFindFile=0x10804d48) returned 1 Thread: id = 383 os_tid = 0x534 [0091.995] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*", lpFindFileData=0x85cfd28 | out: lpFindFileData=0x85cfd28) returned 0x2c9eec8 [0094.290] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.290] FindNextFileW (in: hFindFile=0x2c9eec8, lpFindFileData=0x85cfd28 | out: lpFindFileData=0x85cfd28) returned 1 [0094.290] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0094.290] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.290] FindNextFileW (in: hFindFile=0x2c9eec8, lpFindFileData=0x85cfd28 | out: lpFindFileData=0x85cfd28) returned 1 [0094.290] lstrcmpW (lpString1=".", lpString2="Device") returned -1 [0094.290] lstrcmpW (lpString1="..", lpString2="Device") returned -1 [0094.290] lstrcmpiW (lpString1="windows", lpString2="Device") returned 1 [0094.290] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*" [0094.290] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*") returned 49 [0094.290] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\", lpString2="Device" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device" [0094.290] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*" [0094.290] GlobalMemoryStatus (in: lpBuffer=0x85cfd08 | out: lpBuffer=0x85cfd08) [0094.290] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8d91650, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5b4 [0094.831] CloseHandle (hObject=0x5b4) returned 1 [0094.831] FindNextFileW (in: hFindFile=0x2c9eec8, lpFindFileData=0x85cfd28 | out: lpFindFileData=0x85cfd28) returned 1 [0094.831] lstrcmpW (lpString1=".", lpString2="Task") returned -1 [0094.831] lstrcmpW (lpString1="..", lpString2="Task") returned -1 [0094.831] lstrcmpiW (lpString1="windows", lpString2="Task") returned 1 [0094.846] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*" [0094.846] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*") returned 49 [0094.846] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\", lpString2="Task" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task" [0094.846] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*" [0094.846] GlobalMemoryStatus (in: lpBuffer=0x85cfd08 | out: lpBuffer=0x85cfd08) [0094.846] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x214394e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5b4 [0094.847] CloseHandle (hObject=0x5b4) returned 1 [0094.847] FindNextFileW (in: hFindFile=0x2c9eec8, lpFindFileData=0x85cfd28 | out: lpFindFileData=0x85cfd28) returned 0 [0094.847] FindClose (in: hFindFile=0x2c9eec8 | out: hFindFile=0x2c9eec8) returned 1 Thread: id = 384 os_tid = 0xb84 [0091.996] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\*.*", lpFindFileData=0x870fd28 | out: lpFindFileData=0x870fd28) returned 0x10804cc8 [0092.219] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.219] FindNextFileW (in: hFindFile=0x10804cc8, lpFindFileData=0x870fd28 | out: lpFindFileData=0x870fd28) returned 1 [0092.219] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.219] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.219] FindNextFileW (in: hFindFile=0x10804cc8, lpFindFileData=0x870fd28 | out: lpFindFileData=0x870fd28) returned 0 [0092.219] FindClose (in: hFindFile=0x10804cc8 | out: hFindFile=0x10804cc8) returned 1 Thread: id = 385 os_tid = 0xb38 [0091.996] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*", lpFindFileData=0x1b45fd28 | out: lpFindFileData=0x1b45fd28) returned 0x2c9ec48 [0093.425] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.425] FindNextFileW (in: hFindFile=0x2c9ec48, lpFindFileData=0x1b45fd28 | out: lpFindFileData=0x1b45fd28) returned 1 [0093.499] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.499] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.499] FindNextFileW (in: hFindFile=0x2c9ec48, lpFindFileData=0x1b45fd28 | out: lpFindFileData=0x1b45fd28) returned 1 [0093.499] lstrcmpW (lpString1=".", lpString2="AsimovUploader") returned -1 [0093.499] lstrcmpW (lpString1="..", lpString2="AsimovUploader") returned -1 [0093.499] lstrcmpiW (lpString1="windows", lpString2="AsimovUploader") returned 1 [0093.499] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" [0093.499] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned 46 [0093.499] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="AsimovUploader" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader" [0093.499] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\*.*" [0093.499] GlobalMemoryStatus (in: lpBuffer=0x1b45fd08 | out: lpBuffer=0x1b45fd08) [0093.500] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5c88cf0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x644 [0093.500] CloseHandle (hObject=0x644) returned 1 [0093.500] FindNextFileW (in: hFindFile=0x2c9ec48, lpFindFileData=0x1b45fd28 | out: lpFindFileData=0x1b45fd28) returned 1 [0093.500] lstrcmpW (lpString1=".", lpString2="DownloadedScenarios") returned -1 [0093.500] lstrcmpW (lpString1="..", lpString2="DownloadedScenarios") returned -1 [0093.500] lstrcmpiW (lpString1="windows", lpString2="DownloadedScenarios") returned 1 [0093.500] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" [0093.500] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned 46 [0093.500] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="DownloadedScenarios" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios" [0093.501] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" [0093.501] GlobalMemoryStatus (in: lpBuffer=0x1b45fd08 | out: lpBuffer=0x1b45fd08) [0093.501] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10f3e590, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x644 [0093.501] CloseHandle (hObject=0x644) returned 1 [0093.501] FindNextFileW (in: hFindFile=0x2c9ec48, lpFindFileData=0x1b45fd28 | out: lpFindFileData=0x1b45fd28) returned 1 [0093.501] lstrcmpW (lpString1=".", lpString2="DownloadedSettings") returned -1 [0093.501] lstrcmpW (lpString1="..", lpString2="DownloadedSettings") returned -1 [0093.502] lstrcmpiW (lpString1="windows", lpString2="DownloadedSettings") returned 1 [0093.506] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" [0093.506] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned 46 [0093.506] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="DownloadedSettings" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings" [0093.506] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*" [0093.506] GlobalMemoryStatus (in: lpBuffer=0x1b45fd08 | out: lpBuffer=0x1b45fd08) [0093.507] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x20d780b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x644 [0093.507] CloseHandle (hObject=0x644) returned 1 [0093.507] FindNextFileW (in: hFindFile=0x2c9ec48, lpFindFileData=0x1b45fd28 | out: lpFindFileData=0x1b45fd28) returned 1 [0093.507] lstrcmpW (lpString1=".", lpString2="ETLLogs") returned -1 [0093.507] lstrcmpW (lpString1="..", lpString2="ETLLogs") returned -1 [0093.507] lstrcmpiW (lpString1="windows", lpString2="ETLLogs") returned 1 [0093.578] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" [0093.578] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned 46 [0093.578] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="ETLLogs" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs" [0093.578] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\*.*" [0093.578] GlobalMemoryStatus (in: lpBuffer=0x1b45fd08 | out: lpBuffer=0x1b45fd08) [0093.578] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x20d90118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x644 [0093.578] CloseHandle (hObject=0x644) returned 1 [0093.578] FindNextFileW (in: hFindFile=0x2c9ec48, lpFindFileData=0x1b45fd28 | out: lpFindFileData=0x1b45fd28) returned 1 [0093.581] lstrcpyW (in: lpString1=0x675f90, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" [0093.581] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned 46 [0093.581] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\How To Restore Files.hta" [0093.581] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\how to restore files.hta")) returned 0x1 [0093.582] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="events00.rbs") returned 1 [0093.582] lstrlenW (lpString="events00.rbs") returned 12 [0093.582] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" [0093.582] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned 46 [0093.582] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="events00.rbs" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events00.rbs") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events00.rbs" [0093.582] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events00.rbs" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events00.rbs") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events00.rbs" [0093.582] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events00.rbs", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events00.rbs id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events00.rbs id-Br3n0G72wUb8CejT.LyaS" [0093.582] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events00.rbs" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\events00.rbs"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events00.rbs id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\events00.rbs id-br3n0g72wub8cejt.lyas")) returned 0 [0093.582] FindNextFileW (in: hFindFile=0x2c9ec48, lpFindFileData=0x1b45fd28 | out: lpFindFileData=0x1b45fd28) returned 1 [0093.582] lstrcpyW (in: lpString1=0x675f90, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" [0093.582] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned 46 [0093.582] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\How To Restore Files.hta" [0093.582] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\how to restore files.hta")) returned 0x1 [0093.583] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="events01.rbs") returned 1 [0093.583] lstrlenW (lpString="events01.rbs") returned 12 [0093.583] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" [0093.583] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned 46 [0093.583] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="events01.rbs" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events01.rbs") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events01.rbs" [0093.583] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events01.rbs" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events01.rbs") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events01.rbs" [0093.583] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events01.rbs", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events01.rbs id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events01.rbs id-Br3n0G72wUb8CejT.LyaS" [0093.583] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events01.rbs" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\events01.rbs"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events01.rbs id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\events01.rbs id-br3n0g72wub8cejt.lyas")) returned 0 [0093.583] FindNextFileW (in: hFindFile=0x2c9ec48, lpFindFileData=0x1b45fd28 | out: lpFindFileData=0x1b45fd28) returned 1 [0093.583] lstrcpyW (in: lpString1=0x675f90, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" [0093.583] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned 46 [0093.583] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\How To Restore Files.hta" [0093.583] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\how to restore files.hta")) returned 0x1 [0093.583] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="events10.rbs") returned 1 [0093.583] lstrlenW (lpString="events10.rbs") returned 12 [0093.583] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" [0093.584] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned 46 [0093.584] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="events10.rbs" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events10.rbs") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events10.rbs" [0093.584] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events10.rbs" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events10.rbs") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events10.rbs" [0093.584] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events10.rbs", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events10.rbs id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events10.rbs id-Br3n0G72wUb8CejT.LyaS" [0093.584] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events10.rbs" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\events10.rbs"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events10.rbs id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\events10.rbs id-br3n0g72wub8cejt.lyas")) returned 0 [0093.584] FindNextFileW (in: hFindFile=0x2c9ec48, lpFindFileData=0x1b45fd28 | out: lpFindFileData=0x1b45fd28) returned 1 [0093.584] lstrcpyW (in: lpString1=0x675f90, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" [0093.584] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned 46 [0093.584] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\How To Restore Files.hta" [0093.584] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\how to restore files.hta")) returned 0x1 [0093.584] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="events11.rbs") returned 1 [0093.584] lstrlenW (lpString="events11.rbs") returned 12 [0093.584] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" [0093.584] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned 46 [0093.584] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="events11.rbs" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events11.rbs") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events11.rbs" [0093.584] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events11.rbs" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events11.rbs") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events11.rbs" [0093.585] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events11.rbs", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events11.rbs id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events11.rbs id-Br3n0G72wUb8CejT.LyaS" [0093.585] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events11.rbs" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\events11.rbs"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events11.rbs id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\events11.rbs id-br3n0g72wub8cejt.lyas")) returned 0 [0093.585] FindNextFileW (in: hFindFile=0x2c9ec48, lpFindFileData=0x1b45fd28 | out: lpFindFileData=0x1b45fd28) returned 1 [0093.585] lstrcpyW (in: lpString1=0x675f90, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" [0093.585] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned 46 [0093.585] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\How To Restore Files.hta" [0093.585] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\how to restore files.hta")) returned 0x1 [0093.585] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="How To Restore Files.hta") returned 0 [0093.585] FindNextFileW (in: hFindFile=0x2c9ec48, lpFindFileData=0x1b45fd28 | out: lpFindFileData=0x1b45fd28) returned 1 [0093.585] lstrcmpW (lpString1=".", lpString2="LocalTraceStore") returned -1 [0093.585] lstrcmpW (lpString1="..", lpString2="LocalTraceStore") returned -1 [0093.585] lstrcmpiW (lpString1="windows", lpString2="LocalTraceStore") returned 1 [0093.591] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" [0093.591] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned 46 [0093.591] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="LocalTraceStore" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore" [0093.591] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\*.*" [0093.591] GlobalMemoryStatus (in: lpBuffer=0x1b45fd08 | out: lpBuffer=0x1b45fd08) [0093.591] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x20da8180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x644 [0093.592] CloseHandle (hObject=0x644) returned 1 [0093.592] FindNextFileW (in: hFindFile=0x2c9ec48, lpFindFileData=0x1b45fd28 | out: lpFindFileData=0x1b45fd28) returned 1 [0093.592] lstrcpyW (in: lpString1=0x675f90, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" [0093.592] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned 46 [0093.592] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\How To Restore Files.hta" [0093.592] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\how to restore files.hta")) returned 0x1 [0093.592] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="parse.dat") returned -1 [0093.592] lstrlenW (lpString="parse.dat") returned 9 [0093.592] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" [0093.592] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned 46 [0093.592] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="parse.dat" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\parse.dat") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\parse.dat" [0093.592] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\parse.dat" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\parse.dat") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\parse.dat" [0093.592] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\parse.dat", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\parse.dat id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\parse.dat id-Br3n0G72wUb8CejT.LyaS" [0093.593] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\parse.dat" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\parse.dat"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\parse.dat id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\parse.dat id-br3n0g72wub8cejt.lyas")) returned 0 [0093.593] FindNextFileW (in: hFindFile=0x2c9ec48, lpFindFileData=0x1b45fd28 | out: lpFindFileData=0x1b45fd28) returned 1 [0093.593] lstrcmpW (lpString1=".", lpString2="Sideload") returned -1 [0093.593] lstrcmpW (lpString1="..", lpString2="Sideload") returned -1 [0093.593] lstrcmpiW (lpString1="windows", lpString2="Sideload") returned 1 [0093.597] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" [0093.597] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned 46 [0093.597] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="Sideload" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload" [0093.597] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\*.*" [0093.597] GlobalMemoryStatus (in: lpBuffer=0x1b45fd08 | out: lpBuffer=0x1b45fd08) [0093.597] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x20dc01e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x644 [0093.598] CloseHandle (hObject=0x644) returned 1 [0093.598] FindNextFileW (in: hFindFile=0x2c9ec48, lpFindFileData=0x1b45fd28 | out: lpFindFileData=0x1b45fd28) returned 1 [0093.598] lstrcmpW (lpString1=".", lpString2="Siufloc") returned -1 [0093.598] lstrcmpW (lpString1="..", lpString2="Siufloc") returned -1 [0093.598] lstrcmpiW (lpString1="windows", lpString2="Siufloc") returned 1 [0093.602] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" [0093.602] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned 46 [0093.602] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="Siufloc" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc" [0093.602] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\*.*" [0093.602] GlobalMemoryStatus (in: lpBuffer=0x1b45fd08 | out: lpBuffer=0x1b45fd08) [0093.602] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x20dd8250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x644 [0093.605] CloseHandle (hObject=0x644) returned 1 [0093.605] FindNextFileW (in: hFindFile=0x2c9ec48, lpFindFileData=0x1b45fd28 | out: lpFindFileData=0x1b45fd28) returned 1 [0093.605] lstrcmpW (lpString1=".", lpString2="SoftLanding") returned -1 [0093.605] lstrcmpW (lpString1="..", lpString2="SoftLanding") returned -1 [0093.605] lstrcmpiW (lpString1="windows", lpString2="SoftLanding") returned 1 [0093.609] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" [0093.609] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned 46 [0093.609] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="SoftLanding" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding" [0093.609] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\*.*" [0093.609] GlobalMemoryStatus (in: lpBuffer=0x1b45fd08 | out: lpBuffer=0x1b45fd08) [0093.609] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x20df02b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x644 [0093.610] CloseHandle (hObject=0x644) returned 1 [0093.610] FindNextFileW (in: hFindFile=0x2c9ec48, lpFindFileData=0x1b45fd28 | out: lpFindFileData=0x1b45fd28) returned 1 [0093.610] lstrcmpW (lpString1=".", lpString2="SoftLandingStage") returned -1 [0093.610] lstrcmpW (lpString1="..", lpString2="SoftLandingStage") returned -1 [0093.610] lstrcmpiW (lpString1="windows", lpString2="SoftLandingStage") returned 1 [0093.613] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" [0093.613] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned 46 [0093.613] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="SoftLandingStage" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage" [0093.613] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\*.*" [0093.614] GlobalMemoryStatus (in: lpBuffer=0x1b45fd08 | out: lpBuffer=0x1b45fd08) [0093.614] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x20e08320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x644 [0093.614] CloseHandle (hObject=0x644) returned 1 [0093.614] FindNextFileW (in: hFindFile=0x2c9ec48, lpFindFileData=0x1b45fd28 | out: lpFindFileData=0x1b45fd28) returned 0 [0093.615] FindClose (in: hFindFile=0x2c9ec48 | out: hFindFile=0x2c9ec48) returned 1 Thread: id = 386 os_tid = 0x408 [0091.996] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*.*", lpFindFileData=0x1b59fd28 | out: lpFindFileData=0x1b59fd28) returned 0x2c9e688 [0093.400] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.400] FindNextFileW (in: hFindFile=0x2c9e688, lpFindFileData=0x1b59fd28 | out: lpFindFileData=0x1b59fd28) returned 1 [0093.400] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.400] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.400] FindNextFileW (in: hFindFile=0x2c9e688, lpFindFileData=0x1b59fd28 | out: lpFindFileData=0x1b59fd28) returned 1 [0093.400] lstrcmpW (lpString1=".", lpString2="Server") returned -1 [0093.400] lstrcmpW (lpString1="..", lpString2="Server") returned -1 [0093.400] lstrcmpiW (lpString1="windows", lpString2="Server") returned 1 [0093.791] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*.*" [0093.791] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*.*") returned 40 [0093.791] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\", lpString2="Server" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server" [0093.791] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*.*" [0093.791] GlobalMemoryStatus (in: lpBuffer=0x1b59fd08 | out: lpBuffer=0x1b59fd08) [0093.791] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1102e9a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x628 [0093.792] CloseHandle (hObject=0x628) returned 1 [0093.792] FindNextFileW (in: hFindFile=0x2c9e688, lpFindFileData=0x1b59fd28 | out: lpFindFileData=0x1b59fd28) returned 0 [0093.792] FindClose (in: hFindFile=0x2c9e688 | out: hFindFile=0x2c9e688) returned 1 Thread: id = 387 os_tid = 0xf78 [0091.997] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\*.*", lpFindFileData=0x1b6dfd28 | out: lpFindFileData=0x1b6dfd28) returned 0x2c9e6c8 [0093.400] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.400] FindNextFileW (in: hFindFile=0x2c9e6c8, lpFindFileData=0x1b6dfd28 | out: lpFindFileData=0x1b6dfd28) returned 1 [0093.400] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.400] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.400] FindNextFileW (in: hFindFile=0x2c9e6c8, lpFindFileData=0x1b6dfd28 | out: lpFindFileData=0x1b6dfd28) returned 1 [0093.400] lstrcmpW (lpString1=".", lpString2="Views") returned -1 [0093.400] lstrcmpW (lpString1="..", lpString2="Views") returned -1 [0093.400] lstrcmpiW (lpString1="windows", lpString2="Views") returned 1 [0093.789] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\*.*" [0093.789] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\*.*") returned 49 [0093.789] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\", lpString2="Views" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views" [0093.789] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*.*" [0093.789] GlobalMemoryStatus (in: lpBuffer=0x1b6dfd08 | out: lpBuffer=0x1b6dfd08) [0093.790] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11046a08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x62c [0093.790] CloseHandle (hObject=0x62c) returned 1 [0093.790] FindNextFileW (in: hFindFile=0x2c9e6c8, lpFindFileData=0x1b6dfd28 | out: lpFindFileData=0x1b6dfd28) returned 0 [0093.791] FindClose (in: hFindFile=0x2c9e6c8 | out: hFindFile=0x2c9e6c8) returned 1 Thread: id = 388 os_tid = 0x524 [0091.997] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*", lpFindFileData=0x1b81fd28 | out: lpFindFileData=0x1b81fd28) returned 0x2c9ef08 [0093.400] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.400] FindNextFileW (in: hFindFile=0x2c9ef08, lpFindFileData=0x1b81fd28 | out: lpFindFileData=0x1b81fd28) returned 1 [0093.401] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0093.401] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.401] FindNextFileW (in: hFindFile=0x2c9ef08, lpFindFileData=0x1b81fd28 | out: lpFindFileData=0x1b81fd28) returned 1 [0093.401] lstrcmpW (lpString1=".", lpString2="INT") returned -1 [0093.401] lstrcmpW (lpString1="..", lpString2="INT") returned -1 [0093.401] lstrcmpiW (lpString1="windows", lpString2="INT") returned 1 [0093.784] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*" [0093.784] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*") returned 48 [0093.784] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\", lpString2="INT" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT" [0093.784] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*.*" [0093.784] GlobalMemoryStatus (in: lpBuffer=0x1b81fd08 | out: lpBuffer=0x1b81fd08) [0093.784] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x210905b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x630 [0093.785] CloseHandle (hObject=0x630) returned 1 [0093.785] FindNextFileW (in: hFindFile=0x2c9ef08, lpFindFileData=0x1b81fd28 | out: lpFindFileData=0x1b81fd28) returned 1 [0093.785] lstrcmpW (lpString1=".", lpString2="production") returned -1 [0093.785] lstrcmpW (lpString1="..", lpString2="production") returned -1 [0093.785] lstrcmpiW (lpString1="windows", lpString2="production") returned 1 [0093.788] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*" [0093.788] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*") returned 48 [0093.788] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\", lpString2="production" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production" [0093.788] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*" [0093.788] GlobalMemoryStatus (in: lpBuffer=0x1b81fd08 | out: lpBuffer=0x1b81fd08) [0093.788] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x210a8618, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x630 [0093.789] CloseHandle (hObject=0x630) returned 1 [0093.789] FindNextFileW (in: hFindFile=0x2c9ef08, lpFindFileData=0x1b81fd28 | out: lpFindFileData=0x1b81fd28) returned 0 [0093.789] FindClose (in: hFindFile=0x2c9ef08 | out: hFindFile=0x2c9ef08) returned 1 Thread: id = 389 os_tid = 0xc0c [0091.997] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData\\*.*", lpFindFileData=0x1b95fd28 | out: lpFindFileData=0x1b95fd28) returned 0x10804cc8 [0092.220] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.220] FindNextFileW (in: hFindFile=0x10804cc8, lpFindFileData=0x1b95fd28 | out: lpFindFileData=0x1b95fd28) returned 1 [0092.220] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.220] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.220] FindNextFileW (in: hFindFile=0x10804cc8, lpFindFileData=0x1b95fd28 | out: lpFindFileData=0x1b95fd28) returned 0 [0092.220] FindClose (in: hFindFile=0x10804cc8 | out: hFindFile=0x10804cc8) returned 1 Thread: id = 390 os_tid = 0xc60 [0091.998] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*", lpFindFileData=0x1ba9fd28 | out: lpFindFileData=0x1ba9fd28) returned 0x10804cc8 [0092.221] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.221] FindNextFileW (in: hFindFile=0x10804cc8, lpFindFileData=0x1ba9fd28 | out: lpFindFileData=0x1ba9fd28) returned 1 [0092.221] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.221] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.221] FindNextFileW (in: hFindFile=0x10804cc8, lpFindFileData=0x1ba9fd28 | out: lpFindFileData=0x1ba9fd28) returned 1 [0092.221] lstrcpyW (in: lpString1=0x3ec5e90, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*" [0092.221] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*") returned 39 [0092.221] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\How To Restore Files.hta" [0092.221] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\mf\\how to restore files.hta")) returned 0x1 [0092.221] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Active.GRL id-Br3n0G72wUb8CejT.LyaS") returned 1 [0092.221] lstrlenW (lpString="Active.GRL id-Br3n0G72wUb8CejT.LyaS") returned 35 [0092.221] lstrcmpiW (lpString1=".LyaS", lpString2=".LyaS") returned 0 [0092.221] FindNextFileW (in: hFindFile=0x10804cc8, lpFindFileData=0x1ba9fd28 | out: lpFindFileData=0x1ba9fd28) returned 1 [0092.221] lstrcpyW (in: lpString1=0x3ec5e90, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*" [0092.221] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*") returned 39 [0092.221] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\How To Restore Files.hta" [0092.221] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\mf\\how to restore files.hta")) returned 0x1 [0092.221] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="How To Restore Files.hta") returned 0 [0092.221] FindNextFileW (in: hFindFile=0x10804cc8, lpFindFileData=0x1ba9fd28 | out: lpFindFileData=0x1ba9fd28) returned 1 [0092.221] lstrcpyW (in: lpString1=0x3ec5e90, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*" [0092.221] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*") returned 39 [0092.222] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\How To Restore Files.hta" [0092.222] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\mf\\how to restore files.hta")) returned 0x1 [0092.222] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="Pending.GRL id-Br3n0G72wUb8CejT.LyaS") returned -1 [0092.222] lstrlenW (lpString="Pending.GRL id-Br3n0G72wUb8CejT.LyaS") returned 36 [0092.222] lstrcmpiW (lpString1=".LyaS", lpString2=".LyaS") returned 0 [0092.222] FindNextFileW (in: hFindFile=0x10804cc8, lpFindFileData=0x1ba9fd28 | out: lpFindFileData=0x1ba9fd28) returned 0 [0092.222] FindClose (in: hFindFile=0x10804cc8 | out: hFindFile=0x10804cc8) returned 1 Thread: id = 391 os_tid = 0x900 [0091.999] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*", lpFindFileData=0x1bbdfd28 | out: lpFindFileData=0x1bbdfd28) returned 0x10804cc8 [0092.222] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.222] FindNextFileW (in: hFindFile=0x10804cc8, lpFindFileData=0x1bbdfd28 | out: lpFindFileData=0x1bbdfd28) returned 1 [0092.222] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.222] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.222] FindNextFileW (in: hFindFile=0x10804cc8, lpFindFileData=0x1bbdfd28 | out: lpFindFileData=0x1bbdfd28) returned 1 [0092.222] lstrcmpW (lpString1=".", lpString2="BreadcrumbStore") returned -1 [0092.222] lstrcmpW (lpString1="..", lpString2="BreadcrumbStore") returned -1 [0092.222] lstrcmpiW (lpString1="windows", lpString2="BreadcrumbStore") returned 1 [0092.222] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*" [0092.222] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*") returned 49 [0092.222] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\", lpString2="BreadcrumbStore" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore" [0092.223] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*" [0092.223] GlobalMemoryStatus (in: lpBuffer=0x1bbdfd08 | out: lpBuffer=0x1bbdfd08) [0092.223] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5d40f08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x42c [0092.223] CloseHandle (hObject=0x42c) returned 1 [0092.223] FindNextFileW (in: hFindFile=0x10804cc8, lpFindFileData=0x1bbdfd28 | out: lpFindFileData=0x1bbdfd28) returned 0 [0092.223] FindClose (in: hFindFile=0x10804cc8 | out: hFindFile=0x10804cc8) returned 1 Thread: id = 392 os_tid = 0xcc4 [0091.999] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*.*", lpFindFileData=0x1bd1fd28 | out: lpFindFileData=0x1bd1fd28) returned 0x10804cc8 [0092.224] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.224] FindNextFileW (in: hFindFile=0x10804cc8, lpFindFileData=0x1bd1fd28 | out: lpFindFileData=0x1bd1fd28) returned 1 [0092.224] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.224] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.224] FindNextFileW (in: hFindFile=0x10804cc8, lpFindFileData=0x1bd1fd28 | out: lpFindFileData=0x1bd1fd28) returned 1 [0092.224] lstrcmpW (lpString1=".", lpString2="Connections") returned -1 [0092.224] lstrcmpW (lpString1="..", lpString2="Connections") returned -1 [0092.224] lstrcmpiW (lpString1="windows", lpString2="Connections") returned 1 [0092.224] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*.*" [0092.224] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*.*") returned 44 [0092.224] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\", lpString2="Connections" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections" [0092.224] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*.*" [0092.224] GlobalMemoryStatus (in: lpBuffer=0x1bd1fd08 | out: lpBuffer=0x1bd1fd08) [0092.224] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3e48070, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x42c [0092.225] CloseHandle (hObject=0x42c) returned 1 [0092.225] FindNextFileW (in: hFindFile=0x10804cc8, lpFindFileData=0x1bd1fd28 | out: lpFindFileData=0x1bd1fd28) returned 1 [0092.225] lstrcmpW (lpString1=".", lpString2="Downloader") returned -1 [0092.225] lstrcmpW (lpString1="..", lpString2="Downloader") returned -1 [0092.225] lstrcmpiW (lpString1="windows", lpString2="Downloader") returned 1 [0092.225] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*.*" [0092.225] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*.*") returned 44 [0092.225] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\", lpString2="Downloader" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader" [0092.225] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*" [0092.225] GlobalMemoryStatus (in: lpBuffer=0x1bd1fd08 | out: lpBuffer=0x1bd1fd08) [0092.225] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5a202b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x42c [0092.226] CloseHandle (hObject=0x42c) returned 1 [0092.226] FindNextFileW (in: hFindFile=0x10804cc8, lpFindFileData=0x1bd1fd28 | out: lpFindFileData=0x1bd1fd28) returned 0 [0092.226] FindClose (in: hFindFile=0x10804cc8 | out: hFindFile=0x10804cc8) returned 1 Thread: id = 393 os_tid = 0x2f4 [0092.000] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\*.*", lpFindFileData=0x1be5fd28 | out: lpFindFileData=0x1be5fd28) returned 0x10804f08 [0092.377] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.377] FindNextFileW (in: hFindFile=0x10804f08, lpFindFileData=0x1be5fd28 | out: lpFindFileData=0x1be5fd28) returned 1 [0092.377] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0092.377] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.377] FindNextFileW (in: hFindFile=0x10804f08, lpFindFileData=0x1be5fd28 | out: lpFindFileData=0x1be5fd28) returned 1 [0092.377] lstrcpyW (in: lpString1=0x8f31d90, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\*.*" [0092.377] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\*.*") returned 43 [0092.377] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\How To Restore Files.hta" [0092.377] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\office\\how to restore files.hta")) returned 0x20 [0092.379] FindNextFileW (in: hFindFile=0x10804f08, lpFindFileData=0x1be5fd28 | out: lpFindFileData=0x1be5fd28) returned 1 [0092.379] lstrcpyW (in: lpString1=0x8f31d90, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\*.*" [0092.380] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\*.*") returned 43 [0092.380] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\How To Restore Files.hta" [0092.380] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\office\\how to restore files.hta")) returned 0x20 [0092.380] FindNextFileW (in: hFindFile=0x10804f08, lpFindFileData=0x1be5fd28 | out: lpFindFileData=0x1be5fd28) returned 0 [0092.380] FindClose (in: hFindFile=0x10804f08 | out: hFindFile=0x10804f08) returned 1 Thread: id = 394 os_tid = 0xc5c [0098.294] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*.*", lpFindFileData=0x1bf5fd28 | out: lpFindFileData=0x1bf5fd28) returned 0x5c8b50 [0098.295] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.295] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x1bf5fd28 | out: lpFindFileData=0x1bf5fd28) returned 1 [0098.295] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.295] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.295] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x1bf5fd28 | out: lpFindFileData=0x1bf5fd28) returned 1 [0098.295] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*.*" [0098.295] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*.*") returned 51 [0098.295] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\How To Restore Files.hta" [0098.295] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft onedrive\\setup\\how to restore files.hta")) returned 0x1 [0098.295] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="How To Restore Files.hta") returned 0 [0098.295] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x1bf5fd28 | out: lpFindFileData=0x1bf5fd28) returned 1 [0098.295] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*.*" [0098.295] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*.*") returned 51 [0098.295] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\How To Restore Files.hta" [0098.295] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft onedrive\\setup\\how to restore files.hta")) returned 0x1 [0098.295] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x1bf5fd28 | out: lpFindFileData=0x1bf5fd28) returned 0 [0098.295] FindClose (in: hFindFile=0x5c8b50 | out: hFindFile=0x5c8b50) returned 1 Thread: id = 395 os_tid = 0x2e8 [0098.296] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\*.*", lpFindFileData=0x1c05fd28 | out: lpFindFileData=0x1c05fd28) returned 0x5c8b50 [0098.297] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.297] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x1c05fd28 | out: lpFindFileData=0x1c05fd28) returned 1 [0098.297] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.297] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.297] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x1c05fd28 | out: lpFindFileData=0x1c05fd28) returned 1 [0098.297] lstrcmpW (lpString1=".", lpString2="AppInfoDocument") returned -1 [0098.297] lstrcmpW (lpString1="..", lpString2="AppInfoDocument") returned -1 [0098.297] lstrcmpiW (lpString1="windows", lpString2="AppInfoDocument") returned 1 [0098.297] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\*.*" [0098.297] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\*.*") returned 65 [0098.297] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\", lpString2="AppInfoDocument" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\AppInfoDocument") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\AppInfoDocument" [0098.297] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\AppInfoDocument", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\AppInfoDocument\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\AppInfoDocument\\*.*" [0098.297] GlobalMemoryStatus (in: lpBuffer=0x1c05fd08 | out: lpBuffer=0x1c05fd08) [0098.297] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x110eece0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5f0 [0098.298] CloseHandle (hObject=0x5f0) returned 1 [0098.298] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x1c05fd28 | out: lpFindFileData=0x1c05fd28) returned 1 [0098.298] lstrcmpW (lpString1=".", lpString2="Pipeline.v10.0") returned -1 [0098.298] lstrcmpW (lpString1="..", lpString2="Pipeline.v10.0") returned -1 [0098.298] lstrcmpiW (lpString1="windows", lpString2="Pipeline.v10.0") returned 1 [0098.298] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\*.*" [0098.298] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\*.*") returned 65 [0098.298] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\", lpString2="Pipeline.v10.0" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0" [0098.298] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\*.*" [0098.298] GlobalMemoryStatus (in: lpBuffer=0x1c05fd08 | out: lpBuffer=0x1c05fd08) [0098.298] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10c21820, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5f0 [0098.299] CloseHandle (hObject=0x5f0) returned 1 [0098.299] FindNextFileW (in: hFindFile=0x5c8b50, lpFindFileData=0x1c05fd28 | out: lpFindFileData=0x1c05fd28) returned 1 [0098.299] lstrcpyW (in: lpString1=0x10d8de40, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\*.*" [0098.299] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\*.*") returned 65 [0098.299] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\How To Restore Files.hta" [0098.299] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\how to restore files.hta")) returned 0xffffffff [0098.300] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 396 os_tid = 0xd0 [0098.300] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\*.*", lpFindFileData=0x1c19fd28 | out: lpFindFileData=0x1c19fd28) returned 0x5c8c10 [0098.307] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.307] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x1c19fd28 | out: lpFindFileData=0x1c19fd28) returned 1 [0098.308] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.308] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.308] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x1c19fd28 | out: lpFindFileData=0x1c19fd28) returned 1 [0098.308] lstrcmpW (lpString1=".", lpString2="10.0") returned -1 [0098.308] lstrcmpW (lpString1="..", lpString2="10.0") returned -1 [0098.308] lstrcmpiW (lpString1="windows", lpString2="10.0") returned 1 [0098.308] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\*.*" [0098.308] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\*.*") returned 65 [0098.308] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\", lpString2="10.0" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0" [0098.308] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*.*" [0098.308] GlobalMemoryStatus (in: lpBuffer=0x1c19fd08 | out: lpBuffer=0x1c19fd08) [0098.308] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10998d28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x480 [0098.309] CloseHandle (hObject=0x480) returned 1 [0098.309] FindNextFileW (in: hFindFile=0x5c8c10, lpFindFileData=0x1c19fd28 | out: lpFindFileData=0x1c19fd28) returned 1 [0098.313] lstrcpyW (in: lpString1=0x20f60510, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\*.*" [0098.313] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\*.*") returned 65 [0098.313] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\How To Restore Files.hta" [0098.313] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\how to restore files.hta")) returned 0xffffffff [0098.313] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 397 os_tid = 0xa10 [0098.302] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\*.*", lpFindFileData=0x1c2dfd28 | out: lpFindFileData=0x1c2dfd28) returned 0x5c8b90 [0098.302] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.302] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x1c2dfd28 | out: lpFindFileData=0x1c2dfd28) returned 1 [0098.302] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.302] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.302] FindNextFileW (in: hFindFile=0x5c8b90, lpFindFileData=0x1c2dfd28 | out: lpFindFileData=0x1c2dfd28) returned 1 [0098.305] lstrcpyW (in: lpString1=0x20f38500, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\*.*" [0098.305] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\*.*") returned 50 [0098.305] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\How To Restore Files.hta" [0098.305] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\en-us\\how to restore files.hta")) returned 0xffffffff [0098.306] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\en-us\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 398 os_tid = 0x648 [0098.306] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*", lpFindFileData=0x1c41fd28 | out: lpFindFileData=0x1c41fd28) returned 0x5c8750 [0098.330] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.330] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x1c41fd28 | out: lpFindFileData=0x1c41fd28) returned 1 [0098.330] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.330] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.330] FindNextFileW (in: hFindFile=0x5c8750, lpFindFileData=0x1c41fd28 | out: lpFindFileData=0x1c41fd28) returned 1 [0098.334] lstrcpyW (in: lpString1=0x20fd8540, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0098.334] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0098.334] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\How To Restore Files.hta" [0098.334] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\how to restore files.hta")) returned 0xffffffff [0098.334] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 399 os_tid = 0xa34 [0098.314] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*", lpFindFileData=0x1c55fd28 | out: lpFindFileData=0x1c55fd28) returned 0x5c8c50 [0098.314] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.314] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x1c55fd28 | out: lpFindFileData=0x1c55fd28) returned 1 [0098.314] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.314] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.314] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x1c55fd28 | out: lpFindFileData=0x1c55fd28) returned 1 [0098.314] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0098.314] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0098.314] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0098.319] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0098.319] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0098.319] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US" [0098.319] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*" [0098.319] GlobalMemoryStatus (in: lpBuffer=0x1c55fd08 | out: lpBuffer=0x1c55fd08) [0098.319] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x216c1fe0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4fc [0098.320] CloseHandle (hObject=0x4fc) returned 1 [0098.320] FindNextFileW (in: hFindFile=0x5c8c50, lpFindFileData=0x1c55fd28 | out: lpFindFileData=0x1c55fd28) returned 1 [0098.324] lstrcpyW (in: lpString1=0x20f88520, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0098.324] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0098.324] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\How To Restore Files.hta" [0098.324] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\how to restore files.hta")) returned 0xffffffff [0098.324] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 400 os_tid = 0xbf8 [0098.325] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office16\\*.*", lpFindFileData=0x1c69fd28 | out: lpFindFileData=0x1c69fd28) returned 0x5c8510 [0098.325] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.325] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x1c69fd28 | out: lpFindFileData=0x1c69fd28) returned 1 [0098.325] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.325] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.325] FindNextFileW (in: hFindFile=0x5c8510, lpFindFileData=0x1c69fd28 | out: lpFindFileData=0x1c69fd28) returned 1 [0098.329] lstrcpyW (in: lpString1=0x20fb0530, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Office16\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office16\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office16\\*.*" [0098.329] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office16\\*.*") returned 50 [0098.329] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office16\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office16\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office16\\How To Restore Files.hta" [0098.329] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office16\\How To Restore Files.hta" (normalized: "c:\\program files\\microsoft office\\office16\\how to restore files.hta")) returned 0xffffffff [0098.329] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office16\\How To Restore Files.hta" (normalized: "c:\\program files\\microsoft office\\office16\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 401 os_tid = 0x564 [0098.335] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\PackageManifests\\*.*", lpFindFileData=0x1c7dfd28 | out: lpFindFileData=0x1c7dfd28) returned 0x5c9290 [0098.389] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.389] FindNextFileW (in: hFindFile=0x5c9290, lpFindFileData=0x1c7dfd28 | out: lpFindFileData=0x1c7dfd28) returned 1 [0098.435] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.435] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.435] FindNextFileW (in: hFindFile=0x5c9290, lpFindFileData=0x1c7dfd28 | out: lpFindFileData=0x1c7dfd28) returned 1 [0098.439] lstrcpyW (in: lpString1=0x8b38c90, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\PackageManifests\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\PackageManifests\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\PackageManifests\\*.*" [0098.439] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\PackageManifests\\*.*") returned 58 [0098.439] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\PackageManifests\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\PackageManifests\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\PackageManifests\\How To Restore Files.hta" [0098.439] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\PackageManifests\\How To Restore Files.hta" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\how to restore files.hta")) returned 0xffffffff [0098.439] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\PackageManifests\\How To Restore Files.hta" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 402 os_tid = 0xb24 [0098.336] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*", lpFindFileData=0x1c91fd28 | out: lpFindFileData=0x1c91fd28) returned 0x5c9250 [0098.337] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.337] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0x1c91fd28 | out: lpFindFileData=0x1c91fd28) returned 1 [0098.337] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.337] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.337] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0x1c91fd28 | out: lpFindFileData=0x1c91fd28) returned 1 [0098.337] lstrcmpW (lpString1=".", lpString2="client") returned -1 [0098.337] lstrcmpW (lpString1="..", lpString2="client") returned -1 [0098.337] lstrcmpiW (lpString1="windows", lpString2="client") returned 1 [0098.343] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" [0098.343] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned 46 [0098.343] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\", lpString2="client" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\client") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\client" [0098.343] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\client", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\client\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\client\\*.*" [0098.343] GlobalMemoryStatus (in: lpBuffer=0x1c91fd08 | out: lpBuffer=0x1c91fd08) [0098.343] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x216da048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x398 [0098.345] CloseHandle (hObject=0x398) returned 1 [0098.345] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0x1c91fd28 | out: lpFindFileData=0x1c91fd28) returned 1 [0098.345] lstrcmpW (lpString1=".", lpString2="CLIPART") returned -1 [0098.345] lstrcmpW (lpString1="..", lpString2="CLIPART") returned -1 [0098.345] lstrcmpiW (lpString1="windows", lpString2="CLIPART") returned 1 [0098.350] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" [0098.350] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned 46 [0098.350] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\", lpString2="CLIPART" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART" [0098.350] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART\\*.*" [0098.350] GlobalMemoryStatus (in: lpBuffer=0x1c91fd08 | out: lpBuffer=0x1c91fd08) [0098.350] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x216f20b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x398 [0098.351] CloseHandle (hObject=0x398) returned 1 [0098.351] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0x1c91fd28 | out: lpFindFileData=0x1c91fd28) returned 1 [0098.351] lstrcmpW (lpString1=".", lpString2="Document Themes 16") returned -1 [0098.351] lstrcmpW (lpString1="..", lpString2="Document Themes 16") returned -1 [0098.351] lstrcmpiW (lpString1="windows", lpString2="Document Themes 16") returned 1 [0098.356] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" [0098.357] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned 46 [0098.357] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\", lpString2="Document Themes 16" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Document Themes 16") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Document Themes 16" [0098.357] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Document Themes 16", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\*.*" [0098.357] GlobalMemoryStatus (in: lpBuffer=0x1c91fd08 | out: lpBuffer=0x1c91fd08) [0098.357] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2170a118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x398 [0098.357] CloseHandle (hObject=0x398) returned 1 [0098.357] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0x1c91fd28 | out: lpFindFileData=0x1c91fd28) returned 1 [0098.358] lstrcmpW (lpString1=".", lpString2="Flattener") returned -1 [0098.358] lstrcmpW (lpString1="..", lpString2="Flattener") returned -1 [0098.358] lstrcmpiW (lpString1="windows", lpString2="Flattener") returned 1 [0098.362] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" [0098.362] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned 46 [0098.362] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\", lpString2="Flattener" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener" [0098.362] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\*.*" [0098.362] GlobalMemoryStatus (in: lpBuffer=0x1c91fd08 | out: lpBuffer=0x1c91fd08) [0098.363] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21722180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x398 [0098.363] CloseHandle (hObject=0x398) returned 1 [0098.363] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0x1c91fd28 | out: lpFindFileData=0x1c91fd28) returned 1 [0098.363] lstrcmpW (lpString1=".", lpString2="fre") returned -1 [0098.363] lstrcmpW (lpString1="..", lpString2="fre") returned -1 [0098.363] lstrcmpiW (lpString1="windows", lpString2="fre") returned 1 [0098.368] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" [0098.368] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned 46 [0098.368] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\", lpString2="fre" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\fre") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\fre" [0098.368] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\fre", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\fre\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\fre\\*.*" [0098.368] GlobalMemoryStatus (in: lpBuffer=0x1c91fd08 | out: lpBuffer=0x1c91fd08) [0098.369] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2173a1e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x570 [0099.208] CloseHandle (hObject=0x570) returned 1 [0099.208] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0x1c91fd28 | out: lpFindFileData=0x1c91fd28) returned 1 [0099.208] lstrcmpW (lpString1=".", lpString2="Integration") returned -1 [0099.208] lstrcmpW (lpString1="..", lpString2="Integration") returned -1 [0099.208] lstrcmpiW (lpString1="windows", lpString2="Integration") returned 1 [0099.264] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" [0099.264] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned 46 [0099.264] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\", lpString2="Integration" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Integration") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Integration" [0099.264] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Integration", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Integration\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Integration\\*.*" [0099.264] GlobalMemoryStatus (in: lpBuffer=0x1c91fd08 | out: lpBuffer=0x1c91fd08) [0099.264] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3e78140, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x588 [0099.265] CloseHandle (hObject=0x588) returned 1 [0099.265] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0x1c91fd28 | out: lpFindFileData=0x1c91fd28) returned 1 [0099.265] lstrcmpW (lpString1=".", lpString2="Licenses") returned -1 [0099.265] lstrcmpW (lpString1="..", lpString2="Licenses") returned -1 [0099.265] lstrcmpiW (lpString1="windows", lpString2="Licenses") returned 1 [0099.270] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" [0099.270] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned 46 [0099.270] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\", lpString2="Licenses" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Licenses") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Licenses" [0099.270] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Licenses", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Licenses\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Licenses\\*.*" [0099.271] GlobalMemoryStatus (in: lpBuffer=0x1c91fd08 | out: lpBuffer=0x1c91fd08) [0099.271] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x218927a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x588 [0099.271] CloseHandle (hObject=0x588) returned 1 [0099.272] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0x1c91fd28 | out: lpFindFileData=0x1c91fd28) returned 1 [0099.272] lstrcmpW (lpString1=".", lpString2="Licenses16") returned -1 [0099.272] lstrcmpW (lpString1="..", lpString2="Licenses16") returned -1 [0099.272] lstrcmpiW (lpString1="windows", lpString2="Licenses16") returned 1 [0099.278] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" [0099.278] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned 46 [0099.278] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\", lpString2="Licenses16" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Licenses16") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Licenses16" [0099.278] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Licenses16", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Licenses16\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Licenses16\\*.*" [0099.278] GlobalMemoryStatus (in: lpBuffer=0x1c91fd08 | out: lpBuffer=0x1c91fd08) [0099.278] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x218aa808, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x588 [0099.279] CloseHandle (hObject=0x588) returned 1 [0099.279] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0x1c91fd28 | out: lpFindFileData=0x1c91fd28) returned 1 [0099.279] lstrcmpW (lpString1=".", lpString2="loc") returned -1 [0099.279] lstrcmpW (lpString1="..", lpString2="loc") returned -1 [0099.279] lstrcmpiW (lpString1="windows", lpString2="loc") returned 1 [0099.284] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" [0099.284] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned 46 [0099.284] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\", lpString2="loc" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\loc") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\loc" [0099.284] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\loc", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\loc\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\loc\\*.*" [0099.284] GlobalMemoryStatus (in: lpBuffer=0x1c91fd08 | out: lpBuffer=0x1c91fd08) [0099.284] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x218c2870, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x588 [0099.285] CloseHandle (hObject=0x588) returned 1 [0099.285] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0x1c91fd28 | out: lpFindFileData=0x1c91fd28) returned 1 [0099.285] lstrcmpW (lpString1=".", lpString2="mcxml") returned -1 [0099.285] lstrcmpW (lpString1="..", lpString2="mcxml") returned -1 [0099.285] lstrcmpiW (lpString1="windows", lpString2="mcxml") returned 1 [0099.290] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" [0099.290] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned 46 [0099.290] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\", lpString2="mcxml" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\mcxml") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\mcxml" [0099.290] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\mcxml", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\mcxml\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\mcxml\\*.*" [0099.291] GlobalMemoryStatus (in: lpBuffer=0x1c91fd08 | out: lpBuffer=0x1c91fd08) [0099.291] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x218da8d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x588 [0099.291] CloseHandle (hObject=0x588) returned 1 [0099.292] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0x1c91fd28 | out: lpFindFileData=0x1c91fd28) returned 1 [0099.292] lstrcmpW (lpString1=".", lpString2="Office15") returned -1 [0099.292] lstrcmpW (lpString1="..", lpString2="Office15") returned -1 [0099.292] lstrcmpiW (lpString1="windows", lpString2="Office15") returned 1 [0099.297] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" [0099.297] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned 46 [0099.297] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\", lpString2="Office15" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office15") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office15" [0099.297] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office15", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office15\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office15\\*.*" [0099.297] GlobalMemoryStatus (in: lpBuffer=0x1c91fd08 | out: lpBuffer=0x1c91fd08) [0099.297] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x218f2940, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x588 [0099.298] CloseHandle (hObject=0x588) returned 1 [0099.298] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0x1c91fd28 | out: lpFindFileData=0x1c91fd28) returned 1 [0099.298] lstrcmpW (lpString1=".", lpString2="Office16") returned -1 [0099.298] lstrcmpW (lpString1="..", lpString2="Office16") returned -1 [0099.298] lstrcmpiW (lpString1="windows", lpString2="Office16") returned 1 [0099.302] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" [0099.302] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned 46 [0099.302] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\", lpString2="Office16" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16" [0099.302] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Office16\\*.*" [0099.302] GlobalMemoryStatus (in: lpBuffer=0x1c91fd08 | out: lpBuffer=0x1c91fd08) [0099.302] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2190a9a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x588 [0099.303] CloseHandle (hObject=0x588) returned 1 [0099.303] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0x1c91fd28 | out: lpFindFileData=0x1c91fd28) returned 1 [0099.303] lstrcmpW (lpString1=".", lpString2="rsod") returned -1 [0099.303] lstrcmpW (lpString1="..", lpString2="rsod") returned -1 [0099.303] lstrcmpiW (lpString1="windows", lpString2="rsod") returned 1 [0099.308] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" [0099.308] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned 46 [0099.308] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\", lpString2="rsod" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\rsod") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\rsod" [0099.308] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\rsod", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\rsod\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\rsod\\*.*" [0099.308] GlobalMemoryStatus (in: lpBuffer=0x1c91fd08 | out: lpBuffer=0x1c91fd08) [0099.308] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21922a10, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x588 [0099.309] CloseHandle (hObject=0x588) returned 1 [0099.309] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0x1c91fd28 | out: lpFindFileData=0x1c91fd28) returned 1 [0099.309] lstrcmpW (lpString1=".", lpString2="Stationery") returned -1 [0099.309] lstrcmpW (lpString1="..", lpString2="Stationery") returned -1 [0099.309] lstrcmpiW (lpString1="windows", lpString2="Stationery") returned 1 [0099.313] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" [0099.313] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned 46 [0099.313] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\", lpString2="Stationery" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Stationery") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Stationery" [0099.313] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Stationery", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Stationery\\*.*" [0099.313] GlobalMemoryStatus (in: lpBuffer=0x1c91fd08 | out: lpBuffer=0x1c91fd08) [0099.313] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2193aa78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x588 [0099.314] CloseHandle (hObject=0x588) returned 1 [0099.314] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0x1c91fd28 | out: lpFindFileData=0x1c91fd28) returned 1 [0099.314] lstrcmpW (lpString1=".", lpString2="Templates") returned -1 [0099.314] lstrcmpW (lpString1="..", lpString2="Templates") returned -1 [0099.314] lstrcmpiW (lpString1="windows", lpString2="Templates") returned 1 [0099.318] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" [0099.318] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned 46 [0099.318] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\", lpString2="Templates" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Templates") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Templates" [0099.318] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Templates", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Templates\\*.*" [0099.318] GlobalMemoryStatus (in: lpBuffer=0x1c91fd08 | out: lpBuffer=0x1c91fd08) [0099.319] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21952ae0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x588 [0099.319] CloseHandle (hObject=0x588) returned 1 [0099.319] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0x1c91fd28 | out: lpFindFileData=0x1c91fd28) returned 1 [0099.319] lstrcmpW (lpString1=".", lpString2="VFS") returned -1 [0099.319] lstrcmpW (lpString1="..", lpString2="VFS") returned -1 [0099.319] lstrcmpiW (lpString1="windows", lpString2="VFS") returned 1 [0099.324] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*" [0099.324] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\*.*") returned 46 [0099.324] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\", lpString2="VFS" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\VFS") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\VFS" [0099.324] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\VFS", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\VFS\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\VFS\\*.*" [0099.324] GlobalMemoryStatus (in: lpBuffer=0x1c91fd08 | out: lpBuffer=0x1c91fd08) [0099.324] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2196ab48, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x588 [0099.325] CloseHandle (hObject=0x588) returned 1 [0099.325] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0x1c91fd28 | out: lpFindFileData=0x1c91fd28) returned 0 [0099.325] FindClose (in: hFindFile=0x5c9250 | out: hFindFile=0x5c9250) returned 1 Thread: id = 403 os_tid = 0x98c [0098.369] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\*.*", lpFindFileData=0x1ca5fd28 | out: lpFindFileData=0x1ca5fd28) returned 0x5c9290 [0098.370] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.370] FindNextFileW (in: hFindFile=0x5c9290, lpFindFileData=0x1ca5fd28 | out: lpFindFileData=0x1ca5fd28) returned 1 [0098.370] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.370] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.370] FindNextFileW (in: hFindFile=0x5c9290, lpFindFileData=0x1ca5fd28 | out: lpFindFileData=0x1ca5fd28) returned 1 [0098.370] lstrcmpW (lpString1=".", lpString2="Apply") returned -1 [0098.370] lstrcmpW (lpString1="..", lpString2="Apply") returned -1 [0098.370] lstrcmpiW (lpString1="windows", lpString2="Apply") returned 1 [0098.374] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\*.*" [0098.374] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\*.*") returned 49 [0098.374] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\", lpString2="Apply" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Apply") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Apply" [0098.374] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Apply", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Apply\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Apply\\*.*" [0098.374] GlobalMemoryStatus (in: lpBuffer=0x1ca5fd08 | out: lpBuffer=0x1ca5fd08) [0098.375] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21752250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x524 [0098.375] CloseHandle (hObject=0x524) returned 1 [0098.375] FindNextFileW (in: hFindFile=0x5c9290, lpFindFileData=0x1ca5fd28 | out: lpFindFileData=0x1ca5fd28) returned 1 [0098.375] lstrcmpW (lpString1=".", lpString2="Detection") returned -1 [0098.375] lstrcmpW (lpString1="..", lpString2="Detection") returned -1 [0098.375] lstrcmpiW (lpString1="windows", lpString2="Detection") returned 1 [0098.380] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\*.*" [0098.380] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\*.*") returned 49 [0098.380] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\", lpString2="Detection" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Detection") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Detection" [0098.380] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Detection", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Detection\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Detection\\*.*" [0098.380] GlobalMemoryStatus (in: lpBuffer=0x1ca5fd08 | out: lpBuffer=0x1ca5fd08) [0098.381] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2176a2b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x524 [0098.381] CloseHandle (hObject=0x524) returned 1 [0098.381] FindNextFileW (in: hFindFile=0x5c9290, lpFindFileData=0x1ca5fd28 | out: lpFindFileData=0x1ca5fd28) returned 1 [0098.381] lstrcmpW (lpString1=".", lpString2="Download") returned -1 [0098.381] lstrcmpW (lpString1="..", lpString2="Download") returned -1 [0098.381] lstrcmpiW (lpString1="windows", lpString2="Download") returned 1 [0098.387] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\*.*" [0098.387] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\*.*") returned 49 [0098.387] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\", lpString2="Download" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Download") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Download" [0098.387] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Download", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Download\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Download\\*.*" [0098.387] GlobalMemoryStatus (in: lpBuffer=0x1ca5fd08 | out: lpBuffer=0x1ca5fd08) [0098.387] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21782320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x524 [0098.388] CloseHandle (hObject=0x524) returned 1 [0098.388] FindNextFileW (in: hFindFile=0x5c9290, lpFindFileData=0x1ca5fd28 | out: lpFindFileData=0x1ca5fd28) returned 0 [0098.388] FindClose (in: hFindFile=0x5c9290 | out: hFindFile=0x5c9290) returned 1 Thread: id = 404 os_tid = 0xd7c [0098.390] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*", lpFindFileData=0x1cb9fd28 | out: lpFindFileData=0x1cb9fd28) returned 0x2c9e4c8 [0099.236] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.236] FindNextFileW (in: hFindFile=0x2c9e4c8, lpFindFileData=0x1cb9fd28 | out: lpFindFileData=0x1cb9fd28) returned 1 [0099.236] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.236] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.236] FindNextFileW (in: hFindFile=0x2c9e4c8, lpFindFileData=0x1cb9fd28 | out: lpFindFileData=0x1cb9fd28) returned 1 [0099.240] lstrcpyW (in: lpString1=0x8d81640, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0099.240] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0099.240] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\How To Restore Files.hta" [0099.240] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\network sharing\\how to restore files.hta")) returned 0xffffffff [0099.240] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\network sharing\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 405 os_tid = 0xf74 [0098.392] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\*.*", lpFindFileData=0x1ccdfd28 | out: lpFindFileData=0x1ccdfd28) returned 0x5c9350 [0098.392] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.392] FindNextFileW (in: hFindFile=0x5c9350, lpFindFileData=0x1ccdfd28 | out: lpFindFileData=0x1ccdfd28) returned 1 [0098.392] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.393] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.393] FindNextFileW (in: hFindFile=0x5c9350, lpFindFileData=0x1ccdfd28 | out: lpFindFileData=0x1ccdfd28) returned 1 [0098.397] lstrcpyW (in: lpString1=0x5d70fd8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\*.*" [0098.397] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\*.*") returned 51 [0098.397] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\How To Restore Files.hta" [0098.397] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\skins\\how to restore files.hta")) returned 0xffffffff [0098.397] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\How To Restore Files.hta" (normalized: "c:\\program files\\windows media player\\skins\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 406 os_tid = 0xdc8 [0098.401] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Visualizations\\*.*", lpFindFileData=0x1ce1fd28 | out: lpFindFileData=0x1ce1fd28) returned 0x5c8d50 [0098.402] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.402] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x1ce1fd28 | out: lpFindFileData=0x1ce1fd28) returned 1 [0098.402] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.402] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.402] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x1ce1fd28 | out: lpFindFileData=0x1ce1fd28) returned 0 [0098.402] FindClose (in: hFindFile=0x5c8d50 | out: hFindFile=0x5c8d50) returned 1 Thread: id = 407 os_tid = 0xe28 [0098.749] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*", lpFindFileData=0x32ffd28) Thread: id = 408 os_tid = 0xd6c [0098.403] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\*.*", lpFindFileData=0x37ffd28 | out: lpFindFileData=0x37ffd28) returned 0x5c8d50 [0098.403] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.403] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x37ffd28 | out: lpFindFileData=0x37ffd28) returned 1 [0098.404] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.404] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.404] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x37ffd28 | out: lpFindFileData=0x37ffd28) returned 1 [0098.404] lstrcmpW (lpString1=".", lpString2="Application") returned -1 [0098.404] lstrcmpW (lpString1="..", lpString2="Application") returned -1 [0098.404] lstrcmpiW (lpString1="windows", lpString2="Application") returned 1 [0098.404] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\*.*" [0098.404] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\*.*") returned 44 [0098.404] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\", lpString2="Application" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application" [0098.404] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*" [0098.404] GlobalMemoryStatus (in: lpBuffer=0x37ffd08 | out: lpBuffer=0x37ffd08) [0098.404] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1114ee80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x538 [0098.405] CloseHandle (hObject=0x538) returned 1 [0098.405] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x37ffd28 | out: lpFindFileData=0x37ffd28) returned 0 [0098.405] FindClose (in: hFindFile=0x5c8d50 | out: hFindFile=0x5c8d50) returned 1 Thread: id = 409 os_tid = 0xce0 [0098.406] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\CrashReports\\*.*", lpFindFileData=0x38ffd28 | out: lpFindFileData=0x38ffd28) returned 0x5c9010 [0098.440] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.440] FindNextFileW (in: hFindFile=0x5c9010, lpFindFileData=0x38ffd28 | out: lpFindFileData=0x38ffd28) returned 1 [0098.440] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.440] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.440] FindNextFileW (in: hFindFile=0x5c9010, lpFindFileData=0x38ffd28 | out: lpFindFileData=0x38ffd28) returned 0 [0098.440] FindClose (in: hFindFile=0x5c9010 | out: hFindFile=0x5c9010) returned 1 Thread: id = 410 os_tid = 0xcf0 [0098.407] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*", lpFindFileData=0x3a3fd28 | out: lpFindFileData=0x3a3fd28) returned 0x5c8d50 [0098.407] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.407] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x3a3fd28 | out: lpFindFileData=0x3a3fd28) returned 1 [0098.407] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.407] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.408] FindNextFileW (in: hFindFile=0x5c8d50, lpFindFileData=0x3a3fd28 | out: lpFindFileData=0x3a3fd28) returned 1 [0098.412] lstrcpyW (in: lpString1=0x3e1c358, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" [0098.412] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned 54 [0098.412] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\How To Restore Files.hta" [0098.412] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\how to restore files.hta")) returned 0xffffffff [0098.412] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 411 os_tid = 0xcc8 [0098.413] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*", lpFindFileData=0x42bfd28 | out: lpFindFileData=0x42bfd28) returned 0x5c9010 [0098.442] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.442] FindNextFileW (in: hFindFile=0x5c9010, lpFindFileData=0x42bfd28 | out: lpFindFileData=0x42bfd28) returned 1 [0098.442] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.442] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.442] FindNextFileW (in: hFindFile=0x5c9010, lpFindFileData=0x42bfd28 | out: lpFindFileData=0x42bfd28) returned 1 [0098.447] lstrcpyW (in: lpString1=0x59b7c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*" [0098.447] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*") returned 71 [0098.447] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\How To Restore Files.hta" [0098.447] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\how to restore files.hta")) returned 0xffffffff [0098.447] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 412 os_tid = 0xccc [0098.415] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*", lpFindFileData=0x43bfd28 | out: lpFindFileData=0x43bfd28) returned 0x5c8e50 [0098.415] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.415] FindNextFileW (in: hFindFile=0x5c8e50, lpFindFileData=0x43bfd28 | out: lpFindFileData=0x43bfd28) returned 1 [0098.415] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.415] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.415] FindNextFileW (in: hFindFile=0x5c8e50, lpFindFileData=0x43bfd28 | out: lpFindFileData=0x43bfd28) returned 1 [0098.420] lstrcpyW (in: lpString1=0x5a88460, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*" [0098.420] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*") returned 55 [0098.420] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\How To Restore Files.hta" [0098.421] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\microsoft.net\\redistlist\\how to restore files.hta")) returned 0xffffffff [0098.421] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\microsoft.net\\redistlist\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 413 os_tid = 0xd80 [0098.421] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\*.*", lpFindFileData=0x44ffd28) Thread: id = 414 os_tid = 0xd70 [0098.422] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\*.*", lpFindFileData=0x463fd28 | out: lpFindFileData=0x463fd28) returned 0x5c8f10 [0098.423] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.423] FindNextFileW (in: hFindFile=0x5c8f10, lpFindFileData=0x463fd28 | out: lpFindFileData=0x463fd28) returned 1 [0098.423] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.423] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.423] FindNextFileW (in: hFindFile=0x5c8f10, lpFindFileData=0x463fd28 | out: lpFindFileData=0x463fd28) returned 1 [0098.423] lstrcmpW (lpString1=".", lpString2="Windows Workflow Foundation") returned -1 [0098.423] lstrcmpW (lpString1="..", lpString2="Windows Workflow Foundation") returned -1 [0098.423] lstrcmpiW (lpString1="windows", lpString2="Windows Workflow Foundation") returned -1 [0098.423] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\*.*" [0098.423] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\*.*") returned 48 [0098.423] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\", lpString2="Windows Workflow Foundation" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation" [0098.423] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*" [0098.423] GlobalMemoryStatus (in: lpBuffer=0x463fd08 | out: lpBuffer=0x463fd08) [0098.423] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8ca12f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x470 [0098.424] CloseHandle (hObject=0x470) returned 1 [0098.424] FindNextFileW (in: hFindFile=0x5c8f10, lpFindFileData=0x463fd28 | out: lpFindFileData=0x463fd28) returned 0 [0098.424] FindClose (in: hFindFile=0x5c8f10 | out: hFindFile=0x5c8f10) returned 1 Thread: id = 415 os_tid = 0x150 [0098.425] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\*.*", lpFindFileData=0x477fd28 | out: lpFindFileData=0x477fd28) returned 0x5c8f10 [0098.426] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.426] FindNextFileW (in: hFindFile=0x5c8f10, lpFindFileData=0x477fd28 | out: lpFindFileData=0x477fd28) returned 1 [0098.426] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.426] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.426] FindNextFileW (in: hFindFile=0x5c8f10, lpFindFileData=0x477fd28 | out: lpFindFileData=0x477fd28) returned 1 [0098.426] lstrcmpW (lpString1=".", lpString2="Framework") returned -1 [0098.426] lstrcmpW (lpString1="..", lpString2="Framework") returned -1 [0098.426] lstrcmpiW (lpString1="windows", lpString2="Framework") returned 1 [0098.426] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\*.*" [0098.426] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\*.*") returned 61 [0098.426] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\", lpString2="Framework" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework" [0098.426] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\*.*" [0098.426] GlobalMemoryStatus (in: lpBuffer=0x477fd08 | out: lpBuffer=0x477fd08) [0098.426] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11196fb8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x470 [0098.427] CloseHandle (hObject=0x470) returned 1 [0098.427] FindNextFileW (in: hFindFile=0x5c8f10, lpFindFileData=0x477fd28 | out: lpFindFileData=0x477fd28) returned 0 [0098.427] FindClose (in: hFindFile=0x5c8f10 | out: hFindFile=0x5c8f10) returned 1 Thread: id = 416 os_tid = 0xc24 [0098.428] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*", lpFindFileData=0x4a3fd28 | out: lpFindFileData=0x4a3fd28) returned 0x5c8f10 [0098.429] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.429] FindNextFileW (in: hFindFile=0x5c8f10, lpFindFileData=0x4a3fd28 | out: lpFindFileData=0x4a3fd28) returned 1 [0098.429] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.429] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.429] FindNextFileW (in: hFindFile=0x5c8f10, lpFindFileData=0x4a3fd28 | out: lpFindFileData=0x4a3fd28) returned 1 [0098.433] lstrcpyW (in: lpString1=0x8b18c20, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*" [0098.433] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*") returned 53 [0098.433] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\How To Restore Files.hta" [0098.433] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows defender\\en-us\\how to restore files.hta")) returned 0xffffffff [0098.434] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows defender\\en-us\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 417 os_tid = 0xd20 [0098.441] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*", lpFindFileData=0x4cbfd28) Thread: id = 418 os_tid = 0x6b4 [0098.448] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Icons\\*.*", lpFindFileData=0x4dbfd28 | out: lpFindFileData=0x4dbfd28) returned 0x5c8e90 [0100.985] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.985] FindNextFileW (in: hFindFile=0x5c8e90, lpFindFileData=0x4dbfd28 | out: lpFindFileData=0x4dbfd28) returned 1 [0100.985] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0100.985] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.985] FindNextFileW (in: hFindFile=0x5c8e90, lpFindFileData=0x4dbfd28 | out: lpFindFileData=0x4dbfd28) returned 0 [0100.985] FindClose (in: hFindFile=0x5c8e90 | out: hFindFile=0x5c8e90) returned 1 Thread: id = 419 os_tid = 0xd64 [0098.448] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*", lpFindFileData=0x51cfd28 | out: lpFindFileData=0x51cfd28) returned 0x2c9e488 [0099.212] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.212] FindNextFileW (in: hFindFile=0x2c9e488, lpFindFileData=0x51cfd28 | out: lpFindFileData=0x51cfd28) returned 1 [0099.212] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.212] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.212] FindNextFileW (in: hFindFile=0x2c9e488, lpFindFileData=0x51cfd28 | out: lpFindFileData=0x51cfd28) returned 1 [0099.212] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0099.212] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0099.212] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0099.241] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*" [0099.241] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*") returned 53 [0099.241] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US" [0099.241] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\*.*" [0099.241] GlobalMemoryStatus (in: lpBuffer=0x51cfd08 | out: lpBuffer=0x51cfd08) [0099.241] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x113db980, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4d0 [0099.242] CloseHandle (hObject=0x4d0) returned 1 [0099.242] FindNextFileW (in: hFindFile=0x2c9e488, lpFindFileData=0x51cfd28 | out: lpFindFileData=0x51cfd28) returned 1 [0099.242] lstrcpyW (in: lpString1=0x8d89648, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*" [0099.242] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*") returned 53 [0099.242] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\How To Restore Files.hta" [0099.242] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows nt\\accessories\\how to restore files.hta")) returned 0xffffffff [0099.243] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows nt\\accessories\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 420 os_tid = 0xd58 [0098.449] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*", lpFindFileData=0x558fd28 | out: lpFindFileData=0x558fd28) returned 0x2c9e408 [0099.212] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.212] FindNextFileW (in: hFindFile=0x2c9e408, lpFindFileData=0x558fd28 | out: lpFindFileData=0x558fd28) returned 1 [0099.212] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.212] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.212] FindNextFileW (in: hFindFile=0x2c9e408, lpFindFileData=0x558fd28 | out: lpFindFileData=0x558fd28) returned 1 [0099.212] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0099.212] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0099.212] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0099.250] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" [0099.251] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned 58 [0099.251] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US" [0099.251] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\*.*" [0099.251] GlobalMemoryStatus (in: lpBuffer=0x558fd08 | out: lpBuffer=0x558fd08) [0099.251] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21872730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4d0 [0099.251] CloseHandle (hObject=0x4d0) returned 1 [0099.252] FindNextFileW (in: hFindFile=0x2c9e408, lpFindFileData=0x558fd28 | out: lpFindFileData=0x558fd28) returned 1 [0099.252] lstrcpyW (in: lpString1=0x2188a798, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" [0099.252] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned 58 [0099.252] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\How To Restore Files.hta" [0099.252] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\how to restore files.hta")) returned 0xffffffff [0099.252] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 421 os_tid = 0xd98 [0098.449] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*", lpFindFileData=0x594fd28 | out: lpFindFileData=0x594fd28) returned 0x10804d08 [0098.450] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.450] FindNextFileW (in: hFindFile=0x10804d08, lpFindFileData=0x594fd28 | out: lpFindFileData=0x594fd28) returned 1 [0098.450] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.450] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.450] FindNextFileW (in: hFindFile=0x10804d08, lpFindFileData=0x594fd28 | out: lpFindFileData=0x594fd28) returned 1 [0098.455] lstrcpyW (in: lpString1=0x9041e30, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*" [0098.456] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*") returned 57 [0098.456] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\How To Restore Files.hta" [0098.456] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows photo viewer\\en-us\\how to restore files.hta")) returned 0xffffffff [0098.456] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows photo viewer\\en-us\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 422 os_tid = 0xd60 [0098.457] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*", lpFindFileData=0x5e8fd28 | out: lpFindFileData=0x5e8fd28) returned 0x10804d48 [0098.457] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.457] FindNextFileW (in: hFindFile=0x10804d48, lpFindFileData=0x5e8fd28 | out: lpFindFileData=0x5e8fd28) returned 1 [0098.457] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.457] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.457] FindNextFileW (in: hFindFile=0x10804d48, lpFindFileData=0x5e8fd28 | out: lpFindFileData=0x5e8fd28) returned 0 [0098.457] FindClose (in: hFindFile=0x10804d48 | out: hFindFile=0x10804d48) returned 1 Thread: id = 423 os_tid = 0xdc0 [0098.459] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\*.*", lpFindFileData=0x5fcfd28 | out: lpFindFileData=0x5fcfd28) returned 0x10804d48 [0098.459] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.459] FindNextFileW (in: hFindFile=0x10804d48, lpFindFileData=0x5fcfd28 | out: lpFindFileData=0x5fcfd28) returned 1 [0098.459] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.459] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.459] FindNextFileW (in: hFindFile=0x10804d48, lpFindFileData=0x5fcfd28 | out: lpFindFileData=0x5fcfd28) returned 0 [0098.459] FindClose (in: hFindFile=0x10804d48 | out: hFindFile=0x10804d48) returned 1 Thread: id = 424 os_tid = 0xd34 [0098.460] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\*.*", lpFindFileData=0x610fd28 | out: lpFindFileData=0x610fd28) returned 0x10804d48 [0098.461] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.461] FindNextFileW (in: hFindFile=0x10804d48, lpFindFileData=0x610fd28 | out: lpFindFileData=0x610fd28) returned 1 [0098.461] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.461] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.461] FindNextFileW (in: hFindFile=0x10804d48, lpFindFileData=0x610fd28 | out: lpFindFileData=0x610fd28) returned 1 [0098.461] lstrcmpW (lpString1=".", lpString2="Registration") returned -1 [0098.461] lstrcmpW (lpString1="..", lpString2="Registration") returned -1 [0098.461] lstrcmpiW (lpString1="windows", lpString2="Registration") returned 1 [0098.461] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\*.*" [0098.461] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\*.*") returned 62 [0098.461] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\", lpString2="Registration" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration" [0098.461] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\*.*" [0098.461] GlobalMemoryStatus (in: lpBuffer=0x610fd08 | out: lpBuffer=0x610fd08) [0098.461] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8cb9360, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x574 [0098.462] CloseHandle (hObject=0x574) returned 1 [0098.462] FindNextFileW (in: hFindFile=0x10804d48, lpFindFileData=0x610fd28 | out: lpFindFileData=0x610fd28) returned 1 [0098.462] lstrcmpW (lpString1=".", lpString2="Schema") returned -1 [0098.462] lstrcmpW (lpString1="..", lpString2="Schema") returned -1 [0098.462] lstrcmpiW (lpString1="windows", lpString2="Schema") returned 1 [0098.462] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\*.*" [0098.462] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\*.*") returned 62 [0098.462] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\", lpString2="Schema" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema" [0098.462] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\*.*" [0098.463] GlobalMemoryStatus (in: lpBuffer=0x610fd08 | out: lpBuffer=0x610fd08) [0098.463] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8d39508, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x574 [0098.463] CloseHandle (hObject=0x574) returned 1 [0098.463] FindNextFileW (in: hFindFile=0x10804d48, lpFindFileData=0x610fd28 | out: lpFindFileData=0x610fd28) returned 0 [0098.463] FindClose (in: hFindFile=0x10804d48 | out: hFindFile=0x10804d48) returned 1 Thread: id = 425 os_tid = 0xd5c [0098.465] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\*.*", lpFindFileData=0x638fd28 | out: lpFindFileData=0x638fd28) returned 0x108050c8 [0098.507] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.507] FindNextFileW (in: hFindFile=0x108050c8, lpFindFileData=0x638fd28 | out: lpFindFileData=0x638fd28) returned 1 [0098.507] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.507] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.507] FindNextFileW (in: hFindFile=0x108050c8, lpFindFileData=0x638fd28 | out: lpFindFileData=0x638fd28) returned 1 [0098.507] lstrcmpW (lpString1=".", lpString2="PackageManagement") returned -1 [0098.507] lstrcmpW (lpString1="..", lpString2="PackageManagement") returned -1 [0098.507] lstrcmpiW (lpString1="windows", lpString2="PackageManagement") returned 1 [0098.508] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\*.*" [0098.508] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\*.*") returned 56 [0098.508] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\", lpString2="PackageManagement" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement" [0098.508] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\*.*" [0098.508] GlobalMemoryStatus (in: lpBuffer=0x638fd08 | out: lpBuffer=0x638fd08) [0098.509] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x217b23f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0098.509] CloseHandle (hObject=0x344) returned 1 [0098.509] FindNextFileW (in: hFindFile=0x108050c8, lpFindFileData=0x638fd28 | out: lpFindFileData=0x638fd28) returned 1 [0098.509] lstrcmpW (lpString1=".", lpString2="Pester") returned -1 [0098.509] lstrcmpW (lpString1="..", lpString2="Pester") returned -1 [0098.510] lstrcmpiW (lpString1="windows", lpString2="Pester") returned 1 [0098.516] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\*.*" [0098.516] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\*.*") returned 56 [0098.516] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\", lpString2="Pester" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester" [0098.516] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\*.*" [0098.516] GlobalMemoryStatus (in: lpBuffer=0x638fd08 | out: lpBuffer=0x638fd08) [0098.516] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x217ca458, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0098.518] CloseHandle (hObject=0x344) returned 1 [0098.518] FindNextFileW (in: hFindFile=0x108050c8, lpFindFileData=0x638fd28 | out: lpFindFileData=0x638fd28) returned 1 [0098.518] lstrcmpW (lpString1=".", lpString2="PowerShellGet") returned -1 [0098.518] lstrcmpW (lpString1="..", lpString2="PowerShellGet") returned -1 [0098.518] lstrcmpiW (lpString1="windows", lpString2="PowerShellGet") returned 1 [0098.524] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\*.*" [0098.524] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\*.*") returned 56 [0098.524] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\", lpString2="PowerShellGet" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet" [0098.524] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\*.*" [0098.524] GlobalMemoryStatus (in: lpBuffer=0x638fd08 | out: lpBuffer=0x638fd08) [0098.524] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x217e24c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x344 [0098.525] CloseHandle (hObject=0x344) returned 1 [0098.525] FindNextFileW (in: hFindFile=0x108050c8, lpFindFileData=0x638fd28 | out: lpFindFileData=0x638fd28) returned 0 [0098.525] FindClose (in: hFindFile=0x108050c8 | out: hFindFile=0x108050c8) returned 1 Thread: id = 426 os_tid = 0x5b8 [0098.465] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*", lpFindFileData=0xce8fd28 | out: lpFindFileData=0xce8fd28) returned 0x10804d48 [0098.466] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.466] FindNextFileW (in: hFindFile=0x10804d48, lpFindFileData=0xce8fd28 | out: lpFindFileData=0xce8fd28) returned 1 [0098.466] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.466] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.466] FindNextFileW (in: hFindFile=0x10804d48, lpFindFileData=0xce8fd28 | out: lpFindFileData=0xce8fd28) returned 1 [0098.466] lstrcpyW (in: lpString1=0x8dc1720, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*" [0098.467] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*") returned 49 [0098.467] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\How To Restore Files.hta" [0098.467] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows mail\\en-us\\how to restore files.hta")) returned 0xffffffff [0098.467] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windows mail\\en-us\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 427 os_tid = 0xde8 [0098.468] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*.*", lpFindFileData=0xcfcfd28 | out: lpFindFileData=0xcfcfd28) returned 0x10804d88 [0098.468] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.468] FindNextFileW (in: hFindFile=0x10804d88, lpFindFileData=0xcfcfd28 | out: lpFindFileData=0xcfcfd28) returned 1 [0098.468] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.468] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.468] FindNextFileW (in: hFindFile=0x10804d88, lpFindFileData=0xcfcfd28 | out: lpFindFileData=0xcfcfd28) returned 0 [0098.468] FindClose (in: hFindFile=0x10804d88 | out: hFindFile=0x10804d88) returned 1 Thread: id = 428 os_tid = 0xd28 [0098.469] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*", lpFindFileData=0xd10fd28 | out: lpFindFileData=0xd10fd28) returned 0x10804d88 [0098.470] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.470] FindNextFileW (in: hFindFile=0x10804d88, lpFindFileData=0xd10fd28 | out: lpFindFileData=0xd10fd28) returned 1 [0098.470] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.470] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.470] FindNextFileW (in: hFindFile=0x10804d88, lpFindFileData=0xd10fd28 | out: lpFindFileData=0xd10fd28) returned 1 [0098.470] lstrcpyW (in: lpString1=0x3ec5ad0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*" [0098.470] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*") returned 51 [0098.470] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\How To Restore Files.hta" [0098.470] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\how to restore files.hta")) returned 0xffffffff [0098.470] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 429 os_tid = 0x65c [0098.470] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*", lpFindFileData=0xd38fd28) Thread: id = 430 os_tid = 0xd44 [0098.471] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\*.*", lpFindFileData=0xd74fd28) Thread: id = 431 os_tid = 0x788 [0098.471] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*.*", lpFindFileData=0xd88fd28 | out: lpFindFileData=0xd88fd28) returned 0x5c8f50 [0101.032] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.032] FindNextFileW (in: hFindFile=0x5c8f50, lpFindFileData=0xd88fd28 | out: lpFindFileData=0xd88fd28) returned 1 [0101.032] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.032] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.032] FindNextFileW (in: hFindFile=0x5c8f50, lpFindFileData=0xd88fd28 | out: lpFindFileData=0xd88fd28) returned 1 [0101.033] lstrcmpW (lpString1=".", lpString2="Applications") returned -1 [0101.033] lstrcmpW (lpString1="..", lpString2="Applications") returned -1 [0101.033] lstrcmpiW (lpString1="windows", lpString2="Applications") returned 1 [0101.033] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*.*" [0101.033] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*.*") returned 44 [0101.033] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\", lpString2="Applications" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications" [0101.033] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\*.*" [0101.033] GlobalMemoryStatus (in: lpBuffer=0xd88fd08 | out: lpBuffer=0xd88fd08) [0101.033] CreateThread (lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8eb9b88, dwCreationFlags=0x0, lpThreadId=0x0) Thread: id = 432 os_tid = 0xd68 [0098.471] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*.*", lpFindFileData=0xdecfd28 | out: lpFindFileData=0xdecfd28) returned 0x10804dc8 [0098.472] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.472] FindNextFileW (in: hFindFile=0x10804dc8, lpFindFileData=0xdecfd28 | out: lpFindFileData=0xdecfd28) returned 1 [0098.472] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.472] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.472] FindNextFileW (in: hFindFile=0x10804dc8, lpFindFileData=0xdecfd28 | out: lpFindFileData=0xdecfd28) returned 1 [0098.472] lstrcpyW (in: lpString1=0x2c952c8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*.*" [0098.472] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*.*") returned 75 [0098.472] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\How To Restore Files.hta" [0098.472] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\how to restore files.hta")) returned 0xffffffff [0098.472] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 433 os_tid = 0xc1c [0098.473] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*", lpFindFileData=0xe28fd28 | out: lpFindFileData=0xe28fd28) returned 0x10804e48 [0098.473] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.473] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0xe28fd28 | out: lpFindFileData=0xe28fd28) returned 1 [0098.473] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.473] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.473] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0xe28fd28 | out: lpFindFileData=0xe28fd28) returned 1 [0098.473] lstrcmpW (lpString1=".", lpString2="Adobe") returned -1 [0098.473] lstrcmpW (lpString1="..", lpString2="Adobe") returned -1 [0098.473] lstrcmpiW (lpString1="windows", lpString2="Adobe") returned 1 [0098.474] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*" [0098.474] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*") returned 43 [0098.474] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\", lpString2="Adobe" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Adobe") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Adobe" [0098.474] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Adobe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Adobe\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Adobe\\*.*" [0098.474] GlobalMemoryStatus (in: lpBuffer=0xe28fd08 | out: lpBuffer=0xe28fd08) [0098.474] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1123f290, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x28c [0098.475] CloseHandle (hObject=0x28c) returned 1 [0098.475] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0xe28fd28 | out: lpFindFileData=0xe28fd28) returned 1 [0098.475] lstrcmpW (lpString1=".", lpString2="Application Data") returned -1 [0098.475] lstrcmpW (lpString1="..", lpString2="Application Data") returned -1 [0098.475] lstrcmpiW (lpString1="windows", lpString2="Application Data") returned 1 [0098.475] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*" [0098.475] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*") returned 43 [0098.475] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\", lpString2="Application Data" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Application Data") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Application Data" [0098.475] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Application Data", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Application Data\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Application Data\\*.*" [0098.475] GlobalMemoryStatus (in: lpBuffer=0xe28fd08 | out: lpBuffer=0xe28fd08) [0098.475] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8e118b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x28c [0098.476] CloseHandle (hObject=0x28c) returned 1 [0098.476] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0xe28fd28 | out: lpFindFileData=0xe28fd28) returned 1 [0098.476] lstrcmpW (lpString1=".", lpString2="CEF") returned -1 [0098.476] lstrcmpW (lpString1="..", lpString2="CEF") returned -1 [0098.476] lstrcmpiW (lpString1="windows", lpString2="CEF") returned 1 [0098.476] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*" [0098.476] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*") returned 43 [0098.476] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\", lpString2="CEF" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\CEF") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\CEF" [0098.476] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\CEF", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\CEF\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\CEF\\*.*" [0098.476] GlobalMemoryStatus (in: lpBuffer=0xe28fd08 | out: lpBuffer=0xe28fd08) [0098.477] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10968c58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x28c [0098.477] CloseHandle (hObject=0x28c) returned 1 [0098.477] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0xe28fd28 | out: lpFindFileData=0xe28fd28) returned 1 [0098.478] lstrcmpW (lpString1=".", lpString2="Comms") returned -1 [0098.478] lstrcmpW (lpString1="..", lpString2="Comms") returned -1 [0098.478] lstrcmpiW (lpString1="windows", lpString2="Comms") returned 1 [0098.478] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*" [0098.478] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*") returned 43 [0098.478] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\", lpString2="Comms" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Comms") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Comms" [0098.478] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Comms", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Comms\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Comms\\*.*" [0098.478] GlobalMemoryStatus (in: lpBuffer=0xe28fd08 | out: lpBuffer=0xe28fd08) [0098.479] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x111f7158, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x28c [0098.479] CloseHandle (hObject=0x28c) returned 1 [0098.479] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0xe28fd28 | out: lpFindFileData=0xe28fd28) returned 1 [0098.479] lstrcmpW (lpString1=".", lpString2="Google") returned -1 [0098.479] lstrcmpW (lpString1="..", lpString2="Google") returned -1 [0098.479] lstrcmpiW (lpString1="windows", lpString2="Google") returned 1 [0098.480] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*" [0098.480] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*") returned 43 [0098.480] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\", lpString2="Google" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Google") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Google" [0098.480] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Google", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Google\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Google\\*.*" [0098.480] GlobalMemoryStatus (in: lpBuffer=0xe28fd08 | out: lpBuffer=0xe28fd08) [0098.480] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1120f1c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x28c [0098.480] CloseHandle (hObject=0x28c) returned 1 [0098.480] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0xe28fd28 | out: lpFindFileData=0xe28fd28) returned 1 [0098.481] lstrcmpW (lpString1=".", lpString2="History") returned -1 [0098.481] lstrcmpW (lpString1="..", lpString2="History") returned -1 [0098.481] lstrcmpiW (lpString1="windows", lpString2="History") returned 1 [0098.485] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*" [0098.486] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*") returned 43 [0098.486] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\", lpString2="History" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\History") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\History" [0098.486] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\History", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\History\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\History\\*.*" [0098.486] GlobalMemoryStatus (in: lpBuffer=0xe28fd08 | out: lpBuffer=0xe28fd08) [0098.486] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2179a388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x28c [0098.487] CloseHandle (hObject=0x28c) returned 1 [0098.487] FindNextFileW (in: hFindFile=0x10804e48, lpFindFileData=0xe28fd28 | out: lpFindFileData=0xe28fd28) returned 1 [0098.487] lstrcpyW (in: lpString1=0x1154be18, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*" [0098.487] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\*.*") returned 43 [0098.487] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\How To Restore Files.hta" [0098.487] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\how to restore files.hta")) returned 0xffffffff [0098.487] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 434 os_tid = 0xd14 [0098.488] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\*.*", lpFindFileData=0xe3cfd28 | out: lpFindFileData=0xe3cfd28) returned 0x5c8f50 [0101.026] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.026] FindNextFileW (in: hFindFile=0x5c8f50, lpFindFileData=0xe3cfd28 | out: lpFindFileData=0xe3cfd28) returned 1 [0101.026] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.026] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.026] FindNextFileW (in: hFindFile=0x5c8f50, lpFindFileData=0xe3cfd28 | out: lpFindFileData=0xe3cfd28) returned 1 [0101.026] lstrcmpW (lpString1=".", lpString2="Adobe") returned -1 [0101.026] lstrcmpW (lpString1="..", lpString2="Adobe") returned -1 [0101.026] lstrcmpiW (lpString1="windows", lpString2="Adobe") returned 1 [0101.027] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\*.*" [0101.027] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\*.*") returned 46 [0101.027] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\", lpString2="Adobe" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\Adobe") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\Adobe" [0101.027] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\Adobe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\Adobe\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\Adobe\\*.*" [0101.027] GlobalMemoryStatus (in: lpBuffer=0xe3cfd08 | out: lpBuffer=0xe3cfd08) [0101.027] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x20ed04e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x33c [0101.028] CloseHandle (hObject=0x33c) returned 1 [0101.028] FindNextFileW (in: hFindFile=0x5c8f50, lpFindFileData=0xe3cfd28 | out: lpFindFileData=0xe3cfd28) returned 1 [0101.028] lstrcmpW (lpString1=".", lpString2="Microsoft") returned -1 [0101.028] lstrcmpW (lpString1="..", lpString2="Microsoft") returned -1 [0101.028] lstrcmpiW (lpString1="windows", lpString2="Microsoft") returned 1 [0101.028] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\*.*" [0101.028] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\*.*") returned 46 [0101.028] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\", lpString2="Microsoft" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\Microsoft") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\Microsoft" [0101.028] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\Microsoft", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\Microsoft\\*.*" [0101.028] GlobalMemoryStatus (in: lpBuffer=0xe3cfd08 | out: lpBuffer=0xe3cfd08) [0101.028] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10ab9208, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x33c [0101.029] CloseHandle (hObject=0x33c) returned 1 [0101.029] FindNextFileW (in: hFindFile=0x5c8f50, lpFindFileData=0xe3cfd28 | out: lpFindFileData=0xe3cfd28) returned 1 [0101.029] lstrcmpW (lpString1=".", lpString2="Mozilla") returned -1 [0101.029] lstrcmpW (lpString1="..", lpString2="Mozilla") returned -1 [0101.029] lstrcmpiW (lpString1="windows", lpString2="Mozilla") returned 1 [0101.029] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\*.*" [0101.029] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\*.*") returned 46 [0101.029] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\", lpString2="Mozilla" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\Mozilla") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\Mozilla" [0101.029] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\Mozilla", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\Mozilla\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\Mozilla\\*.*" [0101.029] GlobalMemoryStatus (in: lpBuffer=0xe3cfd08 | out: lpBuffer=0xe3cfd08) [0101.029] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x88f8320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x33c [0101.030] CloseHandle (hObject=0x33c) returned 1 [0101.030] FindNextFileW (in: hFindFile=0x5c8f50, lpFindFileData=0xe3cfd28 | out: lpFindFileData=0xe3cfd28) returned 1 [0101.030] lstrcmpW (lpString1=".", lpString2="Sun") returned -1 [0101.030] lstrcmpW (lpString1="..", lpString2="Sun") returned -1 [0101.030] lstrcmpiW (lpString1="windows", lpString2="Sun") returned 1 [0101.030] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\*.*" [0101.030] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\*.*") returned 46 [0101.030] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\", lpString2="Sun" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\Sun") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\Sun" [0101.031] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\Sun", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\Sun\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\Sun\\*.*" [0101.031] GlobalMemoryStatus (in: lpBuffer=0xe3cfd08 | out: lpBuffer=0xe3cfd08) [0101.031] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x88c8250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x33c [0101.032] CloseHandle (hObject=0x33c) returned 1 [0101.032] FindNextFileW (in: hFindFile=0x5c8f50, lpFindFileData=0xe3cfd28 | out: lpFindFileData=0xe3cfd28) returned 0 [0101.032] FindClose (in: hFindFile=0x5c8f50 | out: hFindFile=0x5c8f50) returned 1 Thread: id = 435 os_tid = 0xd1c [0098.488] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\*.*", lpFindFileData=0xe50fd28 | out: lpFindFileData=0xe50fd28) returned 0x10804ec8 [0098.488] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.488] FindNextFileW (in: hFindFile=0x10804ec8, lpFindFileData=0xe50fd28 | out: lpFindFileData=0xe50fd28) returned 1 [0098.488] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.488] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.488] FindNextFileW (in: hFindFile=0x10804ec8, lpFindFileData=0xe50fd28 | out: lpFindFileData=0xe50fd28) returned 1 [0098.492] lstrcpyW (in: lpString1=0x675f90, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\*.*" [0098.492] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\*.*") returned 45 [0098.492] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\How To Restore Files.hta" [0098.492] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\how to restore files.hta")) returned 0xffffffff [0098.492] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 436 os_tid = 0xd2c [0098.493] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0GI1oJfD7KPwXadVyJB\\*.*", lpFindFileData=0xe8cfd28 | out: lpFindFileData=0xe8cfd28) returned 0x10805008 [0098.493] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.493] FindNextFileW (in: hFindFile=0x10805008, lpFindFileData=0xe8cfd28 | out: lpFindFileData=0xe8cfd28) returned 1 [0098.493] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.493] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.493] FindNextFileW (in: hFindFile=0x10805008, lpFindFileData=0xe8cfd28 | out: lpFindFileData=0xe8cfd28) returned 1 [0098.498] lstrcpyW (in: lpString1=0x2cf0140, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0GI1oJfD7KPwXadVyJB\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0GI1oJfD7KPwXadVyJB\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0GI1oJfD7KPwXadVyJB\\*.*" [0098.498] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0GI1oJfD7KPwXadVyJB\\*.*") returned 57 [0098.498] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0GI1oJfD7KPwXadVyJB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0GI1oJfD7KPwXadVyJB\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0GI1oJfD7KPwXadVyJB\\How To Restore Files.hta" [0098.498] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0GI1oJfD7KPwXadVyJB\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\0gi1ojfd7kpwxadvyjb\\how to restore files.hta")) returned 0xffffffff [0098.498] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0GI1oJfD7KPwXadVyJB\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\0gi1ojfd7kpwxadvyjb\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 437 os_tid = 0x148 [0098.499] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\9HgGbh_jCL6ZmFM\\*.*", lpFindFileData=0xea2fd28 | out: lpFindFileData=0xea2fd28) returned 0x10805088 [0098.499] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.499] FindNextFileW (in: hFindFile=0x10805088, lpFindFileData=0xea2fd28 | out: lpFindFileData=0xea2fd28) returned 1 [0098.499] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.499] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.499] FindNextFileW (in: hFindFile=0x10805088, lpFindFileData=0xea2fd28 | out: lpFindFileData=0xea2fd28) returned 1 [0098.504] lstrcpyW (in: lpString1=0x107c0940, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\9HgGbh_jCL6ZmFM\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\9HgGbh_jCL6ZmFM\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\9HgGbh_jCL6ZmFM\\*.*" [0098.504] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\9HgGbh_jCL6ZmFM\\*.*") returned 51 [0098.504] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\9HgGbh_jCL6ZmFM\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\9HgGbh_jCL6ZmFM\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\9HgGbh_jCL6ZmFM\\How To Restore Files.hta" [0098.504] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\9HgGbh_jCL6ZmFM\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9hggbh_jcl6zmfm\\how to restore files.hta")) returned 0xffffffff [0098.504] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Music\\9HgGbh_jCL6ZmFM\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9hggbh_jcl6zmfm\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 438 os_tid = 0xd18 [0098.505] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.007.20033\\*.*", lpFindFileData=0xda0fd28) Thread: id = 439 os_tid = 0x79c [0098.527] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.023.20070\\*.*", lpFindFileData=0xeccfd28) Thread: id = 440 os_tid = 0xd30 [0098.527] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_17.009.20058\\*.*", lpFindFileData=0xee0fd28) Thread: id = 441 os_tid = 0xdd0 [0098.529] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_17.012.20098\\*.*", lpFindFileData=0xf7cfd28) Thread: id = 442 os_tid = 0xd8c [0098.530] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\S\\*.*", lpFindFileData=0xf90fd28 | out: lpFindFileData=0xf90fd28) returned 0x10804988 [0101.037] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.037] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0xf90fd28 | out: lpFindFileData=0xf90fd28) returned 1 [0101.038] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.038] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.038] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0xf90fd28 | out: lpFindFileData=0xf90fd28) returned 0 [0101.038] FindClose (in: hFindFile=0x10804988 | out: hFindFile=0x10804988) returned 1 Thread: id = 443 os_tid = 0xdd8 [0098.530] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\\*.*", lpFindFileData=0xfb8fd28 | out: lpFindFileData=0xfb8fd28) returned 0x10805848 [0101.077] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.077] FindNextFileW (in: hFindFile=0x10805848, lpFindFileData=0xfb8fd28 | out: lpFindFileData=0xfb8fd28) returned 1 [0101.077] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.077] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.077] FindNextFileW (in: hFindFile=0x10805848, lpFindFileData=0xfb8fd28 | out: lpFindFileData=0xfb8fd28) returned 0 [0101.077] FindClose (in: hFindFile=0x10805848 | out: hFindFile=0x10805848) returned 1 Thread: id = 444 os_tid = 0xe20 [0098.530] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\8qeDlOZ\\*.*", lpFindFileData=0xf58fd28 | out: lpFindFileData=0xf58fd28) returned 0x108050c8 [0098.530] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.531] FindNextFileW (in: hFindFile=0x108050c8, lpFindFileData=0xf58fd28 | out: lpFindFileData=0xf58fd28) returned 1 [0098.531] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.531] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.531] FindNextFileW (in: hFindFile=0x108050c8, lpFindFileData=0xf58fd28 | out: lpFindFileData=0xf58fd28) returned 1 [0098.531] lstrcpyW (in: lpString1=0x3e2f378, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\8qeDlOZ\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\8qeDlOZ\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\8qeDlOZ\\*.*" [0098.531] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\8qeDlOZ\\*.*") returned 47 [0098.531] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\8qeDlOZ\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\8qeDlOZ\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\8qeDlOZ\\How To Restore Files.hta" [0098.531] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\8qeDlOZ\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\8qedloz\\how to restore files.hta")) returned 0xffffffff [0098.531] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Documents\\8qeDlOZ\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\8qedloz\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 445 os_tid = 0xdcc [0098.531] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\bin\\*.*", lpFindFileData=0x1054fd28 | out: lpFindFileData=0x1054fd28) returned 0x10804c88 [0098.593] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.593] FindNextFileW (in: hFindFile=0x10804c88, lpFindFileData=0x1054fd28 | out: lpFindFileData=0x1054fd28) returned 1 [0098.593] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.593] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.593] FindNextFileW (in: hFindFile=0x10804c88, lpFindFileData=0x1054fd28 | out: lpFindFileData=0x1054fd28) returned 1 [0098.594] lstrcpyW (in: lpString1=0x21038570, lpString2="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\bin\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\bin\\*.*") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\bin\\*.*" [0098.594] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\bin\\*.*") returned 46 [0098.594] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\bin\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\bin\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\bin\\How To Restore Files.hta" [0098.594] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\bin\\How To Restore Files.hta" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\how to restore files.hta")) returned 0xffffffff [0098.594] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\bin\\How To Restore Files.hta" (normalized: "c:\\program files\\java\\jre1.8.0_131\\bin\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 446 os_tid = 0xdec [0098.532] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\images\\*.*", lpFindFileData=0xe04fd28 | out: lpFindFileData=0xe04fd28) returned 0x108049c8 [0098.532] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.532] FindNextFileW (in: hFindFile=0x108049c8, lpFindFileData=0xe04fd28 | out: lpFindFileData=0xe04fd28) returned 1 [0098.532] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.532] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.532] FindNextFileW (in: hFindFile=0x108049c8, lpFindFileData=0xe04fd28 | out: lpFindFileData=0xe04fd28) returned 0 [0098.532] FindClose (in: hFindFile=0x108049c8 | out: hFindFile=0x108049c8) returned 1 Thread: id = 447 os_tid = 0xda8 [0098.534] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\*.*", lpFindFileData=0x1165fd28 | out: lpFindFileData=0x1165fd28) returned 0x108049c8 [0098.534] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.534] FindNextFileW (in: hFindFile=0x108049c8, lpFindFileData=0x1165fd28 | out: lpFindFileData=0x1165fd28) returned 1 [0098.534] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.534] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.534] FindNextFileW (in: hFindFile=0x108049c8, lpFindFileData=0x1165fd28 | out: lpFindFileData=0x1165fd28) returned 1 [0098.534] lstrcpyW (in: lpString1=0x3e37380, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\*.*" [0098.534] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\*.*") returned 55 [0098.534] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\How To Restore Files.hta" [0098.535] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\internet explorer\\signup\\how to restore files.hta")) returned 0xffffffff [0098.535] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\internet explorer\\signup\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 448 os_tid = 0xc68 [0098.535] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*", lpFindFileData=0xd28fd28 | out: lpFindFileData=0xd28fd28) returned 0x10804c88 [0098.567] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.567] FindNextFileW (in: hFindFile=0x10804c88, lpFindFileData=0xd28fd28 | out: lpFindFileData=0xd28fd28) returned 1 [0098.567] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.567] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.568] FindNextFileW (in: hFindFile=0x10804c88, lpFindFileData=0xd28fd28 | out: lpFindFileData=0xd28fd28) returned 1 [0098.568] lstrcmpW (lpString1=".", lpString2="v3.0") returned -1 [0098.568] lstrcmpW (lpString1="..", lpString2="v3.0") returned -1 [0098.568] lstrcmpiW (lpString1="windows", lpString2="v3.0") returned 1 [0098.568] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*" [0098.568] lstrlenW (lpString="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*") returned 70 [0098.568] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\", lpString2="v3.0" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0" [0098.568] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*" [0098.568] GlobalMemoryStatus (in: lpBuffer=0xd28fd08 | out: lpBuffer=0xd28fd08) [0098.568] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x3e47390, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4b8 [0098.569] CloseHandle (hObject=0x4b8) returned 1 [0098.569] FindNextFileW (in: hFindFile=0x10804c88, lpFindFileData=0xd28fd28 | out: lpFindFileData=0xd28fd28) returned 1 [0098.569] lstrcmpW (lpString1=".", lpString2="v3.5") returned -1 [0098.569] lstrcmpW (lpString1="..", lpString2="v3.5") returned -1 [0098.569] lstrcmpiW (lpString1="windows", lpString2="v3.5") returned 1 [0098.574] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*" [0098.574] lstrlenW (lpString="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*") returned 70 [0098.574] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\", lpString2="v3.5" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5" [0098.574] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*" [0098.574] GlobalMemoryStatus (in: lpBuffer=0xd28fd08 | out: lpBuffer=0xd28fd08) [0098.575] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x217fa528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4b8 [0098.575] CloseHandle (hObject=0x4b8) returned 1 [0098.575] FindNextFileW (in: hFindFile=0x10804c88, lpFindFileData=0xd28fd28 | out: lpFindFileData=0xd28fd28) returned 0 [0098.575] FindClose (in: hFindFile=0x10804c88 | out: hFindFile=0x10804c88) returned 1 Thread: id = 449 os_tid = 0x924 [0098.536] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\*.*", lpFindFileData=0x1179fd28 | out: lpFindFileData=0x1179fd28) returned 0x10804988 [0101.040] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.040] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0x1179fd28 | out: lpFindFileData=0x1179fd28) returned 1 [0101.040] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.040] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.040] FindNextFileW (in: hFindFile=0x10804988, lpFindFileData=0x1179fd28 | out: lpFindFileData=0x1179fd28) returned 1 [0101.040] lstrcpyW (in: lpString1=0x59a80b0, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\*.*" [0101.040] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\*.*") returned 50 [0101.040] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\How To Restore Files.hta" [0101.040] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\camera roll\\how to restore files.hta")) returned 0xffffffff [0101.040] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\camera roll\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 450 os_tid = 0xadc [0098.536] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\*.*", lpFindFileData=0x11a1fd28 | out: lpFindFileData=0x11a1fd28) returned 0x10804b08 [0098.537] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.537] FindNextFileW (in: hFindFile=0x10804b08, lpFindFileData=0x11a1fd28 | out: lpFindFileData=0x11a1fd28) returned 1 [0098.537] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.537] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.537] FindNextFileW (in: hFindFile=0x10804b08, lpFindFileData=0x11a1fd28 | out: lpFindFileData=0x11a1fd28) returned 1 [0098.537] lstrcmpW (lpString1=".", lpString2="v3.0") returned -1 [0098.537] lstrcmpW (lpString1="..", lpString2="v3.0") returned -1 [0098.537] lstrcmpiW (lpString1="windows", lpString2="v3.0") returned 1 [0098.537] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\*.*" [0098.537] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\*.*") returned 65 [0098.537] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\", lpString2="v3.0" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0" [0098.537] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0098.537] GlobalMemoryStatus (in: lpBuffer=0x11a1fd08 | out: lpBuffer=0x11a1fd08) [0098.537] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8de17e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4e0 [0098.538] CloseHandle (hObject=0x4e0) returned 1 [0098.538] FindNextFileW (in: hFindFile=0x10804b08, lpFindFileData=0x11a1fd28 | out: lpFindFileData=0x11a1fd28) returned 1 [0098.538] lstrcmpW (lpString1=".", lpString2="v3.5") returned -1 [0098.538] lstrcmpW (lpString1="..", lpString2="v3.5") returned -1 [0098.538] lstrcmpiW (lpString1="windows", lpString2="v3.5") returned 1 [0098.538] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\*.*" [0098.538] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\*.*") returned 65 [0098.538] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\", lpString2="v3.5" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5" [0098.538] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0098.538] GlobalMemoryStatus (in: lpBuffer=0x11a1fd08 | out: lpBuffer=0x11a1fd08) [0098.538] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11227228, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4e0 [0098.539] CloseHandle (hObject=0x4e0) returned 1 [0098.539] FindNextFileW (in: hFindFile=0x10804b08, lpFindFileData=0x11a1fd28 | out: lpFindFileData=0x11a1fd28) returned 0 [0098.539] FindClose (in: hFindFile=0x10804b08 | out: hFindFile=0x10804b08) returned 1 Thread: id = 451 os_tid = 0xd78 [0098.544] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\*.*", lpFindFileData=0x11b5fd28 | out: lpFindFileData=0x11b5fd28) returned 0x10804b08 [0098.544] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.545] FindNextFileW (in: hFindFile=0x10804b08, lpFindFileData=0x11b5fd28 | out: lpFindFileData=0x11b5fd28) returned 1 [0098.545] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.545] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.545] FindNextFileW (in: hFindFile=0x10804b08, lpFindFileData=0x11b5fd28 | out: lpFindFileData=0x11b5fd28) returned 1 [0098.545] lstrcpyW (in: lpString1=0x89b8660, lpString2="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\*.*" [0098.545] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\*.*") returned 53 [0098.545] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\How To Restore Files.hta" [0098.545] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows nt\\accessories\\en-us\\how to restore files.hta")) returned 0xffffffff [0098.545] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows nt\\accessories\\en-us\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 452 os_tid = 0x618 [0098.545] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\*.*", lpFindFileData=0x407fd28) Thread: id = 453 os_tid = 0x8a4 [0098.546] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore\\*.*", lpFindFileData=0x41bfd28) Thread: id = 454 os_tid = 0xdac [0098.546] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\*.*", lpFindFileData=0x4f8fd28 | out: lpFindFileData=0x4f8fd28) returned 0x10804b48 [0098.546] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.546] FindNextFileW (in: hFindFile=0x10804b48, lpFindFileData=0x4f8fd28 | out: lpFindFileData=0x4f8fd28) returned 1 [0098.546] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.546] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.546] FindNextFileW (in: hFindFile=0x10804b48, lpFindFileData=0x4f8fd28 | out: lpFindFileData=0x4f8fd28) returned 1 [0098.547] lstrcpyW (in: lpString1=0x89c0668, lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\*.*" [0098.547] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\*.*") returned 58 [0098.547] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\How To Restore Files.hta" [0098.547] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows nt\\tabletextservice\\en-us\\how to restore files.hta")) returned 0xffffffff [0098.547] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\windows nt\\tabletextservice\\en-us\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 455 os_tid = 0xdb0 [0098.548] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*", lpFindFileData=0x50cfd28 | out: lpFindFileData=0x50cfd28) returned 0x10805508 [0101.054] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.054] FindNextFileW (in: hFindFile=0x10805508, lpFindFileData=0x50cfd28 | out: lpFindFileData=0x50cfd28) returned 1 [0101.054] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.054] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.054] FindNextFileW (in: hFindFile=0x10805508, lpFindFileData=0x50cfd28 | out: lpFindFileData=0x50cfd28) returned 1 [0101.054] lstrcpyW (in: lpString1=0x59b00b8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0101.055] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0101.055] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\How To Restore Files.hta" [0101.055] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\how to restore files.hta")) returned 0xffffffff [0101.055] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.055] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x50cfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x50cfcf0, lpOverlapped=0x0) returned 0 [0101.055] CloseHandle (hObject=0xffffffff) returned 1 [0101.055] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.056] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AcroPDF.dll") returned 1 [0101.056] lstrlenW (lpString="AcroPDF.dll") returned 11 [0101.056] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0101.056] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0101.056] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.dll" [0101.056] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.dll" [0101.056] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.dll id-Br3n0G72wUb8CejT.LyaS" [0101.056] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.dll" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.057] FindNextFileW (in: hFindFile=0x10805508, lpFindFileData=0x50cfd28 | out: lpFindFileData=0x50cfd28) returned 1 [0101.058] lstrcpyW (in: lpString1=0x59b00b8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0101.058] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0101.058] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\How To Restore Files.hta" [0101.058] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\how to restore files.hta")) returned 0xffffffff [0101.058] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.058] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x50cfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x50cfcf0, lpOverlapped=0x0) returned 0 [0101.058] CloseHandle (hObject=0xffffffff) returned 1 [0101.058] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.059] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AcroPDF64.dll") returned 1 [0101.059] lstrlenW (lpString="AcroPDF64.dll") returned 13 [0101.059] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0101.059] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0101.059] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF64.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF64.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF64.dll" [0101.059] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF64.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF64.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF64.dll" [0101.059] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF64.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF64.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF64.dll id-Br3n0G72wUb8CejT.LyaS" [0101.059] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF64.dll" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf64.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF64.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf64.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.061] FindNextFileW (in: hFindFile=0x10805508, lpFindFileData=0x50cfd28 | out: lpFindFileData=0x50cfd28) returned 1 [0101.061] lstrcpyW (in: lpString1=0x59b00b8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0101.061] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0101.061] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\How To Restore Files.hta" [0101.061] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\how to restore files.hta")) returned 0xffffffff [0101.061] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.062] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x50cfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x50cfcf0, lpOverlapped=0x0) returned 0 [0101.062] CloseHandle (hObject=0xffffffff) returned 1 [0101.062] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.062] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AcroPDFImpl.dll") returned 1 [0101.062] lstrlenW (lpString="AcroPDFImpl.dll") returned 15 [0101.062] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0101.062] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0101.062] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDFImpl.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl.dll" [0101.062] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl.dll" [0101.062] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl.dll id-Br3n0G72wUb8CejT.LyaS" [0101.062] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl.dll" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdfimpl.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdfimpl.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.063] FindNextFileW (in: hFindFile=0x10805508, lpFindFileData=0x50cfd28 | out: lpFindFileData=0x50cfd28) returned 1 [0101.063] lstrcpyW (in: lpString1=0x59b00b8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0101.063] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0101.063] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\How To Restore Files.hta" [0101.063] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\how to restore files.hta")) returned 0xffffffff [0101.063] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.063] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x50cfcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x50cfcf0, lpOverlapped=0x0) returned 0 [0101.063] CloseHandle (hObject=0xffffffff) returned 1 [0101.063] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.063] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AcroPDFImpl64.dll") returned 1 [0101.063] lstrlenW (lpString="AcroPDFImpl64.dll") returned 17 [0101.064] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0101.064] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0101.064] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDFImpl64.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl64.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl64.dll" [0101.064] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl64.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl64.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl64.dll" [0101.064] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl64.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl64.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl64.dll id-Br3n0G72wUb8CejT.LyaS" [0101.064] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl64.dll" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdfimpl64.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl64.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdfimpl64.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.067] FindNextFileW (in: hFindFile=0x10805508, lpFindFileData=0x50cfd28 | out: lpFindFileData=0x50cfd28) returned 0 [0101.067] FindClose (in: hFindFile=0x10805508 | out: hFindFile=0x10805508) returned 1 Thread: id = 456 os_tid = 0xdb4 [0098.549] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*", lpFindFileData=0x548fd28 | out: lpFindFileData=0x548fd28) returned 0x10804b88 [0098.550] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.550] FindNextFileW (in: hFindFile=0x10804b88, lpFindFileData=0x548fd28 | out: lpFindFileData=0x548fd28) returned 1 [0098.550] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.550] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.550] FindNextFileW (in: hFindFile=0x10804b88, lpFindFileData=0x548fd28 | out: lpFindFileData=0x548fd28) returned 1 [0098.554] lstrcpyW (in: lpString1=0x21000550, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*" [0098.554] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*") returned 57 [0098.554] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\How To Restore Files.hta" [0098.554] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\how to restore files.hta")) returned 0xffffffff [0098.554] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 457 os_tid = 0xcbc [0098.555] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\*.*", lpFindFileData=0x534fd28) Thread: id = 458 os_tid = 0xd04 [0098.556] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\*.*", lpFindFileData=0x570fd28 | out: lpFindFileData=0x570fd28) returned 0x10804c08 [0098.556] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.556] FindNextFileW (in: hFindFile=0x10804c08, lpFindFileData=0x570fd28 | out: lpFindFileData=0x570fd28) returned 1 [0098.556] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.556] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.556] FindNextFileW (in: hFindFile=0x10804c08, lpFindFileData=0x570fd28 | out: lpFindFileData=0x570fd28) returned 1 [0098.556] lstrcmpW (lpString1=".", lpString2="00VOU0EWPYblCrlHdi") returned -1 [0098.556] lstrcmpW (lpString1="..", lpString2="00VOU0EWPYblCrlHdi") returned -1 [0098.556] lstrcmpiW (lpString1="windows", lpString2="00VOU0EWPYblCrlHdi") returned 1 [0098.556] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\*.*" [0098.556] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\*.*") returned 49 [0098.556] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\", lpString2="00VOU0EWPYblCrlHdi" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\00VOU0EWPYblCrlHdi") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\00VOU0EWPYblCrlHdi" [0098.556] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\00VOU0EWPYblCrlHdi", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\00VOU0EWPYblCrlHdi\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\00VOU0EWPYblCrlHdi\\*.*" [0098.556] GlobalMemoryStatus (in: lpBuffer=0x570fd08 | out: lpBuffer=0x570fd08) [0098.556] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8cd13c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4cc [0098.557] CloseHandle (hObject=0x4cc) returned 1 [0098.557] FindNextFileW (in: hFindFile=0x10804c08, lpFindFileData=0x570fd28 | out: lpFindFileData=0x570fd28) returned 1 [0098.557] lstrcpyW (in: lpString1=0x21008558, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\*.*" [0098.557] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\*.*") returned 49 [0098.557] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\How To Restore Files.hta" [0098.557] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\skwq hceu5\\how to restore files.hta")) returned 0xffffffff [0098.558] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\skwq hceu5\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 459 os_tid = 0xc20 [0098.558] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\u8JA\\*.*", lpFindFileData=0x584fd28 | out: lpFindFileData=0x584fd28) returned 0x10804c48 [0098.558] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.558] FindNextFileW (in: hFindFile=0x10804c48, lpFindFileData=0x584fd28 | out: lpFindFileData=0x584fd28) returned 1 [0098.559] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.559] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.559] FindNextFileW (in: hFindFile=0x10804c48, lpFindFileData=0x584fd28 | out: lpFindFileData=0x584fd28) returned 1 [0098.563] lstrcpyW (in: lpString1=0x21030568, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\u8JA\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\u8JA\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\u8JA\\*.*" [0098.563] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\u8JA\\*.*") returned 43 [0098.563] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\u8JA\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\u8JA\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\u8JA\\How To Restore Files.hta" [0098.563] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\u8JA\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\u8ja\\how to restore files.hta")) returned 0xffffffff [0098.564] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\u8JA\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\u8ja\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 460 os_tid = 0xddc [0098.564] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\Java\\jre1.8.0_131\\lib\\*.*", lpFindFileData=0x662fd28) Thread: id = 461 os_tid = 0xdd4 [0098.565] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*", lpFindFileData=0x68cfd28) Thread: id = 462 os_tid = 0xe00 [0098.565] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*.*", lpFindFileData=0x6b4fd28 | out: lpFindFileData=0x6b4fd28) returned 0x10804c88 [0098.565] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.566] FindNextFileW (in: hFindFile=0x10804c88, lpFindFileData=0x6b4fd28 | out: lpFindFileData=0x6b4fd28) returned 1 [0098.566] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.566] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.566] FindNextFileW (in: hFindFile=0x10804c88, lpFindFileData=0x6b4fd28 | out: lpFindFileData=0x6b4fd28) returned 0 [0098.566] FindClose (in: hFindFile=0x10804c88 | out: hFindFile=0x10804c88) returned 1 Thread: id = 463 os_tid = 0x784 [0098.567] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*", lpFindFileData=0x6dcfd28) Thread: id = 464 os_tid = 0xe1c [0098.577] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\*.*", lpFindFileData=0x6f0fd28 | out: lpFindFileData=0x6f0fd28) returned 0x10804c88 [0098.577] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.577] FindNextFileW (in: hFindFile=0x10804c88, lpFindFileData=0x6f0fd28 | out: lpFindFileData=0x6f0fd28) returned 1 [0098.577] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.577] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.577] FindNextFileW (in: hFindFile=0x10804c88, lpFindFileData=0x6f0fd28 | out: lpFindFileData=0x6f0fd28) returned 0 [0098.577] FindClose (in: hFindFile=0x10804c88 | out: hFindFile=0x10804c88) returned 1 Thread: id = 465 os_tid = 0xdb8 [0098.579] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\My Music\\*.*", lpFindFileData=0x704fd28 | out: lpFindFileData=0x704fd28) returned 0xffffffff Thread: id = 466 os_tid = 0xde0 [0098.580] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures\\*.*", lpFindFileData=0x718fd28 | out: lpFindFileData=0x718fd28) returned 0xffffffff Thread: id = 467 os_tid = 0xe3c [0098.582] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\My Videos\\*.*", lpFindFileData=0x918fd28 | out: lpFindFileData=0x918fd28) returned 0xffffffff Thread: id = 468 os_tid = 0xe04 [0098.583] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*", lpFindFileData=0xb34fd28 | out: lpFindFileData=0xb34fd28) returned 0x10804c88 [0098.583] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.583] FindNextFileW (in: hFindFile=0x10804c88, lpFindFileData=0xb34fd28 | out: lpFindFileData=0xb34fd28) returned 1 [0098.583] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.583] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.583] FindNextFileW (in: hFindFile=0x10804c88, lpFindFileData=0xb34fd28 | out: lpFindFileData=0xb34fd28) returned 1 [0098.583] lstrcmpW (lpString1=".", lpString2="Application Data") returned -1 [0098.583] lstrcmpW (lpString1="..", lpString2="Application Data") returned -1 [0098.583] lstrcmpiW (lpString1="windows", lpString2="Application Data") returned 1 [0098.583] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" [0098.583] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned 38 [0098.583] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\", lpString2="Application Data" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data" [0098.583] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data\\*.*" [0098.583] GlobalMemoryStatus (in: lpBuffer=0xb34fd08 | out: lpBuffer=0xb34fd08) [0098.584] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5a58390, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4b8 [0098.584] CloseHandle (hObject=0x4b8) returned 1 [0098.584] FindNextFileW (in: hFindFile=0x10804c88, lpFindFileData=0xb34fd28 | out: lpFindFileData=0xb34fd28) returned 1 [0098.584] lstrcmpW (lpString1=".", lpString2="History") returned -1 [0098.584] lstrcmpW (lpString1="..", lpString2="History") returned -1 [0098.585] lstrcmpiW (lpString1="windows", lpString2="History") returned 1 [0098.585] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" [0098.585] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned 38 [0098.585] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\", lpString2="History" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History" [0098.585] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History\\*.*" [0098.585] GlobalMemoryStatus (in: lpBuffer=0xb34fd08 | out: lpBuffer=0xb34fd08) [0098.585] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10bd96e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4b8 [0098.586] CloseHandle (hObject=0x4b8) returned 1 [0098.586] FindNextFileW (in: hFindFile=0x10804c88, lpFindFileData=0xb34fd28 | out: lpFindFileData=0xb34fd28) returned 1 [0098.586] lstrcmpW (lpString1=".", lpString2="Microsoft") returned -1 [0098.586] lstrcmpW (lpString1="..", lpString2="Microsoft") returned -1 [0098.586] lstrcmpiW (lpString1="windows", lpString2="Microsoft") returned 1 [0098.586] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" [0098.586] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned 38 [0098.586] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\", lpString2="Microsoft" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft" [0098.586] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\*.*" [0098.586] GlobalMemoryStatus (in: lpBuffer=0xb34fd08 | out: lpBuffer=0xb34fd08) [0098.586] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8c89290, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4b8 [0098.587] CloseHandle (hObject=0x4b8) returned 1 [0098.587] FindNextFileW (in: hFindFile=0x10804c88, lpFindFileData=0xb34fd28 | out: lpFindFileData=0xb34fd28) returned 1 [0098.587] lstrcmpW (lpString1=".", lpString2="Temp") returned -1 [0098.587] lstrcmpW (lpString1="..", lpString2="Temp") returned -1 [0098.587] lstrcmpiW (lpString1="windows", lpString2="Temp") returned 1 [0098.587] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" [0098.587] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned 38 [0098.587] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\", lpString2="Temp" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp" [0098.587] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\*.*" [0098.587] GlobalMemoryStatus (in: lpBuffer=0xb34fd08 | out: lpBuffer=0xb34fd08) [0098.587] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x106683f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4b8 [0098.588] CloseHandle (hObject=0x4b8) returned 1 [0098.588] FindNextFileW (in: hFindFile=0x10804c88, lpFindFileData=0xb34fd28 | out: lpFindFileData=0xb34fd28) returned 1 [0098.588] lstrcmpW (lpString1=".", lpString2="Temporary Internet Files") returned -1 [0098.588] lstrcmpW (lpString1="..", lpString2="Temporary Internet Files") returned -1 [0098.588] lstrcmpiW (lpString1="windows", lpString2="Temporary Internet Files") returned 1 [0098.588] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" [0098.588] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned 38 [0098.588] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\", lpString2="Temporary Internet Files" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files" [0098.588] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*.*" [0098.588] GlobalMemoryStatus (in: lpBuffer=0xb34fd08 | out: lpBuffer=0xb34fd08) [0098.589] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5d0feb0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4b8 [0098.589] CloseHandle (hObject=0x4b8) returned 1 [0098.590] FindNextFileW (in: hFindFile=0x10804c88, lpFindFileData=0xb34fd28 | out: lpFindFileData=0xb34fd28) returned 0 [0098.590] FindClose (in: hFindFile=0x10804c88 | out: hFindFile=0x10804c88) returned 1 Thread: id = 469 os_tid = 0xe48 [0098.591] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*.*", lpFindFileData=0xb48fd28 | out: lpFindFileData=0xb48fd28) returned 0x108054c8 [0101.053] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.053] FindNextFileW (in: hFindFile=0x108054c8, lpFindFileData=0xb48fd28 | out: lpFindFileData=0xb48fd28) returned 1 [0101.053] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.053] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.053] FindNextFileW (in: hFindFile=0x108054c8, lpFindFileData=0xb48fd28 | out: lpFindFileData=0xb48fd28) returned 1 [0101.053] lstrcmpW (lpString1=".", lpString2="Microsoft") returned -1 [0101.053] lstrcmpW (lpString1="..", lpString2="Microsoft") returned -1 [0101.053] lstrcmpiW (lpString1="windows", lpString2="Microsoft") returned 1 [0101.053] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*.*" [0101.053] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*.*") returned 40 [0101.053] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\", lpString2="Microsoft" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft" [0101.054] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*" [0101.054] GlobalMemoryStatus (in: lpBuffer=0xb48fd08 | out: lpBuffer=0xb48fd08) [0101.054] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21619d08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x390 [0101.060] CloseHandle (hObject=0x390) returned 1 [0101.060] FindNextFileW (in: hFindFile=0x108054c8, lpFindFileData=0xb48fd28 | out: lpFindFileData=0xb48fd28) returned 0 [0101.060] FindClose (in: hFindFile=0x108054c8 | out: hFindFile=0x108054c8) returned 1 Thread: id = 470 os_tid = 0xe68 [0098.592] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\*.*", lpFindFileData=0xb5cfd28) Thread: id = 471 os_tid = 0xe74 [0098.592] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*", lpFindFileData=0xb70fd28) Thread: id = 472 os_tid = 0x518 [0098.593] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*", lpFindFileData=0xb84fd28) Thread: id = 473 os_tid = 0x4f8 [0098.595] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*.*", lpFindFileData=0x11f5fd28) Thread: id = 474 os_tid = 0xd94 [0098.596] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles\\*.*", lpFindFileData=0x1209fd28) Thread: id = 475 os_tid = 0xe6c [0098.596] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\*.*", lpFindFileData=0x121dfd28) Thread: id = 476 os_tid = 0x860 [0098.596] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\*.*", lpFindFileData=0x12ddfd28 | out: lpFindFileData=0x12ddfd28) returned 0x108053c8 [0098.598] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.598] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x12ddfd28 | out: lpFindFileData=0x12ddfd28) returned 1 [0098.598] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.598] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.598] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x12ddfd28 | out: lpFindFileData=0x12ddfd28) returned 1 [0098.598] lstrcmpW (lpString1=".", lpString2="1.0.0.0") returned -1 [0098.598] lstrcmpW (lpString1="..", lpString2="1.0.0.0") returned -1 [0098.598] lstrcmpiW (lpString1="windows", lpString2="1.0.0.0") returned 1 [0098.598] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\*.*" [0098.598] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\*.*") returned 68 [0098.598] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\", lpString2="1.0.0.0" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0" [0098.598] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0\\*.*" [0098.598] GlobalMemoryStatus (in: lpBuffer=0x12ddfd08 | out: lpBuffer=0x12ddfd08) [0098.598] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10bc1680, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4b8 [0098.599] CloseHandle (hObject=0x4b8) returned 1 [0098.599] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x12ddfd28 | out: lpFindFileData=0x12ddfd28) returned 0 [0098.599] FindClose (in: hFindFile=0x108053c8 | out: hFindFile=0x108053c8) returned 1 Thread: id = 477 os_tid = 0xff4 [0098.601] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\*.*", lpFindFileData=0x13f5fd28 | out: lpFindFileData=0x13f5fd28) returned 0x2c9ea08 [0098.861] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.861] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0x13f5fd28 | out: lpFindFileData=0x13f5fd28) returned 1 [0098.861] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.861] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.861] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0x13f5fd28 | out: lpFindFileData=0x13f5fd28) returned 1 [0098.861] lstrcmpW (lpString1=".", lpString2="3.3.5") returned -1 [0098.861] lstrcmpW (lpString1="..", lpString2="3.3.5") returned -1 [0098.861] lstrcmpiW (lpString1="windows", lpString2="3.3.5") returned 1 [0100.763] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\*.*" [0100.763] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\*.*") returned 57 [0100.763] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\", lpString2="3.3.5" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5" [0100.763] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\*.*" [0100.763] GlobalMemoryStatus (in: lpBuffer=0x13f5fd08 | out: lpBuffer=0x13f5fd08) [0100.763] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21c93730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x674 [0100.764] CloseHandle (hObject=0x674) returned 1 [0100.764] FindNextFileW (in: hFindFile=0x2c9ea08, lpFindFileData=0x13f5fd28 | out: lpFindFileData=0x13f5fd28) returned 0 [0100.764] FindClose (in: hFindFile=0x2c9ea08 | out: hFindFile=0x2c9ea08) returned 1 Thread: id = 478 os_tid = 0xcf4 [0098.602] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\*.*", lpFindFileData=0x198dfd28 | out: lpFindFileData=0x198dfd28) returned 0x5c8dd0 [0100.908] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.908] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x198dfd28 | out: lpFindFileData=0x198dfd28) returned 1 [0100.909] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0100.909] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.909] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x198dfd28 | out: lpFindFileData=0x198dfd28) returned 1 [0100.909] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0100.909] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0100.909] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0100.909] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\*.*" [0100.909] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\*.*") returned 64 [0100.909] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\en-US") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\en-US" [0100.909] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\en-US\\*.*" [0100.909] GlobalMemoryStatus (in: lpBuffer=0x198dfd08 | out: lpBuffer=0x198dfd08) [0100.909] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x110d6c78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4b8 [0100.910] CloseHandle (hObject=0x4b8) returned 1 [0100.910] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x198dfd28 | out: lpFindFileData=0x198dfd28) returned 1 [0101.017] lstrcpyW (in: lpString1=0x21170910, lpString2="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\*.*" [0101.017] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\*.*") returned 64 [0101.017] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\How To Restore Files.hta" [0101.017] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\How To Restore Files.hta" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\how to restore files.hta")) returned 0xffffffff [0101.017] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\How To Restore Files.hta" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 479 os_tid = 0xa94 [0098.603] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\*.*", lpFindFileData=0x19a1fd28 | out: lpFindFileData=0x19a1fd28) returned 0x2c9e9c8 [0098.860] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.860] FindNextFileW (in: hFindFile=0x2c9e9c8, lpFindFileData=0x19a1fd28 | out: lpFindFileData=0x19a1fd28) returned 1 [0098.860] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.860] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.860] FindNextFileW (in: hFindFile=0x2c9e9c8, lpFindFileData=0x19a1fd28 | out: lpFindFileData=0x19a1fd28) returned 1 [0098.861] lstrcmpW (lpString1=".", lpString2="1.1") returned -1 [0098.861] lstrcmpW (lpString1="..", lpString2="1.1") returned -1 [0098.861] lstrcmpiW (lpString1="windows", lpString2="1.1") returned 1 [0100.765] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\*.*" [0100.765] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\*.*") returned 61 [0100.765] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\", lpString2="1.1" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1" [0100.765] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\*.*" [0100.765] GlobalMemoryStatus (in: lpBuffer=0x19a1fd08 | out: lpBuffer=0x19a1fd08) [0100.765] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x105c0118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4bc [0100.766] CloseHandle (hObject=0x4bc) returned 1 [0100.766] FindNextFileW (in: hFindFile=0x2c9e9c8, lpFindFileData=0x19a1fd28 | out: lpFindFileData=0x19a1fd28) returned 0 [0100.766] FindClose (in: hFindFile=0x2c9e9c8 | out: hFindFile=0x2c9e9c8) returned 1 Thread: id = 480 os_tid = 0xae0 [0098.603] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\packages\\*.*", lpFindFileData=0x1cfdfd28 | out: lpFindFileData=0x1cfdfd28) returned 0x10805848 [0101.078] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.078] FindNextFileW (in: hFindFile=0x10805848, lpFindFileData=0x1cfdfd28 | out: lpFindFileData=0x1cfdfd28) returned 1 [0101.078] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.078] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.078] FindNextFileW (in: hFindFile=0x10805848, lpFindFileData=0x1cfdfd28 | out: lpFindFileData=0x1cfdfd28) returned 1 [0101.078] lstrcmpW (lpString1=".", lpString2="vcRuntimeAdditional_x86") returned -1 [0101.078] lstrcmpW (lpString1="..", lpString2="vcRuntimeAdditional_x86") returned -1 [0101.078] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeAdditional_x86") returned 1 [0101.078] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\packages\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\packages\\*.*" [0101.078] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\packages\\*.*") returned 95 [0101.078] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\packages\\", lpString2="vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\packages\\vcRuntimeAdditional_x86" [0101.078] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\packages\\vcRuntimeAdditional_x86", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\packages\\vcRuntimeAdditional_x86\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\packages\\vcRuntimeAdditional_x86\\*.*" [0101.078] GlobalMemoryStatus (in: lpBuffer=0x1cfdfd08 | out: lpBuffer=0x1cfdfd08) [0101.079] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x60ede8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x390 [0101.079] CloseHandle (hObject=0x390) returned 1 [0101.079] FindNextFileW (in: hFindFile=0x10805848, lpFindFileData=0x1cfdfd28 | out: lpFindFileData=0x1cfdfd28) returned 0 [0101.079] FindClose (in: hFindFile=0x10805848 | out: hFindFile=0x10805848) returned 1 Thread: id = 481 os_tid = 0xc04 [0098.604] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*.*", lpFindFileData=0x1d0dfd28) Thread: id = 482 os_tid = 0xff0 [0098.604] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*.*", lpFindFileData=0x1d1dfd28) Thread: id = 483 os_tid = 0x114 [0098.605] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*", lpFindFileData=0x1d31fd28) Thread: id = 484 os_tid = 0xf94 [0098.606] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*", lpFindFileData=0x1d45fd28) Thread: id = 485 os_tid = 0xf98 [0098.606] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*", lpFindFileData=0x1d59fd28) Thread: id = 486 os_tid = 0xee8 [0098.607] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*", lpFindFileData=0x1d6dfd28) Thread: id = 487 os_tid = 0xf54 [0098.607] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*", lpFindFileData=0x1d81fd28) Thread: id = 488 os_tid = 0xedc [0098.608] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*", lpFindFileData=0x1d95fd28) Thread: id = 489 os_tid = 0xef0 [0098.609] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*", lpFindFileData=0x1da9fd28) Thread: id = 490 os_tid = 0xee0 [0098.609] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\\packages\\*.*", lpFindFileData=0x1dbdfd28) Thread: id = 491 os_tid = 0xed0 [0098.610] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*", lpFindFileData=0x1dd1fd28) Thread: id = 492 os_tid = 0xed4 [0098.610] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*", lpFindFileData=0x1de5fd28) Thread: id = 493 os_tid = 0xf04 [0098.611] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*", lpFindFileData=0x1e01fd28) Thread: id = 494 os_tid = 0x3c0 [0098.611] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*", lpFindFileData=0x1e15fd28) Thread: id = 495 os_tid = 0xdf4 [0098.615] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*", lpFindFileData=0x1e39fd28 | out: lpFindFileData=0x1e39fd28) returned 0x10805288 [0098.715] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.715] FindNextFileW (in: hFindFile=0x10805288, lpFindFileData=0x1e39fd28 | out: lpFindFileData=0x1e39fd28) returned 1 [0098.715] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.716] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.716] FindNextFileW (in: hFindFile=0x10805288, lpFindFileData=0x1e39fd28 | out: lpFindFileData=0x1e39fd28) returned 1 [0100.867] lstrcpyW (in: lpString1=0x21d13940, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0100.867] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0100.867] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" [0100.867] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\how to restore files.hta")) returned 0xffffffff [0100.868] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0101.417] WriteFile (in: hFile=0x5a0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1e39fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1e39fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0101.419] CloseHandle (hObject=0x5a0) returned 1 [0101.419] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0101.420] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="adojavas.inc") returned 1 [0101.420] lstrlenW (lpString="adojavas.inc") returned 12 [0101.420] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.421] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.421] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="adojavas.inc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adojavas.inc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adojavas.inc" [0101.421] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adojavas.inc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adojavas.inc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adojavas.inc" [0101.421] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adojavas.inc", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adojavas.inc id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adojavas.inc id-Br3n0G72wUb8CejT.LyaS" [0101.421] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\adojavas.inc"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adojavas.inc id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\adojavas.inc id-br3n0g72wub8cejt.lyas")) returned 0 [0101.421] FindNextFileW (in: hFindFile=0x10805288, lpFindFileData=0x1e39fd28 | out: lpFindFileData=0x1e39fd28) returned 1 [0101.421] lstrcpyW (in: lpString1=0x21d13940, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.421] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.422] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" [0101.422] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0101.422] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="adovbs.inc") returned 1 [0101.422] lstrlenW (lpString="adovbs.inc") returned 10 [0101.422] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.422] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.422] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="adovbs.inc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adovbs.inc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adovbs.inc" [0101.422] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adovbs.inc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adovbs.inc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adovbs.inc" [0101.422] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adovbs.inc", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adovbs.inc id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adovbs.inc id-Br3n0G72wUb8CejT.LyaS" [0101.422] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\adovbs.inc"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adovbs.inc id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\adovbs.inc id-br3n0g72wub8cejt.lyas")) returned 0 [0101.423] FindNextFileW (in: hFindFile=0x10805288, lpFindFileData=0x1e39fd28 | out: lpFindFileData=0x1e39fd28) returned 1 [0101.423] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0101.423] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0101.423] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0101.423] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.423] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.423] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US" [0101.423] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\*.*" [0101.423] GlobalMemoryStatus (in: lpBuffer=0x1e39fd08 | out: lpBuffer=0x1e39fd08) [0101.423] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x216f20b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5a0 [0101.424] CloseHandle (hObject=0x5a0) returned 1 [0101.424] FindNextFileW (in: hFindFile=0x10805288, lpFindFileData=0x1e39fd28 | out: lpFindFileData=0x1e39fd28) returned 1 [0101.424] lstrcpyW (in: lpString1=0x21d13940, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.424] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.425] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" [0101.425] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0101.425] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msader15.dll") returned -1 [0101.425] lstrlenW (lpString="msader15.dll") returned 12 [0101.425] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.425] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.425] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msader15.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msader15.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msader15.dll" [0101.425] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msader15.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msader15.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msader15.dll" [0101.425] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msader15.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msader15.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msader15.dll id-Br3n0G72wUb8CejT.LyaS" [0101.425] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msader15.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msader15.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msader15.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msader15.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.426] FindNextFileW (in: hFindFile=0x10805288, lpFindFileData=0x1e39fd28 | out: lpFindFileData=0x1e39fd28) returned 1 [0101.426] lstrcpyW (in: lpString1=0x21d13940, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.426] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.426] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" [0101.426] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0101.426] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msado15.dll") returned -1 [0101.426] lstrlenW (lpString="msado15.dll") returned 11 [0101.426] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.426] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.426] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msado15.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll" [0101.427] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll" [0101.427] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll id-Br3n0G72wUb8CejT.LyaS" [0101.427] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado15.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado15.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.451] FindNextFileW (in: hFindFile=0x10805288, lpFindFileData=0x1e39fd28 | out: lpFindFileData=0x1e39fd28) returned 1 [0101.451] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.451] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.451] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" [0101.451] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0101.451] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msado20.tlb") returned -1 [0101.451] lstrlenW (lpString="msado20.tlb") returned 11 [0101.452] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.452] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.452] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msado20.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado20.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado20.tlb" [0101.452] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado20.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado20.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado20.tlb" [0101.452] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado20.tlb", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado20.tlb id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado20.tlb id-Br3n0G72wUb8CejT.LyaS" [0101.452] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado20.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado20.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado20.tlb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado20.tlb id-br3n0g72wub8cejt.lyas")) returned 0 [0101.453] FindNextFileW (in: hFindFile=0x10805288, lpFindFileData=0x1e39fd28 | out: lpFindFileData=0x1e39fd28) returned 1 [0101.453] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.453] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.453] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" [0101.453] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0101.453] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msado21.tlb") returned -1 [0101.453] lstrlenW (lpString="msado21.tlb") returned 11 [0101.453] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.453] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.454] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msado21.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado21.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado21.tlb" [0101.454] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado21.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado21.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado21.tlb" [0101.454] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado21.tlb", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado21.tlb id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado21.tlb id-Br3n0G72wUb8CejT.LyaS" [0101.454] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado21.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado21.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado21.tlb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado21.tlb id-br3n0g72wub8cejt.lyas")) returned 0 [0101.455] FindNextFileW (in: hFindFile=0x10805288, lpFindFileData=0x1e39fd28 | out: lpFindFileData=0x1e39fd28) returned 1 [0101.455] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.455] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.455] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" [0101.455] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0101.456] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msado25.tlb") returned -1 [0101.456] lstrlenW (lpString="msado25.tlb") returned 11 [0101.456] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.456] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.456] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msado25.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado25.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado25.tlb" [0101.456] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado25.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado25.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado25.tlb" [0101.456] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado25.tlb", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado25.tlb id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado25.tlb id-Br3n0G72wUb8CejT.LyaS" [0101.456] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado25.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado25.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado25.tlb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado25.tlb id-br3n0g72wub8cejt.lyas")) returned 0 [0101.457] FindNextFileW (in: hFindFile=0x10805288, lpFindFileData=0x1e39fd28 | out: lpFindFileData=0x1e39fd28) returned 1 [0101.457] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.457] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.457] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" [0101.457] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0101.457] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msado26.tlb") returned -1 [0101.457] lstrlenW (lpString="msado26.tlb") returned 11 [0101.458] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.458] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.458] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msado26.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado26.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado26.tlb" [0101.458] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado26.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado26.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado26.tlb" [0101.458] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado26.tlb", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado26.tlb id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado26.tlb id-Br3n0G72wUb8CejT.LyaS" [0101.458] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado26.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado26.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado26.tlb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado26.tlb id-br3n0g72wub8cejt.lyas")) returned 0 [0101.458] FindNextFileW (in: hFindFile=0x10805288, lpFindFileData=0x1e39fd28 | out: lpFindFileData=0x1e39fd28) returned 1 [0101.459] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.459] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.459] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" [0101.459] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0101.459] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msado27.tlb") returned -1 [0101.459] lstrlenW (lpString="msado27.tlb") returned 11 [0101.459] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.459] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.459] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msado27.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado27.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado27.tlb" [0101.459] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado27.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado27.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado27.tlb" [0101.459] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado27.tlb", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado27.tlb id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado27.tlb id-Br3n0G72wUb8CejT.LyaS" [0101.459] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado27.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado27.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado27.tlb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado27.tlb id-br3n0g72wub8cejt.lyas")) returned 0 [0101.460] FindNextFileW (in: hFindFile=0x10805288, lpFindFileData=0x1e39fd28 | out: lpFindFileData=0x1e39fd28) returned 1 [0101.460] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.460] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.460] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" [0101.460] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0101.460] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msado28.tlb") returned -1 [0101.460] lstrlenW (lpString="msado28.tlb") returned 11 [0101.461] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.461] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.461] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msado28.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado28.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado28.tlb" [0101.461] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado28.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado28.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado28.tlb" [0101.461] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado28.tlb", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado28.tlb id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado28.tlb id-Br3n0G72wUb8CejT.LyaS" [0101.461] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado28.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado28.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado28.tlb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado28.tlb id-br3n0g72wub8cejt.lyas")) returned 0 [0101.495] FindNextFileW (in: hFindFile=0x10805288, lpFindFileData=0x1e39fd28 | out: lpFindFileData=0x1e39fd28) returned 1 [0101.495] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.495] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.495] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" [0101.495] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0101.495] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msado60.tlb") returned -1 [0101.495] lstrlenW (lpString="msado60.tlb") returned 11 [0101.495] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.495] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.495] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msado60.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado60.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado60.tlb" [0101.495] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado60.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado60.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado60.tlb" [0101.495] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado60.tlb", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado60.tlb id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado60.tlb id-Br3n0G72wUb8CejT.LyaS" [0101.495] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado60.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado60.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado60.tlb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado60.tlb id-br3n0g72wub8cejt.lyas")) returned 0 [0101.496] FindNextFileW (in: hFindFile=0x10805288, lpFindFileData=0x1e39fd28 | out: lpFindFileData=0x1e39fd28) returned 1 [0101.496] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.496] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.496] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" [0101.496] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0101.497] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msadomd.dll") returned -1 [0101.497] lstrlenW (lpString="msadomd.dll") returned 11 [0101.497] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.497] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.497] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msadomd.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd.dll" [0101.497] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd.dll" [0101.497] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd.dll id-Br3n0G72wUb8CejT.LyaS" [0101.497] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadomd.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadomd.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.497] FindNextFileW (in: hFindFile=0x10805288, lpFindFileData=0x1e39fd28 | out: lpFindFileData=0x1e39fd28) returned 1 [0101.497] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.497] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.497] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" [0101.498] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0101.498] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msadomd28.tlb") returned -1 [0101.498] lstrlenW (lpString="msadomd28.tlb") returned 13 [0101.498] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.498] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.498] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msadomd28.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd28.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd28.tlb" [0101.498] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd28.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd28.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd28.tlb" [0101.498] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd28.tlb", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd28.tlb id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd28.tlb id-Br3n0G72wUb8CejT.LyaS" [0101.498] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd28.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadomd28.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd28.tlb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadomd28.tlb id-br3n0g72wub8cejt.lyas")) returned 0 [0101.498] FindNextFileW (in: hFindFile=0x10805288, lpFindFileData=0x1e39fd28 | out: lpFindFileData=0x1e39fd28) returned 1 [0101.498] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.499] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.499] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" [0101.499] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0101.499] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msador15.dll") returned -1 [0101.499] lstrlenW (lpString="msador15.dll") returned 12 [0101.499] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.499] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.499] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msador15.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador15.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador15.dll" [0101.499] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador15.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador15.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador15.dll" [0101.499] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador15.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador15.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador15.dll id-Br3n0G72wUb8CejT.LyaS" [0101.499] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador15.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msador15.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador15.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msador15.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.499] FindNextFileW (in: hFindFile=0x10805288, lpFindFileData=0x1e39fd28 | out: lpFindFileData=0x1e39fd28) returned 1 [0101.499] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.500] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.500] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" [0101.500] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0101.500] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msador28.tlb") returned -1 [0101.500] lstrlenW (lpString="msador28.tlb") returned 12 [0101.500] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.500] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.500] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msador28.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador28.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador28.tlb" [0101.500] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador28.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador28.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador28.tlb" [0101.500] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador28.tlb", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador28.tlb id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador28.tlb id-Br3n0G72wUb8CejT.LyaS" [0101.500] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador28.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msador28.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador28.tlb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msador28.tlb id-br3n0g72wub8cejt.lyas")) returned 0 [0101.501] FindNextFileW (in: hFindFile=0x10805288, lpFindFileData=0x1e39fd28 | out: lpFindFileData=0x1e39fd28) returned 1 [0101.501] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.501] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.501] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" [0101.501] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0101.501] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msadox.dll") returned -1 [0101.501] lstrlenW (lpString="msadox.dll") returned 10 [0101.501] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.501] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.501] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msadox.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox.dll" [0101.501] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox.dll" [0101.501] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox.dll id-Br3n0G72wUb8CejT.LyaS" [0101.501] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadox.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadox.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.504] FindNextFileW (in: hFindFile=0x10805288, lpFindFileData=0x1e39fd28 | out: lpFindFileData=0x1e39fd28) returned 1 [0101.504] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.504] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.504] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" [0101.504] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0101.505] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msadox28.tlb") returned -1 [0101.505] lstrlenW (lpString="msadox28.tlb") returned 12 [0101.505] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.505] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.505] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msadox28.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox28.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox28.tlb" [0101.505] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox28.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox28.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox28.tlb" [0101.505] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox28.tlb", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox28.tlb id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox28.tlb id-Br3n0G72wUb8CejT.LyaS" [0101.505] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox28.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadox28.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox28.tlb id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadox28.tlb id-br3n0g72wub8cejt.lyas")) returned 0 [0101.505] FindNextFileW (in: hFindFile=0x10805288, lpFindFileData=0x1e39fd28 | out: lpFindFileData=0x1e39fd28) returned 1 [0101.505] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.505] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.505] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" [0101.505] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0101.506] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msadrh15.dll") returned -1 [0101.506] lstrlenW (lpString="msadrh15.dll") returned 12 [0101.506] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.506] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.506] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msadrh15.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadrh15.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadrh15.dll" [0101.506] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadrh15.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadrh15.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadrh15.dll" [0101.506] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadrh15.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadrh15.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadrh15.dll id-Br3n0G72wUb8CejT.LyaS" [0101.506] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadrh15.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadrh15.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadrh15.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadrh15.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.506] FindNextFileW (in: hFindFile=0x10805288, lpFindFileData=0x1e39fd28 | out: lpFindFileData=0x1e39fd28) returned 1 [0101.506] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.506] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.507] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" [0101.507] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\how to restore files.hta")) returned 0x1 [0101.507] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msjro.dll") returned -1 [0101.507] lstrlenW (lpString="msjro.dll") returned 9 [0101.507] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0101.507] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0101.507] lstrcatW (lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msjro.dll") Thread: id = 496 os_tid = 0xec8 [0098.616] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\*.*", lpFindFileData=0x1e4dfd28 | out: lpFindFileData=0x1e4dfd28) returned 0x108055c8 [0098.717] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.717] FindNextFileW (in: hFindFile=0x108055c8, lpFindFileData=0x1e4dfd28 | out: lpFindFileData=0x1e4dfd28) returned 1 [0098.717] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.717] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.717] FindNextFileW (in: hFindFile=0x108055c8, lpFindFileData=0x1e4dfd28 | out: lpFindFileData=0x1e4dfd28) returned 1 [0100.863] lstrcpyW (in: lpString1=0x21d0b938, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\*.*" [0100.863] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\*.*") returned 56 [0100.863] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\How To Restore Files.hta" [0100.863] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\en-us\\how to restore files.hta")) returned 0xffffffff [0100.863] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\en-us\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0101.428] WriteFile (in: hFile=0x5a0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1e4dfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1e4dfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0101.429] CloseHandle (hObject=0x5a0) returned 1 [0101.430] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0101.431] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wab32res.dll.mui") returned -1 [0101.431] lstrlenW (lpString="wab32res.dll.mui") returned 16 [0101.431] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\*.*" [0101.431] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\*.*") returned 56 [0101.431] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\", lpString2="wab32res.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\wab32res.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\wab32res.dll.mui" [0101.431] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\wab32res.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\wab32res.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\wab32res.dll.mui" [0101.431] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\wab32res.dll.mui", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\wab32res.dll.mui id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\wab32res.dll.mui id-Br3n0G72wUb8CejT.LyaS" [0101.431] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\wab32res.dll.mui" (normalized: "c:\\program files (x86)\\common files\\system\\en-us\\wab32res.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\wab32res.dll.mui id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\en-us\\wab32res.dll.mui id-br3n0g72wub8cejt.lyas")) returned 0 [0101.467] FindNextFileW (in: hFindFile=0x108055c8, lpFindFileData=0x1e4dfd28 | out: lpFindFileData=0x1e4dfd28) returned 0 [0101.467] FindClose (in: hFindFile=0x108055c8 | out: hFindFile=0x108055c8) returned 1 Thread: id = 497 os_tid = 0xf0 [0098.617] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*", lpFindFileData=0x1e61fd28 | out: lpFindFileData=0x1e61fd28) returned 0x10805608 [0098.850] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.851] FindNextFileW (in: hFindFile=0x10805608, lpFindFileData=0x1e61fd28 | out: lpFindFileData=0x1e61fd28) returned 1 [0098.851] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.851] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.851] FindNextFileW (in: hFindFile=0x10805608, lpFindFileData=0x1e61fd28 | out: lpFindFileData=0x1e61fd28) returned 1 [0100.770] lstrcpyW (in: lpString1=0x8b40c98, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0100.770] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0100.770] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\How To Restore Files.hta" [0100.770] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\how to restore files.hta")) returned 0xffffffff [0100.770] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0101.395] WriteFile (in: hFile=0x5a0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1e61fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1e61fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0101.396] CloseHandle (hObject=0x5a0) returned 1 [0101.397] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0101.409] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="adcjavas.inc") returned 1 [0101.409] lstrlenW (lpString="adcjavas.inc") returned 12 [0101.409] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0101.409] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0101.409] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="adcjavas.inc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcjavas.inc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcjavas.inc" [0101.409] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcjavas.inc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcjavas.inc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcjavas.inc" [0101.409] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcjavas.inc", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcjavas.inc id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcjavas.inc id-Br3n0G72wUb8CejT.LyaS" [0101.410] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\adcjavas.inc"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcjavas.inc id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\adcjavas.inc id-br3n0g72wub8cejt.lyas")) returned 0 [0101.410] FindNextFileW (in: hFindFile=0x10805608, lpFindFileData=0x1e61fd28 | out: lpFindFileData=0x1e61fd28) returned 1 [0101.410] lstrcpyW (in: lpString1=0x8b40c98, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0101.410] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0101.410] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\How To Restore Files.hta" [0101.410] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\how to restore files.hta")) returned 0x1 [0101.411] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="adcvbs.inc") returned 1 [0101.411] lstrlenW (lpString="adcvbs.inc") returned 10 [0101.411] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0101.411] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0101.411] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="adcvbs.inc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcvbs.inc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcvbs.inc" [0101.411] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcvbs.inc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcvbs.inc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcvbs.inc" [0101.411] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcvbs.inc", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcvbs.inc id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcvbs.inc id-Br3n0G72wUb8CejT.LyaS" [0101.411] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\adcvbs.inc"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcvbs.inc id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\adcvbs.inc id-br3n0g72wub8cejt.lyas")) returned 0 [0101.411] FindNextFileW (in: hFindFile=0x10805608, lpFindFileData=0x1e61fd28 | out: lpFindFileData=0x1e61fd28) returned 1 [0101.411] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0101.412] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0101.412] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0101.412] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0101.412] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0101.412] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US" [0101.412] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US\\*.*" [0101.412] GlobalMemoryStatus (in: lpBuffer=0x1e61fd08 | out: lpBuffer=0x1e61fd08) [0101.412] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5a58390, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5a0 [0101.413] CloseHandle (hObject=0x5a0) returned 1 [0101.413] FindNextFileW (in: hFindFile=0x10805608, lpFindFileData=0x1e61fd28 | out: lpFindFileData=0x1e61fd28) returned 1 [0101.413] lstrcpyW (in: lpString1=0x8b40c98, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0101.413] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0101.413] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\How To Restore Files.hta" [0101.413] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\how to restore files.hta")) returned 0x1 [0101.413] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msadce.dll") returned -1 [0101.413] lstrlenW (lpString="msadce.dll") returned 10 [0101.413] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0101.414] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0101.414] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="msadce.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadce.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadce.dll" [0101.414] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadce.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadce.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadce.dll" [0101.414] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadce.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadce.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadce.dll id-Br3n0G72wUb8CejT.LyaS" [0101.414] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadce.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadce.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadce.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadce.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.415] FindNextFileW (in: hFindFile=0x10805608, lpFindFileData=0x1e61fd28 | out: lpFindFileData=0x1e61fd28) returned 1 [0101.415] lstrcpyW (in: lpString1=0x8b40c98, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0101.415] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0101.415] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\How To Restore Files.hta" [0101.415] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\how to restore files.hta")) returned 0x1 [0101.415] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msadcer.dll") returned -1 [0101.415] lstrlenW (lpString="msadcer.dll") returned 11 [0101.415] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0101.415] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0101.415] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="msadcer.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcer.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcer.dll" [0101.415] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcer.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcer.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcer.dll" [0101.415] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcer.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcer.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcer.dll id-Br3n0G72wUb8CejT.LyaS" [0101.415] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcer.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadcer.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcer.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadcer.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.444] FindNextFileW (in: hFindFile=0x10805608, lpFindFileData=0x1e61fd28 | out: lpFindFileData=0x1e61fd28) returned 1 [0101.445] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0101.445] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0101.445] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\How To Restore Files.hta" [0101.445] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\how to restore files.hta")) returned 0x1 [0101.445] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msadco.dll") returned -1 [0101.445] lstrlenW (lpString="msadco.dll") returned 10 [0101.445] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0101.445] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0101.445] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="msadco.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadco.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadco.dll" [0101.445] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadco.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadco.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadco.dll" [0101.445] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadco.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadco.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadco.dll id-Br3n0G72wUb8CejT.LyaS" [0101.446] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadco.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadco.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadco.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadco.dll id-br3n0g72wub8cejt.lyas")) returned 0 Thread: id = 498 os_tid = 0xeb0 [0098.618] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*", lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 0x108053c8 [0098.768] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.768] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 1 [0098.768] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.768] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.769] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 1 [0098.769] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0098.769] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0098.769] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0100.811] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0100.811] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0100.811] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US" [0100.811] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*" [0100.811] GlobalMemoryStatus (in: lpBuffer=0x1e75fd08 | out: lpBuffer=0x1e75fd08) [0100.812] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x5c88cf0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5b0 [0100.812] CloseHandle (hObject=0x5b0) returned 1 [0100.812] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 1 [0100.813] lstrcpyW (in: lpString1=0x211508a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0100.813] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0100.813] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" [0100.813] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\how to restore files.hta")) returned 0xffffffff [0100.813] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0101.389] WriteFile (in: hFile=0x5a0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x1e75fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1e75fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0101.393] CloseHandle (hObject=0x5a0) returned 1 [0101.393] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0101.394] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msdadc.dll") returned -1 [0101.394] lstrlenW (lpString="msdadc.dll") returned 10 [0101.394] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.394] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.394] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdadc.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdadc.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdadc.dll" [0101.394] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdadc.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdadc.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdadc.dll" [0101.394] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdadc.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdadc.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdadc.dll id-Br3n0G72wUb8CejT.LyaS" [0101.394] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdadc.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdadc.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdadc.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdadc.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.432] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 1 [0101.432] lstrcpyW (in: lpString1=0x8b40c98, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.433] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.433] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" [0101.433] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\how to restore files.hta")) returned 0x1 [0101.433] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msdaenum.dll") returned -1 [0101.433] lstrlenW (lpString="msdaenum.dll") returned 12 [0101.433] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.433] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.433] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdaenum.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaenum.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaenum.dll" [0101.433] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaenum.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaenum.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaenum.dll" [0101.433] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaenum.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaenum.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaenum.dll id-Br3n0G72wUb8CejT.LyaS" [0101.433] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaenum.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaenum.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaenum.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaenum.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.434] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 1 [0101.434] lstrcpyW (in: lpString1=0x8b40c98, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.434] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.434] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" [0101.434] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\how to restore files.hta")) returned 0x1 [0101.434] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msdaer.dll") returned -1 [0101.434] lstrlenW (lpString="msdaer.dll") returned 10 [0101.434] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.435] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.435] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdaer.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaer.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaer.dll" [0101.435] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaer.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaer.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaer.dll" [0101.435] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaer.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaer.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaer.dll id-Br3n0G72wUb8CejT.LyaS" [0101.435] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaer.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaer.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaer.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaer.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.435] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 1 [0101.435] lstrcpyW (in: lpString1=0x8b40c98, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.435] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.435] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" [0101.436] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\how to restore files.hta")) returned 0x1 [0101.436] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msdaora.dll") returned -1 [0101.436] lstrlenW (lpString="msdaora.dll") returned 11 [0101.436] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.436] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.436] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdaora.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaora.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaora.dll" [0101.436] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaora.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaora.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaora.dll" [0101.436] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaora.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaora.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaora.dll id-Br3n0G72wUb8CejT.LyaS" [0101.436] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaora.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaora.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaora.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaora.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.462] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 1 [0101.462] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.462] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.462] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" [0101.463] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\how to restore files.hta")) returned 0x1 [0101.464] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msdaorar.dll") returned -1 [0101.464] lstrlenW (lpString="msdaorar.dll") returned 12 [0101.464] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.464] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.464] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdaorar.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaorar.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaorar.dll" [0101.464] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaorar.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaorar.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaorar.dll" [0101.464] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaorar.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaorar.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaorar.dll id-Br3n0G72wUb8CejT.LyaS" [0101.464] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaorar.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaorar.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaorar.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaorar.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.465] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 1 [0101.465] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.465] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.465] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" [0101.465] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\how to restore files.hta")) returned 0x1 [0101.465] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msdaosp.dll") returned -1 [0101.466] lstrlenW (lpString="msdaosp.dll") returned 11 [0101.466] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.466] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.466] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdaosp.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaosp.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaosp.dll" [0101.466] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaosp.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaosp.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaosp.dll" [0101.466] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaosp.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaosp.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaosp.dll id-Br3n0G72wUb8CejT.LyaS" [0101.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaosp.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaosp.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaosp.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaosp.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.502] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 1 [0101.502] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.503] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.503] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" [0101.503] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\how to restore files.hta")) returned 0x1 [0101.503] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msdaps.dll") returned -1 [0101.503] lstrlenW (lpString="msdaps.dll") returned 10 [0101.503] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.503] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.503] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdaps.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaps.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaps.dll" [0101.503] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaps.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaps.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaps.dll" [0101.503] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaps.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaps.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaps.dll id-Br3n0G72wUb8CejT.LyaS" [0101.503] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaps.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaps.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaps.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaps.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.508] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 1 [0101.508] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.508] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.508] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" [0101.508] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\how to restore files.hta")) returned 0x1 [0101.508] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msdasc.dll") returned -1 [0101.508] lstrlenW (lpString="msdasc.dll") returned 10 [0101.508] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.508] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.509] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdasc.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasc.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasc.dll" [0101.509] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasc.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasc.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasc.dll" [0101.509] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasc.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasc.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasc.dll id-Br3n0G72wUb8CejT.LyaS" [0101.509] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasc.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdasc.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasc.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdasc.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.509] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 1 [0101.509] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.509] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.509] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" [0101.509] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\how to restore files.hta")) returned 0x1 [0101.509] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msdasql.dll") returned -1 [0101.510] lstrlenW (lpString="msdasql.dll") returned 11 [0101.510] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.510] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.510] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdasql.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasql.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasql.dll" [0101.510] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasql.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasql.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasql.dll" [0101.512] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasql.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasql.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasql.dll id-Br3n0G72wUb8CejT.LyaS" [0101.512] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasql.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdasql.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasql.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdasql.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.512] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 1 [0101.512] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.512] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.512] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" [0101.512] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\how to restore files.hta")) returned 0x1 [0101.512] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msdasqlr.dll") returned -1 [0101.512] lstrlenW (lpString="msdasqlr.dll") returned 12 [0101.512] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.513] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.513] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdasqlr.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasqlr.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasqlr.dll" [0101.513] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasqlr.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasqlr.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasqlr.dll" [0101.513] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasqlr.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasqlr.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasqlr.dll id-Br3n0G72wUb8CejT.LyaS" [0101.513] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasqlr.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdasqlr.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasqlr.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdasqlr.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.513] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 1 [0101.513] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.514] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.514] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" [0101.514] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\how to restore files.hta")) returned 0x1 [0101.514] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msdatl3.dll") returned -1 [0101.514] lstrlenW (lpString="msdatl3.dll") returned 11 [0101.514] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.514] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.514] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdatl3.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatl3.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatl3.dll" [0101.514] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatl3.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatl3.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatl3.dll" [0101.514] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatl3.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatl3.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatl3.dll id-Br3n0G72wUb8CejT.LyaS" [0101.514] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatl3.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdatl3.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatl3.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdatl3.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.514] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 1 [0101.514] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.514] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.514] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" [0101.514] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\how to restore files.hta")) returned 0x1 [0101.514] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msdatt.dll") returned -1 [0101.515] lstrlenW (lpString="msdatt.dll") returned 10 [0101.515] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.515] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.515] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdatt.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatt.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatt.dll" [0101.515] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatt.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatt.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatt.dll" [0101.515] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatt.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatt.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatt.dll id-Br3n0G72wUb8CejT.LyaS" [0101.515] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatt.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdatt.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatt.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdatt.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.515] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 1 [0101.515] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.515] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.515] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" [0101.515] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\how to restore files.hta")) returned 0x1 [0101.515] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msdaurl.dll") returned -1 [0101.515] lstrlenW (lpString="msdaurl.dll") returned 11 [0101.515] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.515] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.515] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdaurl.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaurl.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaurl.dll" [0101.515] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaurl.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaurl.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaurl.dll" [0101.515] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaurl.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaurl.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaurl.dll id-Br3n0G72wUb8CejT.LyaS" [0101.515] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaurl.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaurl.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaurl.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaurl.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.516] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 1 [0101.516] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.516] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.516] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" [0101.516] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\how to restore files.hta")) returned 0x1 [0101.516] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msxactps.dll") returned -1 [0101.516] lstrlenW (lpString="msxactps.dll") returned 12 [0101.516] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.516] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.516] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msxactps.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msxactps.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msxactps.dll" [0101.516] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msxactps.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msxactps.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msxactps.dll" [0101.516] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msxactps.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msxactps.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msxactps.dll id-Br3n0G72wUb8CejT.LyaS" [0101.516] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msxactps.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msxactps.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msxactps.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msxactps.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.516] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 1 [0101.516] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.516] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.516] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" [0101.516] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\how to restore files.hta")) returned 0x1 [0101.516] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="oledb32.dll") returned -1 [0101.516] lstrlenW (lpString="oledb32.dll") returned 11 [0101.516] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.517] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.517] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="oledb32.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32.dll" [0101.517] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32.dll" [0101.517] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32.dll id-Br3n0G72wUb8CejT.LyaS" [0101.517] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\oledb32.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\oledb32.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.517] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 1 [0101.517] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.517] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.517] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" [0101.517] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\how to restore files.hta")) returned 0x1 [0101.517] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="oledb32r.dll") returned -1 [0101.517] lstrlenW (lpString="oledb32r.dll") returned 12 [0101.517] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.517] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.517] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="oledb32r.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32r.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32r.dll" [0101.517] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32r.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32r.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32r.dll" [0101.517] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32r.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32r.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32r.dll id-Br3n0G72wUb8CejT.LyaS" [0101.517] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32r.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\oledb32r.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32r.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\oledb32r.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.518] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 1 [0101.518] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.518] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.518] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" [0101.518] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\how to restore files.hta")) returned 0x1 [0101.518] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="oledbjvs.inc") returned -1 [0101.518] lstrlenW (lpString="oledbjvs.inc") returned 12 [0101.518] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.518] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.518] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="oledbjvs.inc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbjvs.inc" [0101.518] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbjvs.inc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbjvs.inc" [0101.518] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbjvs.inc", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbjvs.inc id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbjvs.inc id-Br3n0G72wUb8CejT.LyaS" [0101.518] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbjvs.inc" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\oledbjvs.inc"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbjvs.inc id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\oledbjvs.inc id-br3n0g72wub8cejt.lyas")) returned 0 [0101.518] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 1 [0101.518] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.518] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.518] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" [0101.518] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\how to restore files.hta")) returned 0x1 [0101.518] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="oledbvbs.inc") returned -1 [0101.518] lstrlenW (lpString="oledbvbs.inc") returned 12 [0101.519] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.519] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.519] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="oledbvbs.inc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbvbs.inc" [0101.519] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbvbs.inc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbvbs.inc" [0101.519] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbvbs.inc", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbvbs.inc id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbvbs.inc id-Br3n0G72wUb8CejT.LyaS" [0101.519] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\oledbvbs.inc"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbvbs.inc id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\oledbvbs.inc id-br3n0g72wub8cejt.lyas")) returned 0 [0101.529] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 1 [0101.529] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.530] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.530] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" [0101.530] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\how to restore files.hta")) returned 0x1 [0101.530] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="sqloledb.dll") returned -1 [0101.530] lstrlenW (lpString="sqloledb.dll") returned 12 [0101.530] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.530] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.530] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="sqloledb.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.dll" [0101.530] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.dll" [0101.530] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.dll id-Br3n0G72wUb8CejT.LyaS" [0101.530] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\sqloledb.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\sqloledb.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.531] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 1 [0101.531] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.531] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.531] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" [0101.531] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\how to restore files.hta")) returned 0x1 [0101.531] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="sqloledb.rll") returned -1 [0101.531] lstrlenW (lpString="sqloledb.rll") returned 12 [0101.531] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.531] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.531] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="sqloledb.rll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.rll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.rll" [0101.531] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.rll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.rll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.rll" [0101.531] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.rll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.rll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.rll id-Br3n0G72wUb8CejT.LyaS" [0101.531] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.rll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\sqloledb.rll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.rll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\sqloledb.rll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.532] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 1 [0101.532] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.532] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.532] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" [0101.532] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\how to restore files.hta")) returned 0x1 [0101.532] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="sqlxmlx.dll") returned -1 [0101.532] lstrlenW (lpString="sqlxmlx.dll") returned 11 [0101.532] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.532] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.532] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="sqlxmlx.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.dll" [0101.532] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.dll" [0101.532] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.dll id-Br3n0G72wUb8CejT.LyaS" [0101.532] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\sqlxmlx.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\sqlxmlx.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.533] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 1 [0101.533] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.533] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.533] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" [0101.533] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\how to restore files.hta")) returned 0x1 [0101.533] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="sqlxmlx.rll") returned -1 [0101.533] lstrlenW (lpString="sqlxmlx.rll") returned 11 [0101.533] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0101.533] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0101.533] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="sqlxmlx.rll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.rll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.rll" [0101.533] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.rll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.rll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.rll" [0101.533] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.rll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.rll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.rll id-Br3n0G72wUb8CejT.LyaS" [0101.533] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.rll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\sqlxmlx.rll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.rll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\sqlxmlx.rll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.534] FindNextFileW (in: hFindFile=0x108053c8, lpFindFileData=0x1e75fd28 | out: lpFindFileData=0x1e75fd28) returned 0 [0101.534] FindClose (in: hFindFile=0x108053c8 | out: hFindFile=0x108053c8) returned 1 Thread: id = 499 os_tid = 0xfc8 [0098.619] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*", lpFindFileData=0x1e89fd28) Thread: id = 500 os_tid = 0xe88 [0098.620] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*", lpFindFileData=0x1e9dfd28 | out: lpFindFileData=0x1e9dfd28) returned 0x10805908 [0098.620] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.620] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1e9dfd28 | out: lpFindFileData=0x1e9dfd28) returned 1 [0098.620] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.620] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.620] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1e9dfd28 | out: lpFindFileData=0x1e9dfd28) returned 1 [0098.624] lstrcpyW (in: lpString1=0x8d81640, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" [0098.625] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned 79 [0098.625] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\How To Restore Files.hta" [0098.625] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\how to restore files.hta")) returned 0x1 [0098.625] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="How To Restore Files.hta") returned 0 [0098.625] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1e9dfd28 | out: lpFindFileData=0x1e9dfd28) returned 1 [0098.625] lstrcpyW (in: lpString1=0x8d81640, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" [0098.625] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned 79 [0098.625] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\How To Restore Files.hta" [0098.625] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\how to restore files.hta")) returned 0x1 [0098.626] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="state.rsm id-Br3n0G72wUb8CejT.LyaS") returned -1 [0098.626] lstrlenW (lpString="state.rsm id-Br3n0G72wUb8CejT.LyaS") returned 34 [0098.626] lstrcmpiW (lpString1=".LyaS", lpString2=".LyaS") returned 0 [0098.626] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1e9dfd28 | out: lpFindFileData=0x1e9dfd28) returned 1 [0098.626] lstrcpyW (in: lpString1=0x8d81640, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" [0098.626] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned 79 [0098.626] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\How To Restore Files.hta" [0098.626] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\how to restore files.hta")) returned 0x1 [0098.626] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="vcredist_x86.exe id-Br3n0G72wUb8CejT.LyaS") returned -1 [0098.626] lstrlenW (lpString="vcredist_x86.exe id-Br3n0G72wUb8CejT.LyaS") returned 41 [0098.626] lstrcmpiW (lpString1=".LyaS", lpString2=".LyaS") returned 0 [0098.626] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1e9dfd28 | out: lpFindFileData=0x1e9dfd28) returned 0 [0098.626] FindClose (in: hFindFile=0x10805908 | out: hFindFile=0x10805908) returned 1 Thread: id = 501 os_tid = 0x318 [0098.628] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*", lpFindFileData=0x1eb1fd28) Thread: id = 502 os_tid = 0x34c [0098.628] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*", lpFindFileData=0x1ec5fd28 | out: lpFindFileData=0x1ec5fd28) returned 0x10805908 [0098.628] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.628] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1ec5fd28 | out: lpFindFileData=0x1ec5fd28) returned 1 [0098.628] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.628] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.628] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1ec5fd28 | out: lpFindFileData=0x1ec5fd28) returned 1 [0098.628] lstrcpyW (in: lpString1=0x8d81640, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" [0098.629] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned 79 [0098.629] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\How To Restore Files.hta" [0098.629] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\how to restore files.hta")) returned 0x1 [0098.629] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="How To Restore Files.hta") returned 0 [0098.629] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1ec5fd28 | out: lpFindFileData=0x1ec5fd28) returned 1 [0098.629] lstrcpyW (in: lpString1=0x8d81640, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" [0098.629] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned 79 [0098.629] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\How To Restore Files.hta" [0098.629] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\how to restore files.hta")) returned 0x1 [0098.629] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="state.rsm id-Br3n0G72wUb8CejT.LyaS") returned -1 [0098.629] lstrlenW (lpString="state.rsm id-Br3n0G72wUb8CejT.LyaS") returned 34 [0098.629] lstrcmpiW (lpString1=".LyaS", lpString2=".LyaS") returned 0 [0098.629] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1ec5fd28 | out: lpFindFileData=0x1ec5fd28) returned 1 [0098.630] lstrcpyW (in: lpString1=0x8d81640, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" [0098.630] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned 79 [0098.630] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\How To Restore Files.hta" [0098.630] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\how to restore files.hta")) returned 0x1 [0098.630] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="vcredist_x64.exe id-Br3n0G72wUb8CejT.LyaS") returned -1 [0098.630] lstrlenW (lpString="vcredist_x64.exe id-Br3n0G72wUb8CejT.LyaS") returned 41 [0098.630] lstrcmpiW (lpString1=".LyaS", lpString2=".LyaS") returned 0 [0098.630] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1ec5fd28 | out: lpFindFileData=0x1ec5fd28) returned 0 [0098.630] FindClose (in: hFindFile=0x10805908 | out: hFindFile=0x10805908) returned 1 Thread: id = 503 os_tid = 0x338 [0098.631] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*", lpFindFileData=0x1ed9fd28 | out: lpFindFileData=0x1ed9fd28) returned 0x10805908 [0098.632] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.632] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1ed9fd28 | out: lpFindFileData=0x1ed9fd28) returned 1 [0098.632] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.632] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.632] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1ed9fd28 | out: lpFindFileData=0x1ed9fd28) returned 1 [0098.632] lstrcpyW (in: lpString1=0x8d81640, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*" [0098.632] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*") returned 79 [0098.632] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\How To Restore Files.hta" [0098.632] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\package cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\how to restore files.hta")) returned 0x1 [0098.633] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="How To Restore Files.hta") returned 0 [0098.633] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1ed9fd28 | out: lpFindFileData=0x1ed9fd28) returned 1 [0098.633] lstrcpyW (in: lpString1=0x8d81640, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*" [0098.633] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*") returned 79 [0098.633] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\How To Restore Files.hta" [0098.633] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\package cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\how to restore files.hta")) returned 0x1 [0098.633] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="state.rsm id-Br3n0G72wUb8CejT.LyaS") returned -1 [0098.633] lstrlenW (lpString="state.rsm id-Br3n0G72wUb8CejT.LyaS") returned 34 [0098.633] lstrcmpiW (lpString1=".LyaS", lpString2=".LyaS") returned 0 [0098.633] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1ed9fd28 | out: lpFindFileData=0x1ed9fd28) returned 1 [0098.633] lstrcpyW (in: lpString1=0x8d81640, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*" [0098.633] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\*.*") returned 79 [0098.633] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\How To Restore Files.hta" [0098.633] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\package cache\\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\\how to restore files.hta")) returned 0x1 [0098.634] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="VC_redist.x86.exe id-Br3n0G72wUb8CejT.LyaS") returned -1 [0098.634] lstrlenW (lpString="VC_redist.x86.exe id-Br3n0G72wUb8CejT.LyaS") returned 42 [0098.634] lstrcmpiW (lpString1=".LyaS", lpString2=".LyaS") returned 0 [0098.634] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1ed9fd28 | out: lpFindFileData=0x1ed9fd28) returned 0 [0098.634] FindClose (in: hFindFile=0x10805908 | out: hFindFile=0x10805908) returned 1 Thread: id = 504 os_tid = 0x320 [0098.656] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*", lpFindFileData=0x1eedfd28) Thread: id = 505 os_tid = 0xec4 [0098.656] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*", lpFindFileData=0x1f01fd28) Thread: id = 506 os_tid = 0x5c0 [0098.656] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\\*.*", lpFindFileData=0x1f15fd28) Thread: id = 507 os_tid = 0xe0c [0098.657] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*", lpFindFileData=0x1f29fd28) Thread: id = 508 os_tid = 0xe50 [0098.657] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*", lpFindFileData=0x1f3dfd28) Thread: id = 509 os_tid = 0x764 [0098.658] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*", lpFindFileData=0x1f51fd28) Thread: id = 510 os_tid = 0x790 [0098.658] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\\*.*", lpFindFileData=0x1f65fd28) Thread: id = 511 os_tid = 0xe14 [0098.658] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*", lpFindFileData=0x1f79fd28) Thread: id = 512 os_tid = 0xde4 [0098.659] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*", lpFindFileData=0x1f8dfd28) Thread: id = 513 os_tid = 0xdf8 [0098.660] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*", lpFindFileData=0x1fa1fd28) Thread: id = 514 os_tid = 0xe70 [0098.660] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*", lpFindFileData=0x1fb5fd28 | out: lpFindFileData=0x1fb5fd28) returned 0x10805908 [0098.661] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.661] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1fb5fd28 | out: lpFindFileData=0x1fb5fd28) returned 1 [0098.661] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.661] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.661] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1fb5fd28 | out: lpFindFileData=0x1fb5fd28) returned 1 [0098.661] lstrcpyW (in: lpString1=0x8d81640, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" [0098.661] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned 79 [0098.661] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\How To Restore Files.hta" [0098.661] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\how to restore files.hta")) returned 0x1 [0098.661] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="How To Restore Files.hta") returned 0 [0098.661] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1fb5fd28 | out: lpFindFileData=0x1fb5fd28) returned 1 [0098.662] lstrcpyW (in: lpString1=0x8d81640, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" [0098.662] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned 79 [0098.662] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\How To Restore Files.hta" [0098.662] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\how to restore files.hta")) returned 0x1 [0098.662] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="state.rsm id-Br3n0G72wUb8CejT.LyaS") returned -1 [0098.662] lstrlenW (lpString="state.rsm id-Br3n0G72wUb8CejT.LyaS") returned 34 [0098.662] lstrcmpiW (lpString1=".LyaS", lpString2=".LyaS") returned 0 [0098.662] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1fb5fd28 | out: lpFindFileData=0x1fb5fd28) returned 1 [0098.662] lstrcpyW (in: lpString1=0x8d81640, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" [0098.662] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned 79 [0098.662] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\How To Restore Files.hta" [0098.662] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\how to restore files.hta")) returned 0x1 [0098.663] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="VC_redist.x64.exe id-Br3n0G72wUb8CejT.LyaS") returned -1 [0098.663] lstrlenW (lpString="VC_redist.x64.exe id-Br3n0G72wUb8CejT.LyaS") returned 42 [0098.663] lstrcmpiW (lpString1=".LyaS", lpString2=".LyaS") returned 0 [0098.663] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1fb5fd28 | out: lpFindFileData=0x1fb5fd28) returned 0 [0098.663] FindClose (in: hFindFile=0x10805908 | out: hFindFile=0x10805908) returned 1 Thread: id = 515 os_tid = 0xa3c [0098.664] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*", lpFindFileData=0x1fc9fd28 | out: lpFindFileData=0x1fc9fd28) returned 0x10805908 [0098.665] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.665] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1fc9fd28 | out: lpFindFileData=0x1fc9fd28) returned 1 [0098.665] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.665] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.665] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1fc9fd28 | out: lpFindFileData=0x1fc9fd28) returned 1 [0098.665] lstrcpyW (in: lpString1=0x8d81640, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" [0098.665] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned 79 [0098.665] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\How To Restore Files.hta" [0098.665] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\how to restore files.hta")) returned 0x1 [0098.666] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="How To Restore Files.hta") returned 0 [0098.666] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1fc9fd28 | out: lpFindFileData=0x1fc9fd28) returned 1 [0098.666] lstrcpyW (in: lpString1=0x8d81640, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" [0098.666] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned 79 [0098.666] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\How To Restore Files.hta" [0098.666] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\how to restore files.hta")) returned 0x1 [0098.667] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="state.rsm id-Br3n0G72wUb8CejT.LyaS") returned -1 [0098.667] lstrlenW (lpString="state.rsm id-Br3n0G72wUb8CejT.LyaS") returned 34 [0098.667] lstrcmpiW (lpString1=".LyaS", lpString2=".LyaS") returned 0 [0098.667] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1fc9fd28 | out: lpFindFileData=0x1fc9fd28) returned 1 [0098.667] lstrcpyW (in: lpString1=0x8d81640, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" [0098.667] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned 79 [0098.667] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\How To Restore Files.hta" [0098.667] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\how to restore files.hta")) returned 0x1 [0098.667] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="vcredist_x86.exe id-Br3n0G72wUb8CejT.LyaS") returned -1 [0098.667] lstrlenW (lpString="vcredist_x86.exe id-Br3n0G72wUb8CejT.LyaS") returned 41 [0098.667] lstrcmpiW (lpString1=".LyaS", lpString2=".LyaS") returned 0 [0098.667] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1fc9fd28 | out: lpFindFileData=0x1fc9fd28) returned 0 [0098.667] FindClose (in: hFindFile=0x10805908 | out: hFindFile=0x10805908) returned 1 Thread: id = 516 os_tid = 0xdf0 [0098.669] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*", lpFindFileData=0x1fddfd28) Thread: id = 517 os_tid = 0x1f4 [0098.669] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\*.*", lpFindFileData=0x1ff1fd28 | out: lpFindFileData=0x1ff1fd28) returned 0x10805908 [0098.669] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.670] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1ff1fd28 | out: lpFindFileData=0x1ff1fd28) returned 1 [0098.670] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.670] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.670] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1ff1fd28 | out: lpFindFileData=0x1ff1fd28) returned 1 [0098.670] lstrcmpW (lpString1=".", lpString2=".oracle_jre_usage") returned -1 [0098.670] lstrcmpW (lpString1="..", lpString2=".oracle_jre_usage") returned -1 [0098.670] lstrcmpiW (lpString1="windows", lpString2=".oracle_jre_usage") returned 1 [0098.670] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\*.*" [0098.670] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\*.*") returned 38 [0098.670] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\", lpString2=".oracle_jre_usage" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage" [0098.670] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\*.*" [0098.670] GlobalMemoryStatus (in: lpBuffer=0x1ff1fd08 | out: lpBuffer=0x1ff1fd08) [0098.670] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1105ea70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4d4 [0098.671] CloseHandle (hObject=0x4d4) returned 1 [0098.671] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1ff1fd28 | out: lpFindFileData=0x1ff1fd28) returned 1 [0098.671] lstrcmpW (lpString1=".", lpString2="installcache_x64") returned -1 [0098.671] lstrcmpW (lpString1="..", lpString2="installcache_x64") returned -1 [0098.672] lstrcmpiW (lpString1="windows", lpString2="installcache_x64") returned 1 [0098.672] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\*.*" [0098.672] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\*.*") returned 38 [0098.672] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\", lpString2="installcache_x64" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64" [0098.672] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*.*" [0098.672] GlobalMemoryStatus (in: lpBuffer=0x1ff1fd08 | out: lpBuffer=0x1ff1fd08) [0098.672] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x106e05f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4d4 [0098.673] CloseHandle (hObject=0x4d4) returned 1 [0098.673] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1ff1fd28 | out: lpFindFileData=0x1ff1fd28) returned 1 [0098.673] lstrcmpW (lpString1=".", lpString2="javapath") returned -1 [0098.673] lstrcmpW (lpString1="..", lpString2="javapath") returned -1 [0098.673] lstrcmpiW (lpString1="windows", lpString2="javapath") returned 1 [0098.673] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\*.*" [0098.673] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\*.*") returned 38 [0098.673] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\", lpString2="javapath" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath" [0098.674] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath\\*.*" [0098.674] GlobalMemoryStatus (in: lpBuffer=0x1ff1fd08 | out: lpBuffer=0x1ff1fd08) [0098.674] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x106b0528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4d4 [0098.675] CloseHandle (hObject=0x4d4) returned 1 [0098.675] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1ff1fd28 | out: lpFindFileData=0x1ff1fd28) returned 1 [0098.675] lstrcmpW (lpString1=".", lpString2="javapath_target_5923062") returned -1 [0098.675] lstrcmpW (lpString1="..", lpString2="javapath_target_5923062") returned -1 [0098.675] lstrcmpiW (lpString1="windows", lpString2="javapath_target_5923062") returned 1 [0098.675] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\*.*" [0098.675] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\*.*") returned 38 [0098.675] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\", lpString2="javapath_target_5923062" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath_target_5923062") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath_target_5923062" [0098.675] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath_target_5923062", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath_target_5923062\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath_target_5923062\\*.*" [0098.675] GlobalMemoryStatus (in: lpBuffer=0x1ff1fd08 | out: lpBuffer=0x1ff1fd08) [0098.675] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8f49df8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4d4 [0098.676] CloseHandle (hObject=0x4d4) returned 1 [0098.676] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x1ff1fd28 | out: lpFindFileData=0x1ff1fd28) returned 0 [0098.676] FindClose (in: hFindFile=0x10805908 | out: hFindFile=0x10805908) returned 1 Thread: id = 518 os_tid = 0xe8c [0098.678] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*", lpFindFileData=0x2005fd28 | out: lpFindFileData=0x2005fd28) returned 0x10805908 [0098.678] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.678] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x2005fd28 | out: lpFindFileData=0x2005fd28) returned 1 [0098.678] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.678] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.678] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x2005fd28 | out: lpFindFileData=0x2005fd28) returned 1 [0098.678] lstrcpyW (in: lpString1=0x8d81640, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" [0098.678] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned 49 [0098.678] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\How To Restore Files.hta" [0098.678] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\how to restore files.hta")) returned 0x1 [0098.678] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="countrytable.xml") returned 1 [0098.678] lstrlenW (lpString="countrytable.xml") returned 16 [0098.678] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" [0098.679] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned 49 [0098.679] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="countrytable.xml" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\countrytable.xml") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\countrytable.xml" [0098.679] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\countrytable.xml" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\countrytable.xml") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\countrytable.xml" [0098.679] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\countrytable.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\countrytable.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\countrytable.xml id-Br3n0G72wUb8CejT.LyaS" [0098.679] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\countrytable.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\countrytable.xml"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\countrytable.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\countrytable.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0098.679] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x2005fd28 | out: lpFindFileData=0x2005fd28) returned 1 [0098.679] lstrcpyW (in: lpString1=0x8d81640, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" [0098.679] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned 49 [0098.679] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\How To Restore Files.hta" [0098.679] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\how to restore files.hta")) returned 0x1 [0098.680] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="How To Restore Files.hta") returned 0 [0098.680] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x2005fd28 | out: lpFindFileData=0x2005fd28) returned 1 [0098.680] lstrcmpW (lpString1=".", lpString2="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}") returned -1 [0098.680] lstrcmpW (lpString1="..", lpString2="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}") returned -1 [0098.680] lstrcmpiW (lpString1="windows", lpString2="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}") returned 1 [0098.680] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" [0098.680] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned 49 [0098.680] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}" [0098.680] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*" [0098.680] GlobalMemoryStatus (in: lpBuffer=0x2005fd08 | out: lpBuffer=0x2005fd08) [0098.680] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8880118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4d4 [0098.681] CloseHandle (hObject=0x4d4) returned 1 [0098.682] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x2005fd28 | out: lpFindFileData=0x2005fd28) returned 1 [0098.682] lstrcmpW (lpString1=".", lpString2="{1e05dd5d-a022-46c5-963c-b20de341170f}") returned -1 [0098.682] lstrcmpW (lpString1="..", lpString2="{1e05dd5d-a022-46c5-963c-b20de341170f}") returned -1 [0098.682] lstrcmpiW (lpString1="windows", lpString2="{1e05dd5d-a022-46c5-963c-b20de341170f}") returned 1 [0098.682] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" [0098.682] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned 49 [0098.682] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{1e05dd5d-a022-46c5-963c-b20de341170f}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}" [0098.682] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*" [0098.682] GlobalMemoryStatus (in: lpBuffer=0x2005fd08 | out: lpBuffer=0x2005fd08) [0098.682] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11393848, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4d4 [0098.685] CloseHandle (hObject=0x4d4) returned 1 [0098.685] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x2005fd28 | out: lpFindFileData=0x2005fd28) returned 1 [0098.685] lstrcmpW (lpString1=".", lpString2="{23cb517f-5073-4e96-a202-7fe6122a2271}") returned -1 [0098.685] lstrcmpW (lpString1="..", lpString2="{23cb517f-5073-4e96-a202-7fe6122a2271}") returned -1 [0098.685] lstrcmpiW (lpString1="windows", lpString2="{23cb517f-5073-4e96-a202-7fe6122a2271}") returned 1 [0098.685] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" [0098.685] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned 49 [0098.685] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{23cb517f-5073-4e96-a202-7fe6122a2271}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}" [0098.685] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*" [0098.685] GlobalMemoryStatus (in: lpBuffer=0x2005fd08 | out: lpBuffer=0x2005fd08) [0098.685] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x113ab8b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4d4 [0098.686] CloseHandle (hObject=0x4d4) returned 1 [0098.686] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x2005fd28 | out: lpFindFileData=0x2005fd28) returned 1 [0098.686] lstrcmpW (lpString1=".", lpString2="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}") returned -1 [0098.686] lstrcmpW (lpString1="..", lpString2="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}") returned -1 [0098.686] lstrcmpiW (lpString1="windows", lpString2="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}") returned 1 [0098.692] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" [0098.692] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned 49 [0098.692] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}" [0098.692] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*" [0098.692] GlobalMemoryStatus (in: lpBuffer=0x2005fd08 | out: lpBuffer=0x2005fd08) [0098.693] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21812590, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4d4 [0098.693] CloseHandle (hObject=0x4d4) returned 1 [0098.694] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x2005fd28 | out: lpFindFileData=0x2005fd28) returned 1 [0098.694] lstrcmpW (lpString1=".", lpString2="{7a30a9be-737f-47a1-a541-6e7b0761ed19}") returned -1 [0098.694] lstrcmpW (lpString1="..", lpString2="{7a30a9be-737f-47a1-a541-6e7b0761ed19}") returned -1 [0098.694] lstrcmpiW (lpString1="windows", lpString2="{7a30a9be-737f-47a1-a541-6e7b0761ed19}") returned 1 [0098.700] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" [0098.700] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned 49 [0098.700] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{7a30a9be-737f-47a1-a541-6e7b0761ed19}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}" [0098.700] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*" [0098.700] GlobalMemoryStatus (in: lpBuffer=0x2005fd08 | out: lpBuffer=0x2005fd08) [0098.700] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2182a5f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4d4 [0098.701] CloseHandle (hObject=0x4d4) returned 1 [0098.701] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x2005fd28 | out: lpFindFileData=0x2005fd28) returned 1 [0098.702] lstrcmpW (lpString1=".", lpString2="{8fb7d64e-70fc-4f9d-89ee-d486817534df}") returned -1 [0098.702] lstrcmpW (lpString1="..", lpString2="{8fb7d64e-70fc-4f9d-89ee-d486817534df}") returned -1 [0098.702] lstrcmpiW (lpString1="windows", lpString2="{8fb7d64e-70fc-4f9d-89ee-d486817534df}") returned 1 [0098.707] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" [0098.707] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned 49 [0098.707] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{8fb7d64e-70fc-4f9d-89ee-d486817534df}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}" [0098.707] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*" [0098.707] GlobalMemoryStatus (in: lpBuffer=0x2005fd08 | out: lpBuffer=0x2005fd08) [0098.707] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21842660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4d4 [0098.708] CloseHandle (hObject=0x4d4) returned 1 [0098.709] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x2005fd28 | out: lpFindFileData=0x2005fd28) returned 1 [0098.709] lstrcmpW (lpString1=".", lpString2="{99b095d8-5959-4820-bea7-7448c8427b4e}") returned -1 [0098.709] lstrcmpW (lpString1="..", lpString2="{99b095d8-5959-4820-bea7-7448c8427b4e}") returned -1 [0098.709] lstrcmpiW (lpString1="windows", lpString2="{99b095d8-5959-4820-bea7-7448c8427b4e}") returned 1 [0100.869] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" [0100.869] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned 49 [0100.869] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{99b095d8-5959-4820-bea7-7448c8427b4e}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}" [0100.869] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*" [0100.869] GlobalMemoryStatus (in: lpBuffer=0x2005fd08 | out: lpBuffer=0x2005fd08) [0100.869] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x2185a6c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5b4 [0100.870] CloseHandle (hObject=0x5b4) returned 1 [0100.870] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x2005fd28 | out: lpFindFileData=0x2005fd28) returned 1 [0100.870] lstrcmpW (lpString1=".", lpString2="{9aec5bda-1e87-46b3-bb96-1a01c606555e}") returned -1 [0100.870] lstrcmpW (lpString1="..", lpString2="{9aec5bda-1e87-46b3-bb96-1a01c606555e}") returned -1 [0100.871] lstrcmpiW (lpString1="windows", lpString2="{9aec5bda-1e87-46b3-bb96-1a01c606555e}") returned 1 [0100.871] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" [0100.871] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned 49 [0100.871] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{9aec5bda-1e87-46b3-bb96-1a01c606555e}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}" [0100.871] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*" [0100.871] GlobalMemoryStatus (in: lpBuffer=0x2005fd08 | out: lpBuffer=0x2005fd08) [0100.871] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1140ba50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5b4 [0100.872] CloseHandle (hObject=0x5b4) returned 1 [0100.872] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x2005fd28 | out: lpFindFileData=0x2005fd28) returned 1 [0100.872] lstrcmpW (lpString1=".", lpString2="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}") returned -1 [0100.872] lstrcmpW (lpString1="..", lpString2="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}") returned -1 [0100.872] lstrcmpiW (lpString1="windows", lpString2="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}") returned 1 [0100.872] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" [0100.872] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned 49 [0100.872] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}" [0100.872] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*" [0100.872] GlobalMemoryStatus (in: lpBuffer=0x2005fd08 | out: lpBuffer=0x2005fd08) [0100.872] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1143bb20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5b4 [0100.873] CloseHandle (hObject=0x5b4) returned 1 [0100.873] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x2005fd28 | out: lpFindFileData=0x2005fd28) returned 1 [0100.873] lstrcmpW (lpString1=".", lpString2="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}") returned -1 [0100.873] lstrcmpW (lpString1="..", lpString2="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}") returned -1 [0100.873] lstrcmpiW (lpString1="windows", lpString2="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}") returned 1 [0100.878] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" [0100.878] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned 49 [0100.878] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}" [0100.878] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*" [0100.878] GlobalMemoryStatus (in: lpBuffer=0x2005fd08 | out: lpBuffer=0x2005fd08) [0100.878] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1afc01e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5b4 [0100.879] CloseHandle (hObject=0x5b4) returned 1 [0100.879] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x2005fd28 | out: lpFindFileData=0x2005fd28) returned 1 [0100.879] lstrcmpW (lpString1=".", lpString2="{ee4aac98-c174-4941-82b1-d121e493e4fb}") returned -1 [0100.879] lstrcmpW (lpString1="..", lpString2="{ee4aac98-c174-4941-82b1-d121e493e4fb}") returned -1 [0100.879] lstrcmpiW (lpString1="windows", lpString2="{ee4aac98-c174-4941-82b1-d121e493e4fb}") returned 1 [0100.884] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" [0100.884] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned 49 [0100.884] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{ee4aac98-c174-4941-82b1-d121e493e4fb}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}" [0100.884] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*" [0100.885] GlobalMemoryStatus (in: lpBuffer=0x2005fd08 | out: lpBuffer=0x2005fd08) [0100.885] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1afd8250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5b4 [0100.886] CloseHandle (hObject=0x5b4) returned 1 [0100.886] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x2005fd28 | out: lpFindFileData=0x2005fd28) returned 1 [0100.886] lstrcmpW (lpString1=".", lpString2="{f11899f2-71ec-4621-9997-e17ae2f6eb26}") returned -1 [0100.886] lstrcmpW (lpString1="..", lpString2="{f11899f2-71ec-4621-9997-e17ae2f6eb26}") returned -1 [0100.886] lstrcmpiW (lpString1="windows", lpString2="{f11899f2-71ec-4621-9997-e17ae2f6eb26}") returned 1 [0100.890] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" [0100.890] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned 49 [0100.890] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{f11899f2-71ec-4621-9997-e17ae2f6eb26}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}" [0100.890] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*" [0100.890] GlobalMemoryStatus (in: lpBuffer=0x2005fd08 | out: lpBuffer=0x2005fd08) [0100.890] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1aff02b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5b4 [0100.891] CloseHandle (hObject=0x5b4) returned 1 [0100.891] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x2005fd28 | out: lpFindFileData=0x2005fd28) returned 1 [0100.891] lstrcmpW (lpString1=".", lpString2="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}") returned -1 [0100.892] lstrcmpW (lpString1="..", lpString2="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}") returned -1 [0100.892] lstrcmpiW (lpString1="windows", lpString2="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}") returned 1 [0100.896] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" [0100.896] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned 49 [0100.896] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}" [0100.896] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*" [0100.896] GlobalMemoryStatus (in: lpBuffer=0x2005fd08 | out: lpBuffer=0x2005fd08) [0100.896] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1b008320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5b4 [0100.897] CloseHandle (hObject=0x5b4) returned 1 [0100.897] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x2005fd28 | out: lpFindFileData=0x2005fd28) returned 0 [0100.897] FindClose (in: hFindFile=0x10805908 | out: hFindFile=0x10805908) returned 1 Thread: id = 519 os_tid = 0x434 [0098.714] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\*.*", lpFindFileData=0x2019fd28) Thread: id = 520 os_tid = 0xe54 [0098.714] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\*.*", lpFindFileData=0x202dfd28 | out: lpFindFileData=0x202dfd28) returned 0x10805288 [0098.715] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.715] FindNextFileW (in: hFindFile=0x10805288, lpFindFileData=0x202dfd28 | out: lpFindFileData=0x202dfd28) returned 1 [0098.715] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.715] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.715] FindNextFileW (in: hFindFile=0x10805288, lpFindFileData=0x202dfd28 | out: lpFindFileData=0x202dfd28) returned 0 [0098.715] FindClose (in: hFindFile=0x10805288 | out: hFindFile=0x10805288) returned 1 Thread: id = 521 os_tid = 0x858 [0098.716] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*", lpFindFileData=0x2041fd28) Thread: id = 522 os_tid = 0x954 [0098.716] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\*.*", lpFindFileData=0x2055fd28 | out: lpFindFileData=0x2055fd28) returned 0x5c8dd0 [0100.865] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.865] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x2055fd28 | out: lpFindFileData=0x2055fd28) returned 1 [0100.865] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0100.865] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.865] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x2055fd28 | out: lpFindFileData=0x2055fd28) returned 1 [0100.865] lstrcmpW (lpString1=".", lpString2="AC658CB4-9126-49BD-B877-31EEDAB3F204") returned -1 [0100.865] lstrcmpW (lpString1="..", lpString2="AC658CB4-9126-49BD-B877-31EEDAB3F204") returned -1 [0100.865] lstrcmpiW (lpString1="windows", lpString2="AC658CB4-9126-49BD-B877-31EEDAB3F204") returned 1 [0100.865] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\*.*" [0100.865] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\*.*") returned 42 [0100.865] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\", lpString2="AC658CB4-9126-49BD-B877-31EEDAB3F204" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204" [0100.865] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*.*" [0100.865] GlobalMemoryStatus (in: lpBuffer=0x2055fd08 | out: lpBuffer=0x2055fd08) [0100.865] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11423ab8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4b4 [0100.866] CloseHandle (hObject=0x4b4) returned 1 [0100.866] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x2055fd28 | out: lpFindFileData=0x2055fd28) returned 0 [0100.867] FindClose (in: hFindFile=0x5c8dd0 | out: hFindFile=0x5c8dd0) returned 1 Thread: id = 523 os_tid = 0x628 [0098.716] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF\\*.*", lpFindFileData=0x2069fd28 | out: lpFindFileData=0x2069fd28) returned 0x5c8dd0 [0100.864] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.864] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x2069fd28 | out: lpFindFileData=0x2069fd28) returned 1 [0100.864] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0100.864] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.864] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x2069fd28 | out: lpFindFileData=0x2069fd28) returned 0 [0100.864] FindClose (in: hFindFile=0x5c8dd0 | out: hFindFile=0x5c8dd0) returned 1 Thread: id = 524 os_tid = 0xa38 [0098.717] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*", lpFindFileData=0x207dfd28 | out: lpFindFileData=0x207dfd28) returned 0x108052c8 [0098.718] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.718] FindNextFileW (in: hFindFile=0x108052c8, lpFindFileData=0x207dfd28 | out: lpFindFileData=0x207dfd28) returned 1 [0098.718] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.718] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.718] FindNextFileW (in: hFindFile=0x108052c8, lpFindFileData=0x207dfd28 | out: lpFindFileData=0x207dfd28) returned 1 [0098.718] lstrcmpW (lpString1=".", lpString2="Clean Store") returned -1 [0098.718] lstrcmpW (lpString1="..", lpString2="Clean Store") returned -1 [0098.718] lstrcmpiW (lpString1="windows", lpString2="Clean Store") returned 1 [0100.817] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" [0100.817] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned 53 [0100.817] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="Clean Store" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Clean Store") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Clean Store" [0100.817] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Clean Store", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Clean Store\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Clean Store\\*.*" [0100.817] GlobalMemoryStatus (in: lpBuffer=0x207dfd08 | out: lpBuffer=0x207dfd08) [0100.817] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11453b88, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4b4 [0100.818] CloseHandle (hObject=0x4b4) returned 1 [0100.818] FindNextFileW (in: hFindFile=0x108052c8, lpFindFileData=0x207dfd28 | out: lpFindFileData=0x207dfd28) returned 1 [0100.818] lstrcmpW (lpString1=".", lpString2="Definition Updates") returned -1 [0100.818] lstrcmpW (lpString1="..", lpString2="Definition Updates") returned -1 [0100.818] lstrcmpiW (lpString1="windows", lpString2="Definition Updates") returned 1 [0100.819] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" [0100.819] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned 53 [0100.819] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="Definition Updates" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates" [0100.819] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*.*" [0100.819] GlobalMemoryStatus (in: lpBuffer=0x207dfd08 | out: lpBuffer=0x207dfd08) [0100.819] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11046a08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4b4 [0100.820] CloseHandle (hObject=0x4b4) returned 1 [0100.820] FindNextFileW (in: hFindFile=0x108052c8, lpFindFileData=0x207dfd28 | out: lpFindFileData=0x207dfd28) returned 1 [0100.820] lstrcmpW (lpString1=".", lpString2="Features") returned -1 [0100.820] lstrcmpW (lpString1="..", lpString2="Features") returned -1 [0100.820] lstrcmpiW (lpString1="windows", lpString2="Features") returned 1 [0100.825] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" [0100.825] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned 53 [0100.825] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="Features" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Features") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Features" [0100.825] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Features", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Features\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Features\\*.*" [0100.825] GlobalMemoryStatus (in: lpBuffer=0x207dfd08 | out: lpBuffer=0x207dfd08) [0100.826] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21cdb868, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4b4 [0100.826] CloseHandle (hObject=0x4b4) returned 1 [0100.827] FindNextFileW (in: hFindFile=0x108052c8, lpFindFileData=0x207dfd28 | out: lpFindFileData=0x207dfd28) returned 1 [0100.827] lstrcmpW (lpString1=".", lpString2="LocalCopy") returned -1 [0100.827] lstrcmpW (lpString1="..", lpString2="LocalCopy") returned -1 [0100.827] lstrcmpiW (lpString1="windows", lpString2="LocalCopy") returned 1 [0100.831] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" [0100.831] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned 53 [0100.831] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="LocalCopy" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy" [0100.832] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\*.*" [0100.832] GlobalMemoryStatus (in: lpBuffer=0x207dfd08 | out: lpBuffer=0x207dfd08) [0100.832] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21cf38d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4b4 [0100.833] CloseHandle (hObject=0x4b4) returned 1 [0100.833] FindNextFileW (in: hFindFile=0x108052c8, lpFindFileData=0x207dfd28 | out: lpFindFileData=0x207dfd28) returned 1 [0100.833] lstrcmpW (lpString1=".", lpString2="Network Inspection System") returned -1 [0100.833] lstrcmpW (lpString1="..", lpString2="Network Inspection System") returned -1 [0100.833] lstrcmpiW (lpString1="windows", lpString2="Network Inspection System") returned 1 [0100.842] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" [0100.842] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned 53 [0100.842] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="Network Inspection System" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System" [0100.842] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\*.*" [0100.842] GlobalMemoryStatus (in: lpBuffer=0x207dfd08 | out: lpBuffer=0x207dfd08) [0100.843] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1af60048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4b4 [0100.844] CloseHandle (hObject=0x4b4) returned 1 [0100.844] FindNextFileW (in: hFindFile=0x108052c8, lpFindFileData=0x207dfd28 | out: lpFindFileData=0x207dfd28) returned 1 [0100.844] lstrcmpW (lpString1=".", lpString2="Quarantine") returned -1 [0100.844] lstrcmpW (lpString1="..", lpString2="Quarantine") returned -1 [0100.844] lstrcmpiW (lpString1="windows", lpString2="Quarantine") returned 1 [0100.848] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" [0100.848] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned 53 [0100.848] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="Quarantine" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine" [0100.849] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\*.*" [0100.849] GlobalMemoryStatus (in: lpBuffer=0x207dfd08 | out: lpBuffer=0x207dfd08) [0100.849] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1af780b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4b4 [0100.850] CloseHandle (hObject=0x4b4) returned 1 [0100.850] FindNextFileW (in: hFindFile=0x108052c8, lpFindFileData=0x207dfd28 | out: lpFindFileData=0x207dfd28) returned 1 [0100.850] lstrcmpW (lpString1=".", lpString2="Scans") returned -1 [0100.850] lstrcmpW (lpString1="..", lpString2="Scans") returned -1 [0100.850] lstrcmpiW (lpString1="windows", lpString2="Scans") returned 1 [0100.855] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" [0100.855] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned 53 [0100.855] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="Scans" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans" [0100.855] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*.*" [0100.855] GlobalMemoryStatus (in: lpBuffer=0x207dfd08 | out: lpBuffer=0x207dfd08) [0100.855] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1af90118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4b4 [0100.856] CloseHandle (hObject=0x4b4) returned 1 [0100.856] FindNextFileW (in: hFindFile=0x108052c8, lpFindFileData=0x207dfd28 | out: lpFindFileData=0x207dfd28) returned 1 [0100.856] lstrcmpW (lpString1=".", lpString2="Support") returned -1 [0100.856] lstrcmpW (lpString1="..", lpString2="Support") returned -1 [0100.856] lstrcmpiW (lpString1="windows", lpString2="Support") returned 1 [0100.860] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" [0100.860] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned 53 [0100.860] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="Support" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support" [0100.860] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*.*" [0100.861] GlobalMemoryStatus (in: lpBuffer=0x207dfd08 | out: lpBuffer=0x207dfd08) [0100.861] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x1afa8180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4b4 [0100.862] CloseHandle (hObject=0x4b4) returned 1 [0100.862] FindNextFileW (in: hFindFile=0x108052c8, lpFindFileData=0x207dfd28 | out: lpFindFileData=0x207dfd28) returned 0 [0100.862] FindClose (in: hFindFile=0x108052c8 | out: hFindFile=0x108052c8) returned 1 Thread: id = 525 os_tid = 0x418 [0098.718] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\*.*", lpFindFileData=0x2091fd28 | out: lpFindFileData=0x2091fd28) returned 0x10805308 [0098.719] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.719] FindNextFileW (in: hFindFile=0x10805308, lpFindFileData=0x2091fd28 | out: lpFindFileData=0x2091fd28) returned 1 [0098.719] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.719] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.719] FindNextFileW (in: hFindFile=0x10805308, lpFindFileData=0x2091fd28 | out: lpFindFileData=0x2091fd28) returned 1 [0100.816] lstrcpyW (in: lpString1=0x21cdb868, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\*.*" [0100.816] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\*.*") returned 49 [0100.816] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\How To Restore Files.hta" [0100.816] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\windows live\\how to restore files.hta")) returned 0x1 [0100.816] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="How To Restore Files.hta") returned 0 [0100.816] FindNextFileW (in: hFindFile=0x10805308, lpFindFileData=0x2091fd28 | out: lpFindFileData=0x2091fd28) returned 1 [0100.816] lstrcpyW (in: lpString1=0x21cdb868, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\*.*" [0100.816] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\*.*") returned 49 [0100.816] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\How To Restore Files.hta" [0100.817] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\windows live\\how to restore files.hta")) returned 0x1 [0100.817] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="WLive48x48.png id-Br3n0G72wUb8CejT.LyaS") returned -1 [0100.817] lstrlenW (lpString="WLive48x48.png id-Br3n0G72wUb8CejT.LyaS") returned 39 [0100.817] lstrcmpiW (lpString1=".LyaS", lpString2=".LyaS") returned 0 [0100.817] FindNextFileW (in: hFindFile=0x10805308, lpFindFileData=0x2091fd28 | out: lpFindFileData=0x2091fd28) returned 0 [0100.817] FindClose (in: hFindFile=0x10805308 | out: hFindFile=0x10805308) returned 1 Thread: id = 526 os_tid = 0xac4 [0098.719] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*", lpFindFileData=0x20a5fd28) Thread: id = 527 os_tid = 0x838 [0098.750] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*.*", lpFindFileData=0x20b5fd28) Thread: id = 528 os_tid = 0x8cc [0098.750] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*.*", lpFindFileData=0x20c5fd28) Thread: id = 529 os_tid = 0xa84 [0098.751] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpFindFileData=0x20d5fd28 | out: lpFindFileData=0x20d5fd28) returned 0x5c8e90 [0101.018] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.018] FindNextFileW (in: hFindFile=0x5c8e90, lpFindFileData=0x20d5fd28 | out: lpFindFileData=0x20d5fd28) returned 1 [0101.018] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.018] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.018] FindNextFileW (in: hFindFile=0x5c8e90, lpFindFileData=0x20d5fd28 | out: lpFindFileData=0x20d5fd28) returned 1 [0101.018] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0101.018] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0101.018] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0101.018] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*" [0101.018] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*") returned 89 [0101.018] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US" [0101.018] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*" [0101.018] GlobalMemoryStatus (in: lpBuffer=0x20d5fd08 | out: lpBuffer=0x20d5fd08) [0101.018] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10f26528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x60c [0101.019] CloseHandle (hObject=0x60c) returned 1 [0101.019] FindNextFileW (in: hFindFile=0x5c8e90, lpFindFileData=0x20d5fd28 | out: lpFindFileData=0x20d5fd28) returned 1 [0101.019] lstrcpyW (in: lpString1=0x21148898, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*" [0101.019] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*") returned 89 [0101.019] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\How To Restore Files.hta" [0101.019] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\how to restore files.hta")) returned 0xffffffff [0101.020] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 530 os_tid = 0x2e0 [0098.751] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpFindFileData=0x21e2fd28 | out: lpFindFileData=0x21e2fd28) returned 0x10805548 [0098.849] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.850] FindNextFileW (in: hFindFile=0x10805548, lpFindFileData=0x21e2fd28 | out: lpFindFileData=0x21e2fd28) returned 1 [0098.850] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.850] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.850] FindNextFileW (in: hFindFile=0x10805548, lpFindFileData=0x21e2fd28 | out: lpFindFileData=0x21e2fd28) returned 1 [0098.850] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0098.850] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0098.850] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0100.772] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*" [0100.772] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*") returned 89 [0100.772] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US" [0100.772] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*" [0100.772] GlobalMemoryStatus (in: lpBuffer=0x21e2fd08 | out: lpBuffer=0x21e2fd08) [0100.772] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10e4e180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x418 [0100.773] CloseHandle (hObject=0x418) returned 1 [0100.773] FindNextFileW (in: hFindFile=0x10805548, lpFindFileData=0x21e2fd28 | out: lpFindFileData=0x21e2fd28) returned 1 [0100.773] lstrcpyW (in: lpString1=0x3e24360, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*" [0100.773] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*") returned 89 [0100.773] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\How To Restore Files.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\How To Restore Files.hta" [0100.773] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\how to restore files.hta")) returned 0xffffffff [0100.773] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\How To Restore Files.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 531 os_tid = 0x53c [0098.752] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\*.*", lpFindFileData=0x21f6fd28 | out: lpFindFileData=0x21f6fd28) returned 0x10805408 [0098.769] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.769] FindNextFileW (in: hFindFile=0x10805408, lpFindFileData=0x21f6fd28 | out: lpFindFileData=0x21f6fd28) returned 1 [0098.769] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.769] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.770] FindNextFileW (in: hFindFile=0x10805408, lpFindFileData=0x21f6fd28 | out: lpFindFileData=0x21f6fd28) returned 0 [0098.770] FindClose (in: hFindFile=0x10805408 | out: hFindFile=0x10805408) returned 1 Thread: id = 532 os_tid = 0x7a4 [0098.752] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*", lpFindFileData=0x220afd28) Thread: id = 533 os_tid = 0xc34 [0098.752] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*", lpFindFileData=0x221efd28) Thread: id = 534 os_tid = 0x568 [0098.752] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\*.*", lpFindFileData=0x2232fd28) Thread: id = 535 os_tid = 0x6cc [0098.753] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\*.*", lpFindFileData=0x2246fd28) Thread: id = 536 os_tid = 0x8a0 [0098.753] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\*.*", lpFindFileData=0x225afd28) Thread: id = 537 os_tid = 0x69c [0098.753] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\*.*", lpFindFileData=0x226efd28) Thread: id = 538 os_tid = 0x5f4 [0098.754] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\*.*", lpFindFileData=0x2282fd28) Thread: id = 539 os_tid = 0xa64 [0098.754] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\*.*", lpFindFileData=0x2296fd28) Thread: id = 540 os_tid = 0xa54 [0098.754] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\*.*", lpFindFileData=0x22aafd28) Thread: id = 541 os_tid = 0x85c [0098.755] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\*.*", lpFindFileData=0x22befd28) Thread: id = 542 os_tid = 0xae8 [0098.755] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\*.*", lpFindFileData=0x22d2fd28) Thread: id = 543 os_tid = 0xc6c [0098.758] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\*.*", lpFindFileData=0x22e6fd28) Thread: id = 544 os_tid = 0x7c4 [0098.759] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\*.*", lpFindFileData=0x22fafd28) Thread: id = 545 os_tid = 0xca0 [0098.759] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\en-us.16\\*.*", lpFindFileData=0x230efd28) Thread: id = 546 os_tid = 0xca4 [0098.760] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\x-none.16\\*.*", lpFindFileData=0x2322fd28) Thread: id = 547 os_tid = 0xcac [0098.761] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Triedit\\en-US\\*.*", lpFindFileData=0x2336fd28 | out: lpFindFileData=0x2336fd28) returned 0x2c9e9c8 [0098.857] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.857] FindNextFileW (in: hFindFile=0x2c9e9c8, lpFindFileData=0x2336fd28 | out: lpFindFileData=0x2336fd28) returned 1 [0098.857] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.857] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.857] FindNextFileW (in: hFindFile=0x2c9e9c8, lpFindFileData=0x2336fd28 | out: lpFindFileData=0x2336fd28) returned 0 [0098.857] FindClose (in: hFindFile=0x2c9e9c8 | out: hFindFile=0x2c9e9c8) returned 1 Thread: id = 548 os_tid = 0x7b8 [0098.762] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader\\DC\\*.*", lpFindFileData=0x234afd28 | out: lpFindFileData=0x234afd28) returned 0x10805888 [0098.854] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.854] FindNextFileW (in: hFindFile=0x10805888, lpFindFileData=0x234afd28 | out: lpFindFileData=0x234afd28) returned 1 [0098.854] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.854] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.854] FindNextFileW (in: hFindFile=0x10805888, lpFindFileData=0x234afd28 | out: lpFindFileData=0x234afd28) returned 1 [0098.854] lstrcmpW (lpString1=".", lpString2="Linguistics") returned -1 [0098.854] lstrcmpW (lpString1="..", lpString2="Linguistics") returned -1 [0098.854] lstrcmpiW (lpString1="windows", lpString2="Linguistics") returned 1 [0100.767] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader\\DC\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader\\DC\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader\\DC\\*.*" [0100.767] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader\\DC\\*.*") returned 59 [0100.767] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader\\DC\\", lpString2="Linguistics" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader\\DC\\Linguistics") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader\\DC\\Linguistics" [0100.767] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader\\DC\\Linguistics", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader\\DC\\Linguistics\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Reader\\DC\\Linguistics\\*.*" [0100.767] GlobalMemoryStatus (in: lpBuffer=0x234afd08 | out: lpBuffer=0x234afd08) [0100.767] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10eae320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x46c [0100.768] CloseHandle (hObject=0x46c) returned 1 [0100.768] FindNextFileW (in: hFindFile=0x10805888, lpFindFileData=0x234afd28 | out: lpFindFileData=0x234afd28) returned 0 [0100.768] FindClose (in: hFindFile=0x10805888 | out: hFindFile=0x10805888) returned 1 Thread: id = 549 os_tid = 0x6e8 [0098.762] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*.*", lpFindFileData=0x235efd28 | out: lpFindFileData=0x235efd28) returned 0x10805448 [0098.805] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.805] FindNextFileW (in: hFindFile=0x10805448, lpFindFileData=0x235efd28 | out: lpFindFileData=0x235efd28) returned 1 [0098.805] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.805] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.805] FindNextFileW (in: hFindFile=0x10805448, lpFindFileData=0x235efd28 | out: lpFindFileData=0x235efd28) returned 1 [0100.803] lstrcpyW (in: lpString1=0x211508a0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*.*" [0100.803] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*.*") returned 52 [0100.803] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\How To Restore Files.hta" [0100.803] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\int\\how to restore files.hta")) returned 0x1 [0100.803] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="How To Restore Files.hta") returned 0 [0100.804] FindNextFileW (in: hFindFile=0x10805448, lpFindFileData=0x235efd28 | out: lpFindFileData=0x235efd28) returned 1 [0100.804] lstrcpyW (in: lpString1=0x211508a0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*.*" [0100.804] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*.*") returned 52 [0100.804] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\How To Restore Files.hta" [0100.804] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\int\\how to restore files.hta")) returned 0x1 [0100.804] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ppcrlconfig600.dll id-Br3n0G72wUb8CejT.LyaS") returned -1 [0100.804] lstrlenW (lpString="ppcrlconfig600.dll id-Br3n0G72wUb8CejT.LyaS") returned 43 [0100.804] lstrcmpiW (lpString1=".LyaS", lpString2=".LyaS") returned 0 [0100.804] FindNextFileW (in: hFindFile=0x10805448, lpFindFileData=0x235efd28 | out: lpFindFileData=0x235efd28) returned 0 [0100.804] FindClose (in: hFindFile=0x10805448 | out: hFindFile=0x10805448) returned 1 Thread: id = 550 os_tid = 0xa6c [0098.762] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*", lpFindFileData=0x2372fd28 | out: lpFindFileData=0x2372fd28) returned 0x108054c8 [0098.805] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.805] FindNextFileW (in: hFindFile=0x108054c8, lpFindFileData=0x2372fd28 | out: lpFindFileData=0x2372fd28) returned 1 [0098.805] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.805] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.806] FindNextFileW (in: hFindFile=0x108054c8, lpFindFileData=0x2372fd28 | out: lpFindFileData=0x2372fd28) returned 1 [0100.800] lstrcpyW (in: lpString1=0x211508a0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*" [0100.800] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*") returned 59 [0100.801] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\How To Restore Files.hta" [0100.801] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\production\\how to restore files.hta")) returned 0x1 [0100.801] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="How To Restore Files.hta") returned 0 [0100.801] FindNextFileW (in: hFindFile=0x108054c8, lpFindFileData=0x2372fd28 | out: lpFindFileData=0x2372fd28) returned 1 [0100.801] lstrcpyW (in: lpString1=0x211508a0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*" [0100.801] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*") returned 59 [0100.801] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\How To Restore Files.hta" [0100.801] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\production\\how to restore files.hta")) returned 0x1 [0100.801] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ppcrlconfig600.dll id-Br3n0G72wUb8CejT.LyaS") returned -1 [0100.801] lstrlenW (lpString="ppcrlconfig600.dll id-Br3n0G72wUb8CejT.LyaS") returned 43 [0100.801] lstrcmpiW (lpString1=".LyaS", lpString2=".LyaS") returned 0 [0100.801] FindNextFileW (in: hFindFile=0x108054c8, lpFindFileData=0x2372fd28 | out: lpFindFileData=0x2372fd28) returned 1 [0100.801] lstrcmpW (lpString1=".", lpString2="temp") returned -1 [0100.801] lstrcmpW (lpString1="..", lpString2="temp") returned -1 [0100.801] lstrcmpiW (lpString1="windows", lpString2="temp") returned 1 [0100.801] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*" [0100.801] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*") returned 59 [0100.802] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\", lpString2="temp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp" [0100.802] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\*.*" [0100.802] GlobalMemoryStatus (in: lpBuffer=0x2372fd08 | out: lpBuffer=0x2372fd08) [0100.802] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x214394e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0100.803] CloseHandle (hObject=0x304) returned 1 [0100.803] FindNextFileW (in: hFindFile=0x108054c8, lpFindFileData=0x2372fd28 | out: lpFindFileData=0x2372fd28) returned 0 [0100.803] FindClose (in: hFindFile=0x108054c8 | out: hFindFile=0x108054c8) returned 1 Thread: id = 551 os_tid = 0xa70 [0098.763] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*.*", lpFindFileData=0x2386fd28 | out: lpFindFileData=0x2386fd28) returned 0x5c8dd0 [0100.814] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.814] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x2386fd28 | out: lpFindFileData=0x2386fd28) returned 1 [0100.814] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0100.814] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.814] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x2386fd28 | out: lpFindFileData=0x2386fd28) returned 1 [0100.814] lstrcmpW (lpString1=".", lpString2="ApplicationViewsRootNode") returned -1 [0100.814] lstrcmpW (lpString1="..", lpString2="ApplicationViewsRootNode") returned -1 [0100.814] lstrcmpiW (lpString1="windows", lpString2="ApplicationViewsRootNode") returned 1 [0100.814] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*.*" [0100.814] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*.*") returned 55 [0100.814] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\", lpString2="ApplicationViewsRootNode" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode" [0100.814] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*.*" [0100.814] GlobalMemoryStatus (in: lpBuffer=0x2386fd08 | out: lpBuffer=0x2386fd08) [0100.814] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8f01cc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4c0 [0100.815] CloseHandle (hObject=0x4c0) returned 1 [0100.815] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x2386fd28 | out: lpFindFileData=0x2386fd28) returned 0 [0100.815] FindClose (in: hFindFile=0x5c8dd0 | out: hFindFile=0x5c8dd0) returned 1 Thread: id = 552 os_tid = 0x414 Thread: id = 553 os_tid = 0xc9c Thread: id = 554 os_tid = 0x9ec Thread: id = 555 os_tid = 0x454 Thread: id = 556 os_tid = 0x278 Thread: id = 557 os_tid = 0x368 Thread: id = 558 os_tid = 0x78c Thread: id = 559 os_tid = 0x998 Thread: id = 560 os_tid = 0x7d4 Thread: id = 561 os_tid = 0x710 Thread: id = 562 os_tid = 0xf24 Thread: id = 563 os_tid = 0x8d0 Thread: id = 564 os_tid = 0x3a0 Thread: id = 565 os_tid = 0x87c Thread: id = 566 os_tid = 0x878 Thread: id = 567 os_tid = 0x388 Thread: id = 568 os_tid = 0xcb8 Thread: id = 569 os_tid = 0xb80 Thread: id = 570 os_tid = 0xea8 Thread: id = 571 os_tid = 0xf70 Thread: id = 572 os_tid = 0xf84 Thread: id = 573 os_tid = 0xfc0 Thread: id = 574 os_tid = 0xf80 Thread: id = 575 os_tid = 0xf6c Thread: id = 576 os_tid = 0xba0 Thread: id = 577 os_tid = 0xbb4 Thread: id = 578 os_tid = 0xfd4 Thread: id = 579 os_tid = 0xed8 Thread: id = 580 os_tid = 0xf9c Thread: id = 581 os_tid = 0xe5c Thread: id = 582 os_tid = 0xef4 Thread: id = 583 os_tid = 0xda0 Thread: id = 584 os_tid = 0x718 Thread: id = 585 os_tid = 0x264 Thread: id = 586 os_tid = 0x60c Thread: id = 587 os_tid = 0xf34 Thread: id = 588 os_tid = 0xf3c Thread: id = 589 os_tid = 0xf40 Thread: id = 590 os_tid = 0xf5c Thread: id = 591 os_tid = 0xf60 Thread: id = 592 os_tid = 0xf44 Thread: id = 593 os_tid = 0xf4c Thread: id = 594 os_tid = 0x1004 Thread: id = 595 os_tid = 0x1008 Thread: id = 596 os_tid = 0x100c Thread: id = 597 os_tid = 0x1010 Thread: id = 598 os_tid = 0x1014 Thread: id = 599 os_tid = 0x1018 Thread: id = 600 os_tid = 0x101c Thread: id = 601 os_tid = 0x1020 Thread: id = 602 os_tid = 0x1024 Thread: id = 603 os_tid = 0x1028 Thread: id = 604 os_tid = 0x102c Thread: id = 605 os_tid = 0x1030 Thread: id = 606 os_tid = 0x1034 [0098.839] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\*.*", lpFindFileData=0x27c6fd28) Thread: id = 607 os_tid = 0x1038 [0098.837] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*", lpFindFileData=0x27d6fd28 | out: lpFindFileData=0x27d6fd28) returned 0x10805848 [0098.842] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.842] FindNextFileW (in: hFindFile=0x10805848, lpFindFileData=0x27d6fd28 | out: lpFindFileData=0x27d6fd28) returned 1 [0098.842] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.842] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.842] FindNextFileW (in: hFindFile=0x10805848, lpFindFileData=0x27d6fd28 | out: lpFindFileData=0x27d6fd28) returned 1 [0098.842] lstrcmpW (lpString1=".", lpString2="{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned -1 [0098.842] lstrcmpW (lpString1="..", lpString2="{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned -1 [0098.842] lstrcmpiW (lpString1="windows", lpString2="{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned 1 [0100.776] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*" [0100.776] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*") returned 56 [0100.776] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\", lpString2="{113527a4-45d4-4b6f-b567-97838f1b04b0}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}" [0100.776] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" [0100.776] GlobalMemoryStatus (in: lpBuffer=0x27d6fd08 | out: lpBuffer=0x27d6fd08) [0100.776] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x59c0118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3f0 [0100.777] CloseHandle (hObject=0x3f0) returned 1 [0100.777] FindNextFileW (in: hFindFile=0x10805848, lpFindFileData=0x27d6fd28 | out: lpFindFileData=0x27d6fd28) returned 1 [0100.777] lstrcmpW (lpString1=".", lpString2="{8702d817-5aad-4674-9ef3-4d3decd87120}") returned -1 [0100.777] lstrcmpW (lpString1="..", lpString2="{8702d817-5aad-4674-9ef3-4d3decd87120}") returned -1 [0100.777] lstrcmpiW (lpString1="windows", lpString2="{8702d817-5aad-4674-9ef3-4d3decd87120}") returned 1 [0100.782] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*" [0100.782] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*") returned 56 [0100.782] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\", lpString2="{8702d817-5aad-4674-9ef3-4d3decd87120}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}" [0100.782] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" [0100.782] GlobalMemoryStatus (in: lpBuffer=0x27d6fd08 | out: lpBuffer=0x27d6fd08) [0100.782] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21cab798, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3f0 [0100.783] CloseHandle (hObject=0x3f0) returned 1 [0100.783] FindNextFileW (in: hFindFile=0x10805848, lpFindFileData=0x27d6fd28 | out: lpFindFileData=0x27d6fd28) returned 0 [0100.783] FindClose (in: hFindFile=0x10805848 | out: hFindFile=0x10805848) returned 1 Thread: id = 608 os_tid = 0x103c [0098.834] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*", lpFindFileData=0x27e6fd28 | out: lpFindFileData=0x27e6fd28) returned 0x10805808 [0098.841] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.841] FindNextFileW (in: hFindFile=0x10805808, lpFindFileData=0x27e6fd28 | out: lpFindFileData=0x27e6fd28) returned 1 [0098.841] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.841] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.841] FindNextFileW (in: hFindFile=0x10805808, lpFindFileData=0x27e6fd28 | out: lpFindFileData=0x27e6fd28) returned 1 [0098.841] lstrcmpW (lpString1=".", lpString2="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned -1 [0098.841] lstrcmpW (lpString1="..", lpString2="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned -1 [0098.841] lstrcmpiW (lpString1="windows", lpString2="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned 1 [0100.783] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*" [0100.783] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*") returned 54 [0100.783] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", lpString2="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" [0100.783] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*" [0100.783] GlobalMemoryStatus (in: lpBuffer=0x27e6fd08 | out: lpBuffer=0x27e6fd08) [0100.783] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8d91650, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x350 [0100.784] CloseHandle (hObject=0x350) returned 1 [0100.784] FindNextFileW (in: hFindFile=0x10805808, lpFindFileData=0x27e6fd28 | out: lpFindFileData=0x27e6fd28) returned 1 [0100.784] lstrcmpW (lpString1=".", lpString2="{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned -1 [0100.784] lstrcmpW (lpString1="..", lpString2="{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned -1 [0100.784] lstrcmpiW (lpString1="windows", lpString2="{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned 1 [0100.797] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*" [0100.797] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*") returned 54 [0100.797] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", lpString2="{e35be42d-f742-4d96-a50a-1775fb1a7a42}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}" [0100.797] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*" [0100.797] GlobalMemoryStatus (in: lpBuffer=0x27e6fd08 | out: lpBuffer=0x27e6fd08) [0100.797] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21cc3800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x350 [0100.798] CloseHandle (hObject=0x350) returned 1 [0100.798] FindNextFileW (in: hFindFile=0x10805808, lpFindFileData=0x27e6fd28 | out: lpFindFileData=0x27e6fd28) returned 0 [0100.798] FindClose (in: hFindFile=0x10805808 | out: hFindFile=0x10805808) returned 1 Thread: id = 609 os_tid = 0x1040 [0098.832] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\9D76938C-943D-439F-A135-26D02821EE05\\*.*", lpFindFileData=0x27fafd28) Thread: id = 610 os_tid = 0x1044 [0098.831] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Ink\\HWRCustomization\\*.*", lpFindFileData=0x280efd28 | out: lpFindFileData=0x280efd28) returned 0x10805888 [0098.852] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.852] FindNextFileW (in: hFindFile=0x10805888, lpFindFileData=0x280efd28 | out: lpFindFileData=0x280efd28) returned 1 [0098.853] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.853] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.853] FindNextFileW (in: hFindFile=0x10805888, lpFindFileData=0x280efd28 | out: lpFindFileData=0x280efd28) returned 0 [0098.853] FindClose (in: hFindFile=0x10805888 | out: hFindFile=0x10805888) returned 1 Thread: id = 611 os_tid = 0x1048 [0098.785] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\*.*", lpFindFileData=0x283bfd28 | out: lpFindFileData=0x283bfd28) returned 0x10805808 [0101.068] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.068] FindNextFileW (in: hFindFile=0x10805808, lpFindFileData=0x283bfd28 | out: lpFindFileData=0x283bfd28) returned 1 [0101.068] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.068] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.068] FindNextFileW (in: hFindFile=0x10805808, lpFindFileData=0x283bfd28 | out: lpFindFileData=0x283bfd28) returned 1 [0101.068] lstrcpyW (in: lpString1=0x59b00b8, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\*.*" [0101.069] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\*.*") returned 45 [0101.069] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\How To Restore Files.hta" [0101.069] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\links\\how to restore files.hta")) returned 0xffffffff [0101.069] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\links\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 612 os_tid = 0x104c [0098.786] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\*.*", lpFindFileData=0x284bfd28 | out: lpFindFileData=0x284bfd28) returned 0x5c8dd0 [0100.808] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.808] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x284bfd28 | out: lpFindFileData=0x284bfd28) returned 1 [0100.808] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0100.808] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.808] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x284bfd28 | out: lpFindFileData=0x284bfd28) returned 1 [0100.808] lstrcmpW (lpString1=".", lpString2="Catalog") returned -1 [0100.808] lstrcmpW (lpString1="..", lpString2="Catalog") returned -1 [0100.808] lstrcmpiW (lpString1="windows", lpString2="Catalog") returned 1 [0100.808] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\*.*" [0100.808] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\*.*") returned 55 [0100.808] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\", lpString2="Catalog" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog" [0100.808] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*.*" [0100.808] GlobalMemoryStatus (in: lpBuffer=0x284bfd08 | out: lpBuffer=0x284bfd08) [0100.808] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10c39888, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4c0 [0100.809] CloseHandle (hObject=0x4c0) returned 1 [0100.809] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x284bfd28 | out: lpFindFileData=0x284bfd28) returned 1 [0100.809] lstrcmpW (lpString1=".", lpString2="Integration") returned -1 [0100.809] lstrcmpW (lpString1="..", lpString2="Integration") returned -1 [0100.810] lstrcmpiW (lpString1="windows", lpString2="Integration") returned 1 [0100.810] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\*.*" [0100.810] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\*.*") returned 55 [0100.810] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\", lpString2="Integration" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration" [0100.810] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\*.*" [0100.810] GlobalMemoryStatus (in: lpBuffer=0x284bfd08 | out: lpBuffer=0x284bfd08) [0100.810] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x210a0660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4c0 [0100.811] CloseHandle (hObject=0x4c0) returned 1 [0100.811] FindNextFileW (in: hFindFile=0x5c8dd0, lpFindFileData=0x284bfd28 | out: lpFindFileData=0x284bfd28) returned 0 [0100.811] FindClose (in: hFindFile=0x5c8dd0 | out: hFindFile=0x5c8dd0) returned 1 Thread: id = 613 os_tid = 0x1050 [0098.786] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\*.*", lpFindFileData=0x285ffd28 | out: lpFindFileData=0x285ffd28) returned 0x10805408 [0098.787] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.787] FindNextFileW (in: hFindFile=0x10805408, lpFindFileData=0x285ffd28 | out: lpFindFileData=0x285ffd28) returned 1 [0098.787] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.787] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.787] FindNextFileW (in: hFindFile=0x10805408, lpFindFileData=0x285ffd28 | out: lpFindFileData=0x285ffd28) returned 1 [0098.787] lstrcmpW (lpString1=".", lpString2="46750A92-D768-415D-ABAC-A9B18903B159") returned -1 [0098.787] lstrcmpW (lpString1="..", lpString2="46750A92-D768-415D-ABAC-A9B18903B159") returned -1 [0098.787] lstrcmpiW (lpString1="windows", lpString2="46750A92-D768-415D-ABAC-A9B18903B159") returned 1 [0100.806] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\*.*" [0100.806] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\*.*") returned 59 [0100.806] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\", lpString2="46750A92-D768-415D-ABAC-A9B18903B159" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\46750A92-D768-415D-ABAC-A9B18903B159") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\46750A92-D768-415D-ABAC-A9B18903B159" [0100.806] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\46750A92-D768-415D-ABAC-A9B18903B159", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\46750A92-D768-415D-ABAC-A9B18903B159\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\46750A92-D768-415D-ABAC-A9B18903B159\\*.*" [0100.806] GlobalMemoryStatus (in: lpBuffer=0x285ffd08 | out: lpBuffer=0x285ffd08) [0100.806] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x210885f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4c0 [0100.807] CloseHandle (hObject=0x4c0) returned 1 [0100.807] FindNextFileW (in: hFindFile=0x10805408, lpFindFileData=0x285ffd28 | out: lpFindFileData=0x285ffd28) returned 0 [0100.807] FindClose (in: hFindFile=0x10805408 | out: hFindFile=0x10805408) returned 1 Thread: id = 614 os_tid = 0x1054 [0098.787] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\*.*", lpFindFileData=0x2873fd28) Thread: id = 615 os_tid = 0x1058 [0098.787] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*.*", lpFindFileData=0x2887fd28) Thread: id = 616 os_tid = 0x105c [0098.788] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\*.*", lpFindFileData=0x289bfd28 | out: lpFindFileData=0x289bfd28) returned 0x10805748 [0098.851] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.851] FindNextFileW (in: hFindFile=0x10805748, lpFindFileData=0x289bfd28 | out: lpFindFileData=0x289bfd28) returned 1 [0098.851] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.852] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.852] FindNextFileW (in: hFindFile=0x10805748, lpFindFileData=0x289bfd28 | out: lpFindFileData=0x289bfd28) returned 1 [0098.852] lstrcmpW (lpString1=".", lpString2="CMap") returned -1 [0098.852] lstrcmpW (lpString1="..", lpString2="CMap") returned -1 [0098.852] lstrcmpiW (lpString1="windows", lpString2="CMap") returned 1 [0100.768] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\*.*" [0100.768] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\*.*") returned 63 [0100.768] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\", lpString2="CMap" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\CMap") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\CMap" [0100.768] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\CMap", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\CMap\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\CMap\\*.*" [0100.768] GlobalMemoryStatus (in: lpBuffer=0x289bfd08 | out: lpBuffer=0x289bfd08) [0100.768] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21451550, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x418 [0100.769] CloseHandle (hObject=0x418) returned 1 [0100.769] FindNextFileW (in: hFindFile=0x10805748, lpFindFileData=0x289bfd28 | out: lpFindFileData=0x289bfd28) returned 1 [0100.769] lstrcpyW (in: lpString1=0x21190980, lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\*.*" [0100.769] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\*.*") returned 63 [0100.769] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\How To Restore Files.hta" [0100.769] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\adobe\\acrobat reader dc\\resource\\how to restore files.hta")) returned 0xffffffff [0100.769] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\adobe\\acrobat reader dc\\resource\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0101.438] WriteFile (in: hFile=0x5a0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x289bfcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x289bfcf0*=0x38e, lpOverlapped=0x0) returned 1 [0101.440] CloseHandle (hObject=0x5a0) returned 1 [0101.440] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0101.441] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="ENUtxt.pdf") returned 1 [0101.441] lstrlenW (lpString="ENUtxt.pdf") returned 10 [0101.441] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\*.*" [0101.441] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\*.*") returned 63 [0101.441] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\", lpString2="ENUtxt.pdf" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\ENUtxt.pdf") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\ENUtxt.pdf" [0101.441] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\ENUtxt.pdf" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\ENUtxt.pdf") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\ENUtxt.pdf" [0101.441] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\ENUtxt.pdf", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\ENUtxt.pdf id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\ENUtxt.pdf id-Br3n0G72wUb8CejT.LyaS" [0101.441] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\ENUtxt.pdf" (normalized: "c:\\program files (x86)\\adobe\\acrobat reader dc\\resource\\enutxt.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\ENUtxt.pdf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\adobe\\acrobat reader dc\\resource\\enutxt.pdf id-br3n0g72wub8cejt.lyas")) returned 1 [0101.469] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\ENUtxt.pdf id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files (x86)\\adobe\\acrobat reader dc\\resource\\enutxt.pdf id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d4 [0101.470] CreateFileMappingA (hFile=0x4d4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5a0 [0101.470] CryptAcquireContextA (in: phProv=0x289bfce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x289bfce4*=0x1083cb90) returned 1 [0101.471] CryptGenKey (in: hProv=0x1083cb90, Algid=0x6610, dwFlags=0x1, phKey=0x289bfce0 | out: phKey=0x289bfce0*=0x108055c8) returned 1 [0101.471] CryptExportKey (in: hKey=0x108055c8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x289bfbdc, pdwDataLen=0x289bfcdc | out: pbData=0x289bfbdc*, pdwDataLen=0x289bfcdc*=0x2c) returned 1 [0101.471] MapViewOfFile (hFileMappingObject=0x5a0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1d80) Thread: id = 617 os_tid = 0x1060 [0098.789] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\*.*", lpFindFileData=0x28affd28 | out: lpFindFileData=0x28affd28) returned 0x10805508 [0098.848] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.848] FindNextFileW (in: hFindFile=0x10805508, lpFindFileData=0x28affd28 | out: lpFindFileData=0x28affd28) returned 1 [0098.848] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0098.849] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.849] FindNextFileW (in: hFindFile=0x10805508, lpFindFileData=0x28affd28 | out: lpFindFileData=0x28affd28) returned 1 [0098.849] lstrcmpW (lpString1=".", lpString2="{AC76BA86-7AD7-1033-7B44-AC0F074E4100}") returned -1 [0098.849] lstrcmpW (lpString1="..", lpString2="{AC76BA86-7AD7-1033-7B44-AC0F074E4100}") returned -1 [0098.849] lstrcmpiW (lpString1="windows", lpString2="{AC76BA86-7AD7-1033-7B44-AC0F074E4100}") returned 1 [0100.774] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\*.*" [0100.774] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\*.*") returned 66 [0100.774] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\", lpString2="{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" [0100.774] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\*.*" [0100.774] GlobalMemoryStatus (in: lpBuffer=0x28affd08 | out: lpBuffer=0x28affd08) [0100.774] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10fe6868, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x418 [0100.775] CloseHandle (hObject=0x418) returned 1 [0100.775] FindNextFileW (in: hFindFile=0x10805508, lpFindFileData=0x28affd28 | out: lpFindFileData=0x28affd28) returned 0 [0100.775] FindClose (in: hFindFile=0x10805508 | out: hFindFile=0x10805508) returned 1 Thread: id = 618 os_tid = 0x1064 [0098.789] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppCS\\*.*", lpFindFileData=0x28cbfd28) Thread: id = 619 os_tid = 0x1068 [0098.790] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*", lpFindFileData=0x28e2fd28 | out: lpFindFileData=0x28e2fd28) returned 0x108054c8 [0101.070] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.070] FindNextFileW (in: hFindFile=0x108054c8, lpFindFileData=0x28e2fd28 | out: lpFindFileData=0x28e2fd28) returned 1 [0101.070] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.070] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.070] FindNextFileW (in: hFindFile=0x108054c8, lpFindFileData=0x28e2fd28 | out: lpFindFileData=0x28e2fd28) returned 1 [0101.070] lstrcpyW (in: lpString1=0x59b80c0, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0101.070] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 120 [0101.070] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" [0101.070] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowssoundrecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta")) returned 0xffffffff [0101.070] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowssoundrecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.071] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x28e2fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x28e2fcf0, lpOverlapped=0x0) returned 0 [0101.071] CloseHandle (hObject=0xffffffff) returned 1 [0101.071] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.071] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBundleManifest.xml") returned 1 [0101.071] lstrlenW (lpString="AppxBundleManifest.xml") returned 22 [0101.071] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0101.071] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 120 [0101.071] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\", lpString2="AppxBundleManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" [0101.071] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" [0101.071] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml id-Br3n0G72wUb8CejT.LyaS" [0101.071] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.windowssoundrecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\appxbundlemanifest.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowssoundrecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\appxbundlemanifest.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0101.114] FindNextFileW (in: hFindFile=0x108054c8, lpFindFileData=0x28e2fd28 | out: lpFindFileData=0x28e2fd28) returned 0 [0101.114] FindClose (in: hFindFile=0x108054c8 | out: hFindFile=0x108054c8) returned 1 Thread: id = 620 os_tid = 0x106c [0098.795] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*", lpFindFileData=0x28f6fd28) Thread: id = 621 os_tid = 0x1070 [0098.796] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*", lpFindFileData=0x290afd28 | out: lpFindFileData=0x290afd28) returned 0x10805848 [0101.080] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.080] FindNextFileW (in: hFindFile=0x10805848, lpFindFileData=0x290afd28 | out: lpFindFileData=0x290afd28) returned 1 [0101.080] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.080] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.080] FindNextFileW (in: hFindFile=0x10805848, lpFindFileData=0x290afd28 | out: lpFindFileData=0x290afd28) returned 1 [0101.081] lstrcpyW (in: lpString1=0x59b80c0, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0101.081] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 106 [0101.081] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" [0101.081] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.bingnews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta")) returned 0xffffffff [0101.081] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.bingnews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.081] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x290afcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x290afcf0, lpOverlapped=0x0) returned 0 [0101.081] CloseHandle (hObject=0xffffffff) returned 1 [0101.081] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.082] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBundleManifest.xml") returned 1 [0101.082] lstrlenW (lpString="AppxBundleManifest.xml") returned 22 [0101.082] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0101.082] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 106 [0101.082] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\", lpString2="AppxBundleManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" [0101.082] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" [0101.082] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml id-Br3n0G72wUb8CejT.LyaS" [0101.082] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.bingnews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\appxbundlemanifest.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.bingnews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\appxbundlemanifest.xml id-br3n0g72wub8cejt.lyas")) Thread: id = 622 os_tid = 0x1074 [0098.797] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*", lpFindFileData=0x291efd28 | out: lpFindFileData=0x291efd28) returned 0x10805508 [0101.073] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.073] FindNextFileW (in: hFindFile=0x10805508, lpFindFileData=0x291efd28 | out: lpFindFileData=0x291efd28) returned 1 [0101.073] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.073] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.073] FindNextFileW (in: hFindFile=0x10805508, lpFindFileData=0x291efd28 | out: lpFindFileData=0x291efd28) returned 1 [0101.074] lstrcpyW (in: lpString1=0x59b80c0, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0101.074] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 108 [0101.074] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" [0101.074] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta")) returned 0xffffffff [0101.074] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.075] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x291efcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x291efcf0, lpOverlapped=0x0) returned 0 [0101.075] CloseHandle (hObject=0xffffffff) returned 1 [0101.075] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.075] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBundleManifest.xml") returned 1 [0101.075] lstrlenW (lpString="AppxBundleManifest.xml") returned 22 [0101.075] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0101.075] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 108 [0101.075] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\", lpString2="AppxBundleManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" [0101.075] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" [0101.075] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml id-Br3n0G72wUb8CejT.LyaS" [0101.075] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\appxbundlemanifest.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.zunevideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\appxbundlemanifest.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0101.101] FindNextFileW (in: hFindFile=0x10805508, lpFindFileData=0x291efd28 | out: lpFindFileData=0x291efd28) returned 0 [0101.102] FindClose (in: hFindFile=0x10805508 | out: hFindFile=0x10805508) returned 1 Thread: id = 623 os_tid = 0x1078 [0098.800] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*", lpFindFileData=0x2932fd28) Thread: id = 624 os_tid = 0x107c [0098.801] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*", lpFindFileData=0x2946fd28) Thread: id = 625 os_tid = 0x1080 [0098.802] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\8C296B8E-6699-457C-9415-3D0647E1D775\\en-us.16\\*.*", lpFindFileData=0x295afd28) Thread: id = 626 os_tid = 0x108c [0098.998] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*", lpFindFileData=0x297afd28 | out: lpFindFileData=0x297afd28) returned 0x108052c8 [0101.090] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.091] FindNextFileW (in: hFindFile=0x108052c8, lpFindFileData=0x297afd28 | out: lpFindFileData=0x297afd28) returned 1 [0101.091] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.091] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.091] FindNextFileW (in: hFindFile=0x108052c8, lpFindFileData=0x297afd28 | out: lpFindFileData=0x297afd28) returned 1 [0101.091] lstrcpyW (in: lpString1=0x59b80c0, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0101.091] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 108 [0101.091] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" [0101.091] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunemusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta")) returned 0xffffffff [0101.091] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.zunemusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.091] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x297afcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x297afcf0, lpOverlapped=0x0) returned 0 [0101.092] CloseHandle (hObject=0xffffffff) returned 1 [0101.092] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.092] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBundleManifest.xml") returned 1 [0101.092] lstrlenW (lpString="AppxBundleManifest.xml") returned 22 [0101.092] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0101.092] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 108 [0101.092] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\", lpString2="AppxBundleManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" [0101.092] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" [0101.092] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml id-Br3n0G72wUb8CejT.LyaS" [0101.092] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.zunemusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\appxbundlemanifest.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.zunemusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\appxbundlemanifest.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0101.103] FindNextFileW (in: hFindFile=0x108052c8, lpFindFileData=0x297afd28 | out: lpFindFileData=0x297afd28) returned 0 [0101.103] FindClose (in: hFindFile=0x108052c8 | out: hFindFile=0x108052c8) returned 1 Thread: id = 627 os_tid = 0x1090 [0099.000] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*", lpFindFileData=0x298afd28 | out: lpFindFileData=0x298afd28) returned 0x10805888 [0101.083] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.083] FindNextFileW (in: hFindFile=0x10805888, lpFindFileData=0x298afd28 | out: lpFindFileData=0x298afd28) returned 1 [0101.083] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.083] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.083] FindNextFileW (in: hFindFile=0x10805888, lpFindFileData=0x298afd28 | out: lpFindFileData=0x298afd28) returned 1 [0101.083] lstrcpyW (in: lpString1=0x59b80c0, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0101.083] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 114 [0101.083] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" [0101.083] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta")) returned 0xffffffff [0101.083] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.084] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x298afcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x298afcf0, lpOverlapped=0x0) returned 0 [0101.084] CloseHandle (hObject=0xffffffff) returned 1 [0101.084] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.084] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBundleManifest.xml") returned 1 [0101.084] lstrlenW (lpString="AppxBundleManifest.xml") returned 22 [0101.084] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0101.084] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 114 [0101.084] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\", lpString2="AppxBundleManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" [0101.085] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" [0101.085] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml id-Br3n0G72wUb8CejT.LyaS" [0101.085] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\appxbundlemanifest.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\appxbundlemanifest.xml id-br3n0g72wub8cejt.lyas")) Thread: id = 628 os_tid = 0x1094 [0099.001] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*", lpFindFileData=0x299afd28) Thread: id = 629 os_tid = 0x1098 [0099.002] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*", lpFindFileData=0x29aefd28 | out: lpFindFileData=0x29aefd28) returned 0x10805908 [0101.087] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.087] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x29aefd28 | out: lpFindFileData=0x29aefd28) returned 1 [0101.088] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.088] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.088] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x29aefd28 | out: lpFindFileData=0x29aefd28) returned 1 [0101.088] lstrcpyW (in: lpString1=0x59b80c0, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0101.088] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 109 [0101.088] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" [0101.088] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.bingfinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta")) returned 0xffffffff [0101.088] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.bingfinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.089] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x29aefcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29aefcf0, lpOverlapped=0x0) returned 0 [0101.089] CloseHandle (hObject=0xffffffff) returned 1 [0101.089] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.089] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBundleManifest.xml") returned 1 [0101.089] lstrlenW (lpString="AppxBundleManifest.xml") returned 22 [0101.089] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0101.089] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 109 [0101.089] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\", lpString2="AppxBundleManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" [0101.089] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" [0101.089] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml id-Br3n0G72wUb8CejT.LyaS" [0101.089] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.bingfinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\appxbundlemanifest.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.bingfinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\appxbundlemanifest.xml id-br3n0g72wub8cejt.lyas")) returned 0 [0101.126] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x29aefd28 | out: lpFindFileData=0x29aefd28) returned 0 [0101.126] FindClose (in: hFindFile=0x10805908 | out: hFindFile=0x10805908) returned 1 Thread: id = 630 os_tid = 0x109c [0099.004] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\AppxMetadata\\*.*", lpFindFileData=0x29c2fd28) Thread: id = 631 os_tid = 0x10a0 [0099.006] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\\microsoft.system.package.metadata\\*.*", lpFindFileData=0x29d6fd28) Thread: id = 632 os_tid = 0x10a4 [0099.007] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*", lpFindFileData=0x29eafd28) Thread: id = 633 os_tid = 0x10a8 [0099.012] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*", lpFindFileData=0x29fefd28) Thread: id = 634 os_tid = 0x10ac [0099.017] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*", lpFindFileData=0x2a12fd28 | out: lpFindFileData=0x2a12fd28) returned 0x5c8e10 [0100.981] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.981] FindNextFileW (in: hFindFile=0x5c8e10, lpFindFileData=0x2a12fd28 | out: lpFindFileData=0x2a12fd28) returned 1 [0100.981] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0100.981] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.981] FindNextFileW (in: hFindFile=0x5c8e10, lpFindFileData=0x2a12fd28 | out: lpFindFileData=0x2a12fd28) returned 1 [0100.981] lstrcpyW (in: lpString1=0x1b020388, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*" [0100.981] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 112 [0100.981] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" [0100.981] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta")) returned 0xffffffff [0100.981] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0100.982] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x2a12fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2a12fcf0, lpOverlapped=0x0) returned 0 [0100.982] CloseHandle (hObject=0xffffffff) returned 1 [0100.982] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0100.982] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="CodeIntegrity.cat") returned 1 [0100.982] lstrlenW (lpString="CodeIntegrity.cat") returned 17 [0100.982] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*" [0100.982] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 112 [0100.982] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\", lpString2="CodeIntegrity.cat" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat" [0100.982] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat" [0100.982] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat id-Br3n0G72wUb8CejT.LyaS" [0100.982] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\appxmetadata\\codeintegrity.cat"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\appxmetadata\\codeintegrity.cat id-br3n0g72wub8cejt.lyas")) returned 0 [0101.156] FindNextFileW (in: hFindFile=0x5c8e10, lpFindFileData=0x2a12fd28 | out: lpFindFileData=0x2a12fd28) returned 0 [0101.156] FindClose (in: hFindFile=0x5c8e10 | out: hFindFile=0x5c8e10) returned 1 Thread: id = 635 os_tid = 0x10b0 [0099.019] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\\Assets\\*.*", lpFindFileData=0x2a26fd28) Thread: id = 636 os_tid = 0x10b4 [0099.023] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*", lpFindFileData=0x2a3afd28) Thread: id = 637 os_tid = 0x10b8 [0099.028] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*", lpFindFileData=0x2a4efd28) Thread: id = 638 os_tid = 0x10bc [0099.029] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*", lpFindFileData=0x2a62fd28) Thread: id = 639 os_tid = 0x10c0 [0099.030] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*", lpFindFileData=0x2a76fd28 | out: lpFindFileData=0x2a76fd28) returned 0x5c8f50 [0101.025] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.025] FindNextFileW (in: hFindFile=0x5c8f50, lpFindFileData=0x2a76fd28 | out: lpFindFileData=0x2a76fd28) returned 1 [0101.025] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.025] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.025] FindNextFileW (in: hFindFile=0x5c8f50, lpFindFileData=0x2a76fd28 | out: lpFindFileData=0x2a76fd28) returned 0 [0101.025] FindClose (in: hFindFile=0x5c8f50 | out: hFindFile=0x5c8f50) returned 1 Thread: id = 640 os_tid = 0x10c4 [0099.031] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*", lpFindFileData=0x2a8afd28) Thread: id = 641 os_tid = 0x10c8 [0099.033] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*", lpFindFileData=0x2a9efd28) Thread: id = 642 os_tid = 0x10cc [0099.034] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*", lpFindFileData=0x2ab2fd28 | out: lpFindFileData=0x2ab2fd28) returned 0x10805308 [0101.096] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.096] FindNextFileW (in: hFindFile=0x10805308, lpFindFileData=0x2ab2fd28 | out: lpFindFileData=0x2ab2fd28) returned 1 [0101.096] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.096] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.096] FindNextFileW (in: hFindFile=0x10805308, lpFindFileData=0x2ab2fd28 | out: lpFindFileData=0x2ab2fd28) returned 1 [0101.096] lstrcpyW (in: lpString1=0x59b80c0, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0101.096] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 109 [0101.096] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" [0101.096] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.3dbuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta")) returned 0xffffffff [0101.096] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.3dbuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.097] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x2ab2fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2ab2fcf0, lpOverlapped=0x0) returned 0 [0101.097] CloseHandle (hObject=0xffffffff) returned 1 [0101.097] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.097] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="AppxBundleManifest.xml") returned 1 [0101.097] lstrlenW (lpString="AppxBundleManifest.xml") returned 22 [0101.097] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*" [0101.097] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 109 [0101.097] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\", lpString2="AppxBundleManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" [0101.097] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" [0101.097] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml id-Br3n0G72wUb8CejT.LyaS" [0101.097] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml" (normalized: "c:\\program files\\windowsapps\\microsoft.3dbuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\appxbundlemanifest.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\AppxBundleManifest.xml id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.3dbuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\appxmetadata\\appxbundlemanifest.xml id-br3n0g72wub8cejt.lyas")) Thread: id = 643 os_tid = 0x10d0 [0099.035] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\*.*", lpFindFileData=0x2ac6fd28 | out: lpFindFileData=0x2ac6fd28) returned 0x10805308 [0101.093] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.093] FindNextFileW (in: hFindFile=0x10805308, lpFindFileData=0x2ac6fd28 | out: lpFindFileData=0x2ac6fd28) returned 1 [0101.093] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.093] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.093] FindNextFileW (in: hFindFile=0x10805308, lpFindFileData=0x2ac6fd28 | out: lpFindFileData=0x2ac6fd28) returned 1 [0101.093] lstrcpyW (in: lpString1=0x59b80c0, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\*.*" [0101.093] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 105 [0101.093] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" [0101.093] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta")) returned 0xffffffff [0101.093] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.094] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x2ac6fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2ac6fcf0, lpOverlapped=0x0) returned 0 [0101.094] CloseHandle (hObject=0xffffffff) returned 1 [0101.094] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.094] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="CodeIntegrity.cat") returned 1 [0101.094] lstrlenW (lpString="CodeIntegrity.cat") returned 17 [0101.094] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\*.*" [0101.094] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 105 [0101.094] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\", lpString2="CodeIntegrity.cat" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat" [0101.094] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat" [0101.094] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat id-Br3n0G72wUb8CejT.LyaS" [0101.094] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\appxmetadata\\codeintegrity.cat"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\appxmetadata\\codeintegrity.cat id-br3n0g72wub8cejt.lyas")) returned 0 [0101.095] FindNextFileW (in: hFindFile=0x10805308, lpFindFileData=0x2ac6fd28 | out: lpFindFileData=0x2ac6fd28) returned 0 [0101.095] FindClose (in: hFindFile=0x10805308 | out: hFindFile=0x10805308) returned 1 Thread: id = 644 os_tid = 0x10d4 [0099.038] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\Assets\\*.*", lpFindFileData=0x2adafd28) Thread: id = 645 os_tid = 0x10d8 [0099.040] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*", lpFindFileData=0x2aeefd28 | out: lpFindFileData=0x2aeefd28) returned 0x5c8f50 [0101.026] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.026] FindNextFileW (in: hFindFile=0x5c8f50, lpFindFileData=0x2aeefd28 | out: lpFindFileData=0x2aeefd28) returned 1 [0101.026] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.026] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.026] FindNextFileW (in: hFindFile=0x5c8f50, lpFindFileData=0x2aeefd28 | out: lpFindFileData=0x2aeefd28) returned 0 [0101.026] FindClose (in: hFindFile=0x5c8f50 | out: hFindFile=0x5c8f50) returned 1 Thread: id = 646 os_tid = 0x10dc [0099.042] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*", lpFindFileData=0x2b02fd28 | out: lpFindFileData=0x2b02fd28) returned 0x10805408 [0101.098] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.098] FindNextFileW (in: hFindFile=0x10805408, lpFindFileData=0x2b02fd28 | out: lpFindFileData=0x2b02fd28) returned 1 [0101.098] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.098] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.098] FindNextFileW (in: hFindFile=0x10805408, lpFindFileData=0x2b02fd28 | out: lpFindFileData=0x2b02fd28) returned 1 [0101.098] lstrcpyW (in: lpString1=0x59b80c0, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*" [0101.098] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 105 [0101.098] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" [0101.098] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta")) returned 0xffffffff [0101.099] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.099] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x2b02fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2b02fcf0, lpOverlapped=0x0) returned 0 [0101.099] CloseHandle (hObject=0xffffffff) returned 1 [0101.099] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.100] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="CodeIntegrity.cat") returned 1 [0101.100] lstrlenW (lpString="CodeIntegrity.cat") returned 17 [0101.100] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*" [0101.100] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 105 [0101.100] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\", lpString2="CodeIntegrity.cat" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat" [0101.100] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat" [0101.100] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat id-Br3n0G72wUb8CejT.LyaS" [0101.100] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\appxmetadata\\codeintegrity.cat"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\appxmetadata\\codeintegrity.cat id-br3n0g72wub8cejt.lyas")) returned 0 [0101.100] FindNextFileW (in: hFindFile=0x10805408, lpFindFileData=0x2b02fd28 | out: lpFindFileData=0x2b02fd28) returned 0 [0101.100] FindClose (in: hFindFile=0x10805408 | out: hFindFile=0x10805408) returned 1 Thread: id = 647 os_tid = 0x10e0 [0099.044] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*", lpFindFileData=0x2b16fd28 | out: lpFindFileData=0x2b16fd28) returned 0x2c9e308 [0099.206] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.206] FindNextFileW (in: hFindFile=0x2c9e308, lpFindFileData=0x2b16fd28 | out: lpFindFileData=0x2b16fd28) returned 1 [0099.206] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.206] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.206] FindNextFileW (in: hFindFile=0x2c9e308, lpFindFileData=0x2b16fd28 | out: lpFindFileData=0x2b16fd28) returned 1 [0099.363] lstrcpyW (in: lpString1=0x219fadb8, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*" [0099.363] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 104 [0099.363] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" [0099.363] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta")) returned 0xffffffff [0099.363] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0099.364] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x2b16fcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2b16fcf0, lpOverlapped=0x0) returned 0 [0099.364] CloseHandle (hObject=0xffffffff) returned 1 [0099.364] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0099.364] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="CodeIntegrity.cat") returned 1 [0099.364] lstrlenW (lpString="CodeIntegrity.cat") returned 17 [0099.364] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*" [0099.365] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 104 [0099.365] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\", lpString2="CodeIntegrity.cat" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat" [0099.365] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat" [0099.365] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat id-Br3n0G72wUb8CejT.LyaS" [0099.365] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\appxmetadata\\codeintegrity.cat"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscamera_5.38.3003.0_x64__8wekyb3d8bbwe\\appxmetadata\\codeintegrity.cat id-br3n0g72wub8cejt.lyas")) returned 0 [0099.419] FindNextFileW (in: hFindFile=0x2c9e308, lpFindFileData=0x2b16fd28 | out: lpFindFileData=0x2b16fd28) returned 0 [0099.419] FindClose (in: hFindFile=0x2c9e308 | out: hFindFile=0x2c9e308) returned 1 Thread: id = 648 os_tid = 0x10e4 [0099.045] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*", lpFindFileData=0x2b2afd28 | out: lpFindFileData=0x2b2afd28) returned 0x2c9ea48 [0099.045] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.045] FindNextFileW (in: hFindFile=0x2c9ea48, lpFindFileData=0x2b2afd28 | out: lpFindFileData=0x2b2afd28) returned 1 [0099.045] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.045] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.045] FindNextFileW (in: hFindFile=0x2c9ea48, lpFindFileData=0x2b2afd28 | out: lpFindFileData=0x2b2afd28) returned 1 [0099.045] lstrcmpW (lpString1=".", lpString2="CaptureButton") returned -1 [0099.045] lstrcmpW (lpString1="..", lpString2="CaptureButton") returned -1 [0099.046] lstrcmpiW (lpString1="windows", lpString2="CaptureButton") returned 1 [0100.697] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*" [0100.697] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned 98 [0100.697] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\", lpString2="CaptureButton" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\CaptureButton") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\CaptureButton" [0100.697] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\CaptureButton", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\CaptureButton\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\CaptureButton\\*.*" [0100.697] GlobalMemoryStatus (in: lpBuffer=0x2b2afd08 | out: lpBuffer=0x2b2afd08) [0100.697] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21bd33f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x66c [0100.698] CloseHandle (hObject=0x66c) returned 1 [0100.698] FindNextFileW (in: hFindFile=0x2c9ea48, lpFindFileData=0x2b2afd28 | out: lpFindFileData=0x2b2afd28) returned 1 [0100.699] lstrcmpW (lpString1=".", lpString2="EnsoUI") returned -1 [0100.699] lstrcmpW (lpString1="..", lpString2="EnsoUI") returned -1 [0100.699] lstrcmpiW (lpString1="windows", lpString2="EnsoUI") returned 1 [0100.703] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*" [0100.703] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned 98 [0100.703] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\", lpString2="EnsoUI" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\EnsoUI") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\EnsoUI" [0100.703] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\EnsoUI", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\EnsoUI\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\EnsoUI\\*.*" [0100.703] GlobalMemoryStatus (in: lpBuffer=0x2b2afd08 | out: lpBuffer=0x2b2afd08) [0100.704] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21beb458, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x66c [0100.704] CloseHandle (hObject=0x66c) returned 1 [0100.704] FindNextFileW (in: hFindFile=0x2c9ea48, lpFindFileData=0x2b2afd28 | out: lpFindFileData=0x2b2afd28) returned 1 [0100.705] lstrcmpW (lpString1=".", lpString2="Icons") returned -1 [0100.705] lstrcmpW (lpString1="..", lpString2="Icons") returned -1 [0100.705] lstrcmpiW (lpString1="windows", lpString2="Icons") returned 1 [0100.709] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*" [0100.709] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned 98 [0100.709] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\", lpString2="Icons" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\Icons") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\Icons" [0100.709] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\Icons", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\Icons\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\Icons\\*.*" [0100.709] GlobalMemoryStatus (in: lpBuffer=0x2b2afd08 | out: lpBuffer=0x2b2afd08) [0100.709] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21c034c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x66c [0100.710] CloseHandle (hObject=0x66c) returned 1 [0100.716] FindNextFileW (in: hFindFile=0x2c9ea48, lpFindFileData=0x2b2afd28 | out: lpFindFileData=0x2b2afd28) returned 1 [0100.717] lstrcmpW (lpString1=".", lpString2="Lenses") returned -1 [0100.717] lstrcmpW (lpString1="..", lpString2="Lenses") returned -1 [0100.717] lstrcmpiW (lpString1="windows", lpString2="Lenses") returned 1 [0100.721] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*" [0100.721] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned 98 [0100.721] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\", lpString2="Lenses" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\Lenses") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\Lenses" [0100.721] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\Lenses", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\Lenses\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\Lenses\\*.*" [0100.721] GlobalMemoryStatus (in: lpBuffer=0x2b2afd08 | out: lpBuffer=0x2b2afd08) [0100.722] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21c1b528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x66c [0100.722] CloseHandle (hObject=0x66c) returned 1 [0100.723] FindNextFileW (in: hFindFile=0x2c9ea48, lpFindFileData=0x2b2afd28 | out: lpFindFileData=0x2b2afd28) returned 1 [0100.723] lstrcmpW (lpString1=".", lpString2="Sounds") returned -1 [0100.723] lstrcmpW (lpString1="..", lpString2="Sounds") returned -1 [0100.723] lstrcmpiW (lpString1="windows", lpString2="Sounds") returned 1 [0100.727] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*" [0100.727] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned 98 [0100.727] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\", lpString2="Sounds" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\Sounds") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\Sounds" [0100.727] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\Sounds", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\Sounds\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\Sounds\\*.*" [0100.727] GlobalMemoryStatus (in: lpBuffer=0x2b2afd08 | out: lpBuffer=0x2b2afd08) [0100.727] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21c33590, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x66c [0100.728] CloseHandle (hObject=0x66c) returned 1 [0100.728] FindNextFileW (in: hFindFile=0x2c9ea48, lpFindFileData=0x2b2afd28 | out: lpFindFileData=0x2b2afd28) returned 1 [0100.728] lstrcmpW (lpString1=".", lpString2="ViewFinder") returned -1 [0100.728] lstrcmpW (lpString1="..", lpString2="ViewFinder") returned -1 [0100.729] lstrcmpiW (lpString1="windows", lpString2="ViewFinder") returned 1 [0100.733] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*" [0100.733] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned 98 [0100.733] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\", lpString2="ViewFinder" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\ViewFinder") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\ViewFinder" [0100.733] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\ViewFinder", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\ViewFinder\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\ViewFinder\\*.*" [0100.733] GlobalMemoryStatus (in: lpBuffer=0x2b2afd08 | out: lpBuffer=0x2b2afd08) [0100.733] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21c4b5f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x66c [0100.734] CloseHandle (hObject=0x66c) returned 1 [0100.734] FindNextFileW (in: hFindFile=0x2c9ea48, lpFindFileData=0x2b2afd28 | out: lpFindFileData=0x2b2afd28) returned 1 [0100.734] lstrcmpW (lpString1=".", lpString2="VoiceCommands") returned -1 [0100.734] lstrcmpW (lpString1="..", lpString2="VoiceCommands") returned -1 [0100.734] lstrcmpiW (lpString1="windows", lpString2="VoiceCommands") returned 1 [0100.738] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*" [0100.738] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned 98 [0100.738] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\", lpString2="VoiceCommands" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\VoiceCommands") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\VoiceCommands" [0100.738] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\VoiceCommands", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\VoiceCommands\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\VoiceCommands\\*.*" [0100.738] GlobalMemoryStatus (in: lpBuffer=0x2b2afd08 | out: lpBuffer=0x2b2afd08) [0100.738] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21c63660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x66c [0100.739] CloseHandle (hObject=0x66c) returned 1 [0100.739] FindNextFileW (in: hFindFile=0x2c9ea48, lpFindFileData=0x2b2afd28 | out: lpFindFileData=0x2b2afd28) returned 1 [0100.739] lstrcmpW (lpString1=".", lpString2="WindowsIcons") returned -1 [0100.739] lstrcmpW (lpString1="..", lpString2="WindowsIcons") returned -1 [0100.739] lstrcmpiW (lpString1="windows", lpString2="WindowsIcons") returned -1 [0100.743] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*" [0100.743] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned 98 [0100.743] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\", lpString2="WindowsIcons" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\WindowsIcons") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\WindowsIcons" [0100.743] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\WindowsIcons", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\WindowsIcons\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\Assets\\WindowsIcons\\*.*" [0100.743] GlobalMemoryStatus (in: lpBuffer=0x2b2afd08 | out: lpBuffer=0x2b2afd08) [0100.743] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21c7b6c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x66c [0100.744] CloseHandle (hObject=0x66c) returned 1 [0100.745] FindNextFileW (in: hFindFile=0x2c9ea48, lpFindFileData=0x2b2afd28 | out: lpFindFileData=0x2b2afd28) returned 0 [0100.745] FindClose (in: hFindFile=0x2c9ea48 | out: hFindFile=0x2c9ea48) returned 1 Thread: id = 649 os_tid = 0x10e8 [0099.047] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\*.*", lpFindFileData=0x2b3efd28 | out: lpFindFileData=0x2b3efd28) returned 0x108052c8 [0101.111] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.111] FindNextFileW (in: hFindFile=0x108052c8, lpFindFileData=0x2b3efd28 | out: lpFindFileData=0x2b3efd28) returned 1 [0101.111] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.111] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.111] FindNextFileW (in: hFindFile=0x108052c8, lpFindFileData=0x2b3efd28 | out: lpFindFileData=0x2b3efd28) returned 1 [0101.112] lstrcpyW (in: lpString1=0x8a60938, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\*.*" [0101.112] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 105 [0101.112] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" [0101.112] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta")) returned 0xffffffff [0101.112] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.112] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x2b3efcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2b3efcf0, lpOverlapped=0x0) returned 0 [0101.112] CloseHandle (hObject=0xffffffff) returned 1 [0101.112] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.113] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="CodeIntegrity.cat") returned 1 [0101.113] lstrlenW (lpString="CodeIntegrity.cat") returned 17 [0101.113] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\*.*" [0101.113] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 105 [0101.113] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\", lpString2="CodeIntegrity.cat" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat" [0101.113] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat" [0101.113] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat id-Br3n0G72wUb8CejT.LyaS" [0101.113] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\appxmetadata\\codeintegrity.cat"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\AppxMetadata\\CodeIntegrity.cat id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.vclibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\appxmetadata\\codeintegrity.cat id-br3n0g72wub8cejt.lyas")) returned 0 [0101.113] FindNextFileW (in: hFindFile=0x108052c8, lpFindFileData=0x2b3efd28 | out: lpFindFileData=0x2b3efd28) returned 0 [0101.114] FindClose (in: hFindFile=0x108052c8 | out: hFindFile=0x108052c8) returned 1 Thread: id = 650 os_tid = 0x10ec [0099.053] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\AppxMetadata\\*.*", lpFindFileData=0x2b52fd28) Thread: id = 651 os_tid = 0x10f0 [0099.055] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype\\*.*", lpFindFileData=0x2b66fd28 | out: lpFindFileData=0x2b66fd28) returned 0x108054c8 [0101.123] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.123] FindNextFileW (in: hFindFile=0x108054c8, lpFindFileData=0x2b66fd28 | out: lpFindFileData=0x2b66fd28) returned 1 [0101.124] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.124] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.124] FindNextFileW (in: hFindFile=0x108054c8, lpFindFileData=0x2b66fd28 | out: lpFindFileData=0x2b66fd28) returned 1 [0101.124] lstrcmpW (lpString1=".", lpString2="Assets") returned -1 [0101.124] lstrcmpW (lpString1="..", lpString2="Assets") returned -1 [0101.124] lstrcmpiW (lpString1="windows", lpString2="Assets") returned 1 [0101.124] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype\\*.*" [0101.124] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype\\*.*") returned 91 [0101.124] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype\\", lpString2="Assets" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype\\Assets") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype\\Assets" [0101.124] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype\\Assets", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype\\Assets\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\GetSkype\\Assets\\*.*" [0101.124] GlobalMemoryStatus (in: lpBuffer=0x2b66fd08 | out: lpBuffer=0x2b66fd08) [0101.124] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8a00798, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x468 [0101.125] CloseHandle (hObject=0x468) returned 1 [0101.125] FindNextFileW (in: hFindFile=0x108054c8, lpFindFileData=0x2b66fd28 | out: lpFindFileData=0x2b66fd28) returned 0 [0101.125] FindClose (in: hFindFile=0x108054c8 | out: hFindFile=0x108054c8) returned 1 Thread: id = 652 os_tid = 0x10f4 [0099.057] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\*.*", lpFindFileData=0x2b7afd28 | out: lpFindFileData=0x2b7afd28) returned 0x2c9e3c8 [0099.209] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.209] FindNextFileW (in: hFindFile=0x2c9e3c8, lpFindFileData=0x2b7afd28 | out: lpFindFileData=0x2b7afd28) returned 1 [0099.209] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.209] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.209] FindNextFileW (in: hFindFile=0x2c9e3c8, lpFindFileData=0x2b7afd28 | out: lpFindFileData=0x2b7afd28) returned 1 [0099.263] lstrcpyW (in: lpString1=0x5b28730, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\*.*" [0099.263] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\*.*") returned 54 [0099.263] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\How To Restore Files.hta" [0099.263] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\how to restore files.hta")) returned 0xffffffff [0099.264] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 653 os_tid = 0x10f8 [0099.058] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\*.*", lpFindFileData=0x2b8efd28 | out: lpFindFileData=0x2b8efd28) returned 0x2c9ea88 [0099.200] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.200] FindNextFileW (in: hFindFile=0x2c9ea88, lpFindFileData=0x2b8efd28 | out: lpFindFileData=0x2b8efd28) returned 1 [0099.200] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.200] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.200] FindNextFileW (in: hFindFile=0x2c9ea88, lpFindFileData=0x2b8efd28 | out: lpFindFileData=0x2b8efd28) returned 1 [0099.493] lstrcpyW (in: lpString1=0x21a9b038, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\*.*" [0099.493] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\*.*") returned 64 [0099.493] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\How To Restore Files.hta" [0099.493] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\how to restore files.hta")) returned 0xffffffff [0099.494] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 654 os_tid = 0x10fc [0099.059] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\*.*", lpFindFileData=0x2ba2fd28 | out: lpFindFileData=0x2ba2fd28) returned 0x2c9e808 [0099.489] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.489] FindNextFileW (in: hFindFile=0x2c9e808, lpFindFileData=0x2ba2fd28 | out: lpFindFileData=0x2ba2fd28) returned 1 [0099.489] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.489] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.489] FindNextFileW (in: hFindFile=0x2c9e808, lpFindFileData=0x2ba2fd28 | out: lpFindFileData=0x2ba2fd28) returned 1 [0099.489] lstrcpyW (in: lpString1=0x210805f0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\*.*" [0099.489] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\*.*") returned 64 [0099.489] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\How To Restore Files.hta" [0099.489] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\how to restore files.hta")) returned 0xffffffff [0099.489] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 655 os_tid = 0x1100 [0099.059] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\*.*", lpFindFileData=0x2bb6fd28 | out: lpFindFileData=0x2bb6fd28) returned 0x2c9e7c8 [0099.488] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.488] FindNextFileW (in: hFindFile=0x2c9e7c8, lpFindFileData=0x2bb6fd28 | out: lpFindFileData=0x2bb6fd28) returned 1 [0099.488] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.488] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.488] FindNextFileW (in: hFindFile=0x2c9e7c8, lpFindFileData=0x2bb6fd28 | out: lpFindFileData=0x2bb6fd28) returned 1 [0099.488] lstrcpyW (in: lpString1=0x210785e8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\*.*" [0099.488] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\*.*") returned 64 [0099.488] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\How To Restore Files.hta" [0099.488] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\how to restore files.hta")) returned 0xffffffff [0099.488] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 656 os_tid = 0x1104 [0099.060] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\*.*", lpFindFileData=0x2bcafd28 | out: lpFindFileData=0x2bcafd28) returned 0x2c9e5c8 [0099.444] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.445] FindNextFileW (in: hFindFile=0x2c9e5c8, lpFindFileData=0x2bcafd28 | out: lpFindFileData=0x2bcafd28) returned 1 [0099.445] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.445] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.445] FindNextFileW (in: hFindFile=0x2c9e5c8, lpFindFileData=0x2bcafd28 | out: lpFindFileData=0x2bcafd28) returned 1 [0099.472] lstrcpyW (in: lpString1=0x3f20850, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\*.*" [0099.472] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\*.*") returned 64 [0099.477] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\How To Restore Files.hta" [0099.478] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\how to restore files.hta")) returned 0xffffffff [0099.484] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 657 os_tid = 0x1108 [0099.060] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\*.*", lpFindFileData=0x2bdefd28 | out: lpFindFileData=0x2bdefd28) returned 0x2c9e6c8 [0099.485] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.485] FindNextFileW (in: hFindFile=0x2c9e6c8, lpFindFileData=0x2bdefd28 | out: lpFindFileData=0x2bdefd28) returned 1 [0099.485] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.485] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.485] FindNextFileW (in: hFindFile=0x2c9e6c8, lpFindFileData=0x2bdefd28 | out: lpFindFileData=0x2bdefd28) returned 1 [0099.485] lstrcpyW (in: lpString1=0x3f28858, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\*.*" [0099.485] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\*.*") returned 64 [0099.485] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\How To Restore Files.hta" [0099.485] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\how to restore files.hta")) returned 0xffffffff [0099.485] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 658 os_tid = 0x110c [0099.061] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\*.*", lpFindFileData=0x2bf2fd28 | out: lpFindFileData=0x2bf2fd28) returned 0x2c9e748 [0099.486] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.486] FindNextFileW (in: hFindFile=0x2c9e748, lpFindFileData=0x2bf2fd28 | out: lpFindFileData=0x2bf2fd28) returned 1 [0099.486] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.486] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.486] FindNextFileW (in: hFindFile=0x2c9e748, lpFindFileData=0x2bf2fd28 | out: lpFindFileData=0x2bf2fd28) returned 1 [0099.486] lstrcpyW (in: lpString1=0x20f005b0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\*.*" [0099.486] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\*.*") returned 64 [0099.486] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\How To Restore Files.hta" [0099.486] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\how to restore files.hta")) returned 0xffffffff [0099.486] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 659 os_tid = 0x1110 [0099.062] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\*.*", lpFindFileData=0x2c06fd28 | out: lpFindFileData=0x2c06fd28) returned 0x2c9e788 [0099.487] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.487] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x2c06fd28 | out: lpFindFileData=0x2c06fd28) returned 1 [0099.487] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.487] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.487] FindNextFileW (in: hFindFile=0x2c9e788, lpFindFileData=0x2c06fd28 | out: lpFindFileData=0x2c06fd28) returned 1 [0099.487] lstrcpyW (in: lpString1=0x20f085b8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\*.*" [0099.487] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\*.*") returned 64 [0099.487] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\How To Restore Files.hta" [0099.487] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-gb\\how to restore files.hta")) returned 0xffffffff [0099.487] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-gb\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 660 os_tid = 0x1114 [0099.063] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\*.*", lpFindFileData=0x2c1afd28 | out: lpFindFileData=0x2c1afd28) returned 0x2c9e588 [0099.443] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.443] FindNextFileW (in: hFindFile=0x2c9e588, lpFindFileData=0x2c1afd28 | out: lpFindFileData=0x2c1afd28) returned 1 [0099.444] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.444] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.444] FindNextFileW (in: hFindFile=0x2c9e588, lpFindFileData=0x2c1afd28 | out: lpFindFileData=0x2c1afd28) returned 1 [0099.444] lstrcpyW (in: lpString1=0x21128828, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\*.*" [0099.444] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned 64 [0099.444] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\How To Restore Files.hta" [0099.444] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\how to restore files.hta")) returned 0xffffffff [0099.444] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 661 os_tid = 0x1118 [0099.063] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\*.*", lpFindFileData=0x2c2efd28 | out: lpFindFileData=0x2c2efd28) returned 0x2c9e308 [0099.441] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.441] FindNextFileW (in: hFindFile=0x2c9e308, lpFindFileData=0x2c2efd28 | out: lpFindFileData=0x2c2efd28) returned 1 [0099.441] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.441] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.441] FindNextFileW (in: hFindFile=0x2c9e308, lpFindFileData=0x2c2efd28 | out: lpFindFileData=0x2c2efd28) returned 1 [0099.441] lstrcpyW (in: lpString1=0x21a93030, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\*.*" [0099.441] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\*.*") returned 64 [0099.441] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\How To Restore Files.hta" [0099.441] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\how to restore files.hta")) returned 0xffffffff [0099.442] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 662 os_tid = 0x111c [0099.064] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\*.*", lpFindFileData=0x2c42fd28 | out: lpFindFileData=0x2c42fd28) returned 0x2c9e888 [0099.504] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.504] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x2c42fd28 | out: lpFindFileData=0x2c42fd28) returned 1 [0099.504] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.504] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.504] FindNextFileW (in: hFindFile=0x2c9e888, lpFindFileData=0x2c42fd28 | out: lpFindFileData=0x2c42fd28) returned 1 [0099.507] lstrcpyW (in: lpString1=0x21ac30b0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\*.*" [0099.507] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\*.*") returned 64 [0099.507] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\How To Restore Files.hta" [0099.507] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-mx\\how to restore files.hta")) returned 0xffffffff [0099.507] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-MX\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-mx\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 663 os_tid = 0x1120 [0099.064] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\*.*", lpFindFileData=0x2c56fd28 | out: lpFindFileData=0x2c56fd28) returned 0x2c9e548 [0099.442] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.442] FindNextFileW (in: hFindFile=0x2c9e548, lpFindFileData=0x2c56fd28 | out: lpFindFileData=0x2c56fd28) returned 1 [0099.443] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.443] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.443] FindNextFileW (in: hFindFile=0x2c9e548, lpFindFileData=0x2c56fd28 | out: lpFindFileData=0x2c56fd28) returned 1 [0099.443] lstrcpyW (in: lpString1=0x21120820, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\*.*" [0099.443] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\*.*") returned 64 [0099.443] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\How To Restore Files.hta" [0099.443] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\how to restore files.hta")) returned 0xffffffff [0099.443] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 664 os_tid = 0x1124 [0099.524] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\*.*", lpFindFileData=0x2c6afd28 | out: lpFindFileData=0x2c6afd28) returned 0x2c9e8c8 [0099.526] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.526] FindNextFileW (in: hFindFile=0x2c9e8c8, lpFindFileData=0x2c6afd28 | out: lpFindFileData=0x2c6afd28) returned 1 [0099.526] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.526] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.526] FindNextFileW (in: hFindFile=0x2c9e8c8, lpFindFileData=0x2c6afd28 | out: lpFindFileData=0x2c6afd28) returned 1 [0099.530] lstrcpyW (in: lpString1=0x21ad30c0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\*.*" [0099.530] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\*.*") returned 64 [0099.530] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\How To Restore Files.hta" [0099.530] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\how to restore files.hta")) returned 0xffffffff [0099.530] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\How To Restore Files.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 665 os_tid = 0x1128 [0099.531] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*", lpFindFileData=0x2c7efd28) Thread: id = 666 os_tid = 0x112c [0099.531] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*", lpFindFileData=0x2c92fd28) Thread: id = 667 os_tid = 0x1130 [0099.532] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*", lpFindFileData=0x2ca6fd28) Thread: id = 668 os_tid = 0x1134 [0099.533] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*", lpFindFileData=0x2cbafd28) Thread: id = 669 os_tid = 0x1138 [0099.534] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*", lpFindFileData=0x2ccefd28) Thread: id = 670 os_tid = 0x113c [0099.535] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*", lpFindFileData=0x2ce2fd28) Thread: id = 671 os_tid = 0x1140 [0099.536] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*", lpFindFileData=0x2cf6fd28 | out: lpFindFileData=0x2cf6fd28) returned 0x5c8b10 [0100.993] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.993] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x2cf6fd28 | out: lpFindFileData=0x2cf6fd28) returned 1 [0100.993] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0100.993] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.993] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x2cf6fd28 | out: lpFindFileData=0x2cf6fd28) returned 1 [0100.993] lstrcpyW (in: lpString1=0x1b020388, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*" [0100.993] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 108 [0100.993] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxMetadata\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" [0100.993] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta")) returned 0xffffffff [0100.993] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 672 os_tid = 0x1144 [0099.537] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*", lpFindFileData=0x2d0afd28 | out: lpFindFileData=0x2d0afd28) returned 0x10805508 [0101.104] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.104] FindNextFileW (in: hFindFile=0x10805508, lpFindFileData=0x2d0afd28 | out: lpFindFileData=0x2d0afd28) returned 1 [0101.104] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.104] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.104] FindNextFileW (in: hFindFile=0x10805508, lpFindFileData=0x2d0afd28 | out: lpFindFileData=0x2d0afd28) returned 1 [0101.104] lstrcpyW (in: lpString1=0x8a60938, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*" [0101.104] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned 102 [0101.105] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta" [0101.105] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\assets\\how to restore files.hta")) returned 0xffffffff [0101.105] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\assets\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.105] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x2d0afcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2d0afcf0, lpOverlapped=0x0) returned 0 [0101.105] CloseHandle (hObject=0xffffffff) returned 1 [0101.105] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.105] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="PhotosAppList.contrast-black_scale-100.png") returned -1 [0101.105] lstrlenW (lpString="PhotosAppList.contrast-black_scale-100.png") returned 42 [0101.105] lstrcmpiW (lpString1=".LyaS", lpString2="0.png") returned -1 [0101.105] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*" [0101.106] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned 102 [0101.106] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\", lpString2="PhotosAppList.contrast-black_scale-100.png" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_scale-100.png") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_scale-100.png" [0101.106] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_scale-100.png" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_scale-100.png") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_scale-100.png" [0101.106] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_scale-100.png", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_scale-100.png id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_scale-100.png id-Br3n0G72wUb8CejT.LyaS" [0101.106] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_scale-100.png" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\assets\\photosapplist.contrast-black_scale-100.png"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_scale-100.png id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\assets\\photosapplist.contrast-black_scale-100.png id-br3n0g72wub8cejt.lyas")) returned 0 [0101.107] FindNextFileW (in: hFindFile=0x10805508, lpFindFileData=0x2d0afd28 | out: lpFindFileData=0x2d0afd28) returned 1 [0101.107] lstrcpyW (in: lpString1=0x8a60938, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*" [0101.107] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned 102 [0101.107] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta" [0101.107] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\assets\\how to restore files.hta")) returned 0xffffffff [0101.107] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\assets\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.107] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x2d0afcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2d0afcf0, lpOverlapped=0x0) returned 0 [0101.107] CloseHandle (hObject=0xffffffff) returned 1 [0101.107] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.108] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="PhotosAppList.contrast-black_targetsize-16.png") returned -1 [0101.108] lstrlenW (lpString="PhotosAppList.contrast-black_targetsize-16.png") returned 46 [0101.108] lstrcmpiW (lpString1=".LyaS", lpString2="6.png") returned -1 [0101.108] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*" [0101.108] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned 102 [0101.108] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\", lpString2="PhotosAppList.contrast-black_targetsize-16.png" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-16.png") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-16.png" [0101.108] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-16.png" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-16.png") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-16.png" [0101.108] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-16.png", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-16.png id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-16.png id-Br3n0G72wUb8CejT.LyaS" [0101.108] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-16.png" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\assets\\photosapplist.contrast-black_targetsize-16.png"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-16.png id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\assets\\photosapplist.contrast-black_targetsize-16.png id-br3n0g72wub8cejt.lyas")) returned 0 [0101.109] FindNextFileW (in: hFindFile=0x10805508, lpFindFileData=0x2d0afd28 | out: lpFindFileData=0x2d0afd28) returned 1 [0101.109] lstrcpyW (in: lpString1=0x8a60938, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*" [0101.109] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned 102 [0101.109] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta" [0101.109] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\assets\\how to restore files.hta")) returned 0xffffffff [0101.109] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\assets\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.109] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x2d0afcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2d0afcf0, lpOverlapped=0x0) returned 0 [0101.109] CloseHandle (hObject=0xffffffff) returned 1 [0101.109] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.110] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="PhotosAppList.contrast-black_targetsize-20.png") returned -1 [0101.110] lstrlenW (lpString="PhotosAppList.contrast-black_targetsize-20.png") returned 46 [0101.110] lstrcmpiW (lpString1=".LyaS", lpString2="0.png") returned -1 [0101.110] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*" [0101.110] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned 102 [0101.110] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\", lpString2="PhotosAppList.contrast-black_targetsize-20.png" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-20.png") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-20.png" [0101.110] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-20.png" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-20.png") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-20.png" [0101.110] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-20.png", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-20.png id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-20.png id-Br3n0G72wUb8CejT.LyaS" [0101.110] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-20.png" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\assets\\photosapplist.contrast-black_targetsize-20.png"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-20.png id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\assets\\photosapplist.contrast-black_targetsize-20.png id-br3n0g72wub8cejt.lyas")) returned 0 [0101.115] FindNextFileW (in: hFindFile=0x10805508, lpFindFileData=0x2d0afd28 | out: lpFindFileData=0x2d0afd28) returned 1 [0101.115] lstrcpyW (in: lpString1=0x8df9848, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*" [0101.115] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned 102 [0101.115] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta" [0101.115] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\assets\\how to restore files.hta")) returned 0xffffffff [0101.115] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\assets\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.116] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x2d0afcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2d0afcf0, lpOverlapped=0x0) returned 0 [0101.116] CloseHandle (hObject=0xffffffff) returned 1 [0101.116] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.116] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="PhotosAppList.contrast-black_targetsize-24.png") returned -1 [0101.116] lstrlenW (lpString="PhotosAppList.contrast-black_targetsize-24.png") returned 46 [0101.116] lstrcmpiW (lpString1=".LyaS", lpString2="4.png") returned -1 [0101.117] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*" [0101.117] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned 102 [0101.117] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\", lpString2="PhotosAppList.contrast-black_targetsize-24.png" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-24.png") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-24.png" [0101.117] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-24.png" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-24.png") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-24.png" [0101.117] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-24.png", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-24.png id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-24.png id-Br3n0G72wUb8CejT.LyaS" [0101.117] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-24.png" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\assets\\photosapplist.contrast-black_targetsize-24.png"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-24.png id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\assets\\photosapplist.contrast-black_targetsize-24.png id-br3n0g72wub8cejt.lyas")) returned 0 [0101.118] FindNextFileW (in: hFindFile=0x10805508, lpFindFileData=0x2d0afd28 | out: lpFindFileData=0x2d0afd28) returned 1 [0101.118] lstrcpyW (in: lpString1=0x8df9848, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*" [0101.118] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned 102 [0101.118] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta" [0101.118] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\assets\\how to restore files.hta")) returned 0xffffffff [0101.118] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\assets\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.118] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x2d0afcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2d0afcf0, lpOverlapped=0x0) returned 0 [0101.118] CloseHandle (hObject=0xffffffff) returned 1 [0101.119] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.119] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="PhotosAppList.contrast-black_targetsize-256.png") returned -1 [0101.119] lstrlenW (lpString="PhotosAppList.contrast-black_targetsize-256.png") returned 47 [0101.119] lstrcmpiW (lpString1=".LyaS", lpString2="6.png") returned -1 [0101.119] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*" [0101.119] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\*.*") returned 102 [0101.119] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\", lpString2="PhotosAppList.contrast-black_targetsize-256.png" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-256.png") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-256.png" [0101.120] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-256.png" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-256.png") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-256.png" [0101.120] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-256.png", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-256.png id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-256.png id-Br3n0G72wUb8CejT.LyaS" [0101.120] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-256.png" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\assets\\photosapplist.contrast-black_targetsize-256.png"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Assets\\PhotosAppList.contrast-black_targetsize-256.png id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windows.photos_15.618.18170.0_x64__8wekyb3d8bbwe\\assets\\photosapplist.contrast-black_targetsize-256.png id-br3n0g72wub8cejt.lyas")) Thread: id = 673 os_tid = 0x1148 [0099.537] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive\\*.*", lpFindFileData=0x2d1efd28 | out: lpFindFileData=0x2d1efd28) returned 0x5c8b10 [0100.991] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.991] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x2d1efd28 | out: lpFindFileData=0x2d1efd28) returned 1 [0100.991] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0100.991] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.991] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x2d1efd28 | out: lpFindFileData=0x2d1efd28) returned 1 [0100.991] lstrcmpW (lpString1=".", lpString2="Shaders") returned -1 [0100.991] lstrcmpW (lpString1="..", lpString2="Shaders") returned -1 [0100.991] lstrcmpiW (lpString1="windows", lpString2="Shaders") returned 1 [0100.991] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive\\*.*" [0100.991] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive\\*.*") returned 110 [0100.991] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive\\", lpString2="Shaders" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive\\Shaders") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive\\Shaders" [0100.991] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive\\Shaders", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive\\Shaders\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Bing.Immersive\\Shaders\\*.*" [0100.991] GlobalMemoryStatus (in: lpBuffer=0x2d1efd08 | out: lpBuffer=0x2d1efd08) [0100.991] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8bb0ee8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x36c [0100.992] CloseHandle (hObject=0x36c) returned 1 [0100.992] FindNextFileW (in: hFindFile=0x5c8b10, lpFindFileData=0x2d1efd28 | out: lpFindFileData=0x2d1efd28) returned 0 [0100.992] FindClose (in: hFindFile=0x5c8b10 | out: hFindFile=0x5c8b10) returned 1 Thread: id = 674 os_tid = 0x114c [0099.537] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*", lpFindFileData=0x2d32fd28 | out: lpFindFileData=0x2d32fd28) returned 0x10805408 [0101.102] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.102] FindNextFileW (in: hFindFile=0x10805408, lpFindFileData=0x2d32fd28 | out: lpFindFileData=0x2d32fd28) returned 1 [0101.102] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.102] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.102] FindNextFileW (in: hFindFile=0x10805408, lpFindFileData=0x2d32fd28 | out: lpFindFileData=0x2d32fd28) returned 1 [0101.102] lstrcpyW (in: lpString1=0x59b80c0, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*" [0101.102] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxMetadata\\*.*") returned 109 [0101.121] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxMetadata\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" [0101.121] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\\AppxMetadata\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.office.onenote_17.4201.10091.0_x64__8wekyb3d8bbwe\\appxmetadata\\how to restore files.hta")) Thread: id = 675 os_tid = 0x1150 [0099.538] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\microsoft.system.package.metadata\\*.*", lpFindFileData=0x2d46fd28) Thread: id = 676 os_tid = 0x1154 [0099.539] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\css\\*.*", lpFindFileData=0x2d5afd28 | out: lpFindFileData=0x2d5afd28) returned 0x108054c8 [0101.134] lstrcmpW (lpString1=".", lpString2=".") Thread: id = 677 os_tid = 0x1158 [0099.540] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\images\\*.*", lpFindFileData=0x2d6efd28) Thread: id = 678 os_tid = 0x115c [0099.541] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\js\\*.*", lpFindFileData=0x2d82fd28) Thread: id = 679 os_tid = 0x1160 [0099.542] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*", lpFindFileData=0x2d96fd28) Thread: id = 680 os_tid = 0x1164 [0099.543] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*", lpFindFileData=0x2daafd28 | out: lpFindFileData=0x2daafd28) returned 0x108054c8 [0101.123] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.123] FindNextFileW (in: hFindFile=0x108054c8, lpFindFileData=0x2daafd28 | out: lpFindFileData=0x2daafd28) returned 1 [0101.123] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.123] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.123] FindNextFileW (in: hFindFile=0x108054c8, lpFindFileData=0x2daafd28 | out: lpFindFileData=0x2daafd28) returned 0 [0101.123] FindClose (in: hFindFile=0x108054c8 | out: hFindFile=0x108054c8) returned 1 Thread: id = 681 os_tid = 0x1168 [0099.551] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*", lpFindFileData=0x2dbefd28 | out: lpFindFileData=0x2dbefd28) returned 0x5c8f90 [0101.033] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.033] FindNextFileW (in: hFindFile=0x5c8f90, lpFindFileData=0x2dbefd28 | out: lpFindFileData=0x2dbefd28) returned 1 [0101.034] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.034] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.034] FindNextFileW (in: hFindFile=0x5c8f90, lpFindFileData=0x2dbefd28 | out: lpFindFileData=0x2dbefd28) returned 1 [0101.034] lstrcpyW (in: lpString1=0x21619d08, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" [0101.034] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned 113 [0101.034] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta" [0101.034] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\how to restore files.hta")) returned 0xffffffff [0101.034] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.034] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x2dbefcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2dbefcf0, lpOverlapped=0x0) returned 0 [0101.034] CloseHandle (hObject=0xffffffff) returned 1 [0101.035] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.035] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="hxcalendarresim.dll") returned -1 [0101.035] lstrlenW (lpString="hxcalendarresim.dll") returned 19 [0101.035] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" [0101.035] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned 113 [0101.035] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\", lpString2="hxcalendarresim.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxcalendarresim.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxcalendarresim.dll" [0101.035] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxcalendarresim.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxcalendarresim.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxcalendarresim.dll" [0101.035] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxcalendarresim.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxcalendarresim.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxcalendarresim.dll id-Br3n0G72wUb8CejT.LyaS" [0101.035] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxcalendarresim.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxcalendarresim.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxcalendarresim.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxcalendarresim.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.043] FindNextFileW (in: hFindFile=0x5c8f90, lpFindFileData=0x2dbefd28 | out: lpFindFileData=0x2dbefd28) returned 1 [0101.043] lstrcpyW (in: lpString1=0x59b00b8, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" [0101.043] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned 113 [0101.043] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta" [0101.043] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\how to restore files.hta")) returned 0xffffffff [0101.043] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.043] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x2dbefcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2dbefcf0, lpOverlapped=0x0) returned 0 [0101.044] CloseHandle (hObject=0xffffffff) returned 1 [0101.044] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.044] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="hxcommintl.dll") returned -1 [0101.044] lstrlenW (lpString="hxcommintl.dll") returned 14 [0101.044] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" [0101.044] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned 113 [0101.044] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\", lpString2="hxcommintl.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxcommintl.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxcommintl.dll" [0101.044] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxcommintl.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxcommintl.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxcommintl.dll" [0101.044] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxcommintl.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxcommintl.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxcommintl.dll id-Br3n0G72wUb8CejT.LyaS" [0101.044] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxcommintl.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxcommintl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxcommintl.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxcommintl.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.044] FindNextFileW (in: hFindFile=0x5c8f90, lpFindFileData=0x2dbefd28 | out: lpFindFileData=0x2dbefd28) returned 1 [0101.045] lstrcpyW (in: lpString1=0x59b00b8, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" [0101.045] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned 113 [0101.045] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta" [0101.045] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\how to restore files.hta")) returned 0xffffffff [0101.045] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.045] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x2dbefcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2dbefcf0, lpOverlapped=0x0) returned 0 [0101.045] CloseHandle (hObject=0xffffffff) returned 1 [0101.045] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.045] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="hxmailintl.dll") returned -1 [0101.045] lstrlenW (lpString="hxmailintl.dll") returned 14 [0101.045] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" [0101.045] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned 113 [0101.046] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\", lpString2="hxmailintl.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxmailintl.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxmailintl.dll" [0101.046] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxmailintl.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxmailintl.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxmailintl.dll" [0101.046] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxmailintl.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxmailintl.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxmailintl.dll id-Br3n0G72wUb8CejT.LyaS" [0101.046] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxmailintl.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxmailintl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxmailintl.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\hxmailintl.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.046] FindNextFileW (in: hFindFile=0x5c8f90, lpFindFileData=0x2dbefd28 | out: lpFindFileData=0x2dbefd28) returned 1 [0101.046] lstrcpyW (in: lpString1=0x59b00b8, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" [0101.046] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned 113 [0101.046] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta" [0101.046] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\how to restore files.hta")) returned 0xffffffff [0101.046] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.047] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x2dbefcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2dbefcf0, lpOverlapped=0x0) returned 0 [0101.047] CloseHandle (hObject=0xffffffff) returned 1 [0101.047] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.047] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msointl30_winrt.dll") returned -1 [0101.047] lstrlenW (lpString="msointl30_winrt.dll") returned 19 [0101.047] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" [0101.047] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned 113 [0101.047] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\", lpString2="msointl30_winrt.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\msointl30_winrt.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\msointl30_winrt.dll" [0101.047] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\msointl30_winrt.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\msointl30_winrt.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\msointl30_winrt.dll" [0101.047] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\msointl30_winrt.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\msointl30_winrt.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\msointl30_winrt.dll id-Br3n0G72wUb8CejT.LyaS" [0101.047] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\msointl30_winrt.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\msointl30_winrt.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\msointl30_winrt.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\msointl30_winrt.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.048] FindNextFileW (in: hFindFile=0x5c8f90, lpFindFileData=0x2dbefd28 | out: lpFindFileData=0x2dbefd28) returned 1 [0101.048] lstrcpyW (in: lpString1=0x59b00b8, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" [0101.048] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned 113 [0101.048] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta" [0101.048] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\how to restore files.hta")) returned 0xffffffff [0101.048] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.049] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x2dbefcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2dbefcf0, lpOverlapped=0x0) returned 0 [0101.049] CloseHandle (hObject=0xffffffff) returned 1 [0101.049] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.049] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="msointlimm.dll") returned -1 [0101.049] lstrlenW (lpString="msointlimm.dll") returned 14 [0101.049] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" [0101.049] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned 113 [0101.049] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\", lpString2="msointlimm.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\msointlimm.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\msointlimm.dll" [0101.049] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\msointlimm.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\msointlimm.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\msointlimm.dll" [0101.049] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\msointlimm.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\msointlimm.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\msointlimm.dll id-Br3n0G72wUb8CejT.LyaS" [0101.049] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\msointlimm.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\msointlimm.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\msointlimm.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\msointlimm.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.050] FindNextFileW (in: hFindFile=0x5c8f90, lpFindFileData=0x2dbefd28 | out: lpFindFileData=0x2dbefd28) returned 1 [0101.050] lstrcpyW (in: lpString1=0x59b00b8, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" [0101.050] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned 113 [0101.050] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta" [0101.050] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\how to restore files.hta")) returned 0xffffffff [0101.051] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.051] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x2dbefcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2dbefcf0, lpOverlapped=0x0) returned 0 [0101.051] CloseHandle (hObject=0xffffffff) returned 1 [0101.051] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.051] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="wintlim.dll") returned -1 [0101.051] lstrlenW (lpString="wintlim.dll") returned 11 [0101.051] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" [0101.051] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned 113 [0101.051] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\", lpString2="wintlim.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\wintlim.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\wintlim.dll" [0101.051] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\wintlim.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\wintlim.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\wintlim.dll" [0101.051] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\wintlim.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\wintlim.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\wintlim.dll id-Br3n0G72wUb8CejT.LyaS" [0101.051] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\wintlim.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\wintlim.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\wintlim.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\wintlim.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.064] FindNextFileW (in: hFindFile=0x5c8f90, lpFindFileData=0x2dbefd28 | out: lpFindFileData=0x2dbefd28) returned 1 [0101.064] lstrcpyW (in: lpString1=0x59b00b8, lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" [0101.064] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned 113 [0101.064] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta" [0101.064] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\how to restore files.hta")) returned 0xffffffff [0101.065] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.065] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x2dbefcf0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2dbefcf0, lpOverlapped=0x0) returned 0 [0101.065] CloseHandle (hObject=0xffffffff) returned 1 [0101.065] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\How To Restore Files.hta", dwFileAttributes=0x1) returned 0 [0101.065] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="xlsrvintl.dll") returned -1 [0101.065] lstrlenW (lpString="xlsrvintl.dll") returned 13 [0101.065] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*" [0101.065] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\*.*") returned 113 [0101.065] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\", lpString2="xlsrvintl.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\xlsrvintl.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\xlsrvintl.dll" [0101.065] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\xlsrvintl.dll" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\xlsrvintl.dll") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\xlsrvintl.dll" [0101.065] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\xlsrvintl.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\xlsrvintl.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\xlsrvintl.dll id-Br3n0G72wUb8CejT.LyaS" [0101.065] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\xlsrvintl.dll" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\xlsrvintl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\xlsrvintl.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-gb\\xlsrvintl.dll id-br3n0g72wub8cejt.lyas")) returned 0 [0101.066] FindNextFileW (in: hFindFile=0x5c8f90, lpFindFileData=0x2dbefd28 | out: lpFindFileData=0x2dbefd28) returned 0 [0101.066] FindClose (in: hFindFile=0x5c8f90 | out: hFindFile=0x5c8f90) returned 1 Thread: id = 682 os_tid = 0x116c [0099.552] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\\en-us\\*.*", lpFindFileData=0x2dd2fd28) Thread: id = 683 os_tid = 0x1170 [0099.552] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*", lpFindFileData=0x2de6fd28) Thread: id = 684 os_tid = 0x1174 [0099.553] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\\Lumia.ViewerPlugin\\*.*", lpFindFileData=0x2dfafd28) Thread: id = 685 os_tid = 0x1178 [0099.553] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\AppxMetadata\\*.*", lpFindFileData=0x2e0efd28) Thread: id = 686 os_tid = 0x117c [0099.555] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\AppInfoDocument\\*.*", lpFindFileData=0x728fd28) Thread: id = 687 os_tid = 0x1180 [0099.555] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\*.*", lpFindFileData=0x764fd28 | out: lpFindFileData=0x764fd28) returned 0x2c9e948 [0099.556] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.556] FindNextFileW (in: hFindFile=0x2c9e948, lpFindFileData=0x764fd28 | out: lpFindFileData=0x764fd28) returned 1 [0099.556] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.556] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.556] FindNextFileW (in: hFindFile=0x2c9e948, lpFindFileData=0x764fd28 | out: lpFindFileData=0x764fd28) returned 1 [0099.556] lstrcmpW (lpString1=".", lpString2="AddInSideAdapters") returned -1 [0099.556] lstrcmpW (lpString1="..", lpString2="AddInSideAdapters") returned -1 [0099.556] lstrcmpiW (lpString1="windows", lpString2="AddInSideAdapters") returned 1 [0099.562] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\*.*" [0099.562] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\*.*") returned 80 [0099.562] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\", lpString2="AddInSideAdapters" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters" [0099.562] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\*.*" [0099.562] GlobalMemoryStatus (in: lpBuffer=0x764fd08 | out: lpBuffer=0x764fd08) [0099.562] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21adb0c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x624 [0099.563] CloseHandle (hObject=0x624) returned 1 [0099.563] FindNextFileW (in: hFindFile=0x2c9e948, lpFindFileData=0x764fd28 | out: lpFindFileData=0x764fd28) returned 1 [0099.563] lstrcmpW (lpString1=".", lpString2="AddInViews") returned -1 [0099.563] lstrcmpW (lpString1="..", lpString2="AddInViews") returned -1 [0099.563] lstrcmpiW (lpString1="windows", lpString2="AddInViews") returned 1 [0099.568] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\*.*" [0099.568] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\*.*") returned 80 [0099.568] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\", lpString2="AddInViews" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\AddInViews") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\AddInViews" [0099.568] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\AddInViews", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\AddInViews\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\AddInViews\\*.*" [0099.568] GlobalMemoryStatus (in: lpBuffer=0x764fd08 | out: lpBuffer=0x764fd08) [0099.568] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21af3130, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x624 [0099.569] CloseHandle (hObject=0x624) returned 1 [0099.569] FindNextFileW (in: hFindFile=0x2c9e948, lpFindFileData=0x764fd28 | out: lpFindFileData=0x764fd28) returned 1 [0099.569] lstrcmpW (lpString1=".", lpString2="Contracts") returned -1 [0099.569] lstrcmpW (lpString1="..", lpString2="Contracts") returned -1 [0099.570] lstrcmpiW (lpString1="windows", lpString2="Contracts") returned 1 [0099.574] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\*.*" [0099.574] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\*.*") returned 80 [0099.574] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\", lpString2="Contracts" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\Contracts") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\Contracts" [0099.574] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\Contracts", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\Contracts\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\Contracts\\*.*" [0099.574] GlobalMemoryStatus (in: lpBuffer=0x764fd08 | out: lpBuffer=0x764fd08) [0099.575] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21b0b198, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x624 [0099.575] CloseHandle (hObject=0x624) returned 1 [0099.575] FindNextFileW (in: hFindFile=0x2c9e948, lpFindFileData=0x764fd28 | out: lpFindFileData=0x764fd28) returned 1 [0099.575] lstrcmpW (lpString1=".", lpString2="HostSideAdapters") returned -1 [0099.575] lstrcmpW (lpString1="..", lpString2="HostSideAdapters") returned -1 [0099.575] lstrcmpiW (lpString1="windows", lpString2="HostSideAdapters") returned 1 [0099.579] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\*.*" [0099.579] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\*.*") returned 80 [0099.579] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\", lpString2="HostSideAdapters" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters" [0099.579] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\*.*" [0099.579] GlobalMemoryStatus (in: lpBuffer=0x764fd08 | out: lpBuffer=0x764fd08) [0099.580] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21b23200, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x624 [0099.580] CloseHandle (hObject=0x624) returned 1 [0099.580] FindNextFileW (in: hFindFile=0x2c9e948, lpFindFileData=0x764fd28 | out: lpFindFileData=0x764fd28) returned 1 [0099.581] lstrcpyW (in: lpString1=0x21b3b268, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\*.*" [0099.581] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\*.*") returned 80 [0099.581] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\How To Restore Files.hta" [0099.581] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\how to restore files.hta")) returned 0xffffffff [0099.581] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA\\Pipeline.v10.0\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 688 os_tid = 0x1184 [0099.582] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*.*", lpFindFileData=0x814fd28) Thread: id = 689 os_tid = 0x1188 [0099.592] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*", lpFindFileData=0x844fd28) Thread: id = 690 os_tid = 0x118c [0099.593] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\client\\*.*", lpFindFileData=0x86cfd28 | out: lpFindFileData=0x86cfd28) returned 0x2c9e988 [0099.594] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.594] FindNextFileW (in: hFindFile=0x2c9e988, lpFindFileData=0x86cfd28 | out: lpFindFileData=0x86cfd28) returned 1 [0099.594] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.594] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.595] FindNextFileW (in: hFindFile=0x2c9e988, lpFindFileData=0x86cfd28 | out: lpFindFileData=0x86cfd28) returned 1 [0099.595] lstrcpyW (in: lpString1=0x5ca0d58, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\client\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\client\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\client\\*.*" [0099.595] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\client\\*.*") returned 53 [0099.595] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\client\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\client\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\client\\How To Restore Files.hta" [0099.595] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\client\\How To Restore Files.hta" (normalized: "c:\\program files\\microsoft office\\root\\client\\how to restore files.hta")) returned 0xffffffff [0099.595] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\client\\How To Restore Files.hta" (normalized: "c:\\program files\\microsoft office\\root\\client\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 691 os_tid = 0x1190 [0099.596] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART\\*.*", lpFindFileData=0x928fd28 | out: lpFindFileData=0x928fd28) returned 0x108054c8 [0101.127] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.127] FindNextFileW (in: hFindFile=0x108054c8, lpFindFileData=0x928fd28 | out: lpFindFileData=0x928fd28) returned 1 [0101.127] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.127] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.127] FindNextFileW (in: hFindFile=0x108054c8, lpFindFileData=0x928fd28 | out: lpFindFileData=0x928fd28) returned 1 [0101.127] lstrcmpW (lpString1=".", lpString2="PUB60COR") returned -1 [0101.127] lstrcmpW (lpString1="..", lpString2="PUB60COR") returned -1 [0101.127] lstrcmpiW (lpString1="windows", lpString2="PUB60COR") returned 1 [0101.127] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART\\*.*" [0101.127] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART\\*.*") returned 54 [0101.127] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART\\", lpString2="PUB60COR" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR" [0101.127] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\*.*" [0101.127] GlobalMemoryStatus (in: lpBuffer=0x928fd08 | out: lpBuffer=0x928fd08) [0101.127] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x10a41000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5a4 [0101.128] CloseHandle (hObject=0x5a4) returned 1 [0101.128] FindNextFileW (in: hFindFile=0x108054c8, lpFindFileData=0x928fd28 | out: lpFindFileData=0x928fd28) returned 1 [0101.128] lstrcmpW (lpString1=".", lpString2="Publisher") returned -1 [0101.128] lstrcmpW (lpString1="..", lpString2="Publisher") returned -1 [0101.128] lstrcmpiW (lpString1="windows", lpString2="Publisher") returned 1 [0101.128] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART\\*.*" [0101.128] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART\\*.*") returned 54 [0101.128] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART\\", lpString2="Publisher" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher" [0101.128] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\*.*" [0101.128] GlobalMemoryStatus (in: lpBuffer=0x928fd08 | out: lpBuffer=0x928fd08) [0101.128] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x214695b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5a4 [0101.132] CloseHandle (hObject=0x5a4) returned 1 [0101.132] FindNextFileW (in: hFindFile=0x108054c8, lpFindFileData=0x928fd28 | out: lpFindFileData=0x928fd28) returned 0 [0101.132] FindClose (in: hFindFile=0x108054c8 | out: hFindFile=0x108054c8) returned 1 Thread: id = 692 os_tid = 0x1194 [0099.596] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\*.*", lpFindFileData=0x93cfd28 | out: lpFindFileData=0x93cfd28) returned 0x2c9ef48 [0099.597] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.597] FindNextFileW (in: hFindFile=0x2c9ef48, lpFindFileData=0x93cfd28 | out: lpFindFileData=0x93cfd28) returned 1 [0099.597] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.597] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.597] FindNextFileW (in: hFindFile=0x2c9ef48, lpFindFileData=0x93cfd28 | out: lpFindFileData=0x93cfd28) returned 1 [0099.597] lstrcpyW (in: lpString1=0x5ca8d60, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\*.*" [0099.597] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\*.*") returned 65 [0099.597] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\How To Restore Files.hta" [0099.597] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\How To Restore Files.hta" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\how to restore files.hta")) returned 0xffffffff [0099.597] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\How To Restore Files.hta" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 693 os_tid = 0x1198 [0099.598] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\*.*", lpFindFileData=0x950fd28 | out: lpFindFileData=0x950fd28) returned 0x2c9ef88 [0099.599] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.599] FindNextFileW (in: hFindFile=0x2c9ef88, lpFindFileData=0x950fd28 | out: lpFindFileData=0x950fd28) returned 1 [0099.600] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.600] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.600] FindNextFileW (in: hFindFile=0x2c9ef88, lpFindFileData=0x950fd28 | out: lpFindFileData=0x950fd28) returned 1 [0099.600] lstrcpyW (in: lpString1=0x5cb0d68, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\*.*" [0099.600] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\*.*") returned 56 [0099.600] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\How To Restore Files.hta" [0099.600] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\How To Restore Files.hta" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\how to restore files.hta")) returned 0xffffffff [0099.600] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\How To Restore Files.hta" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0101.294] WriteFile (in: hFile=0x38c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x38e, lpNumberOfBytesWritten=0x950fcf0, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x950fcf0*=0x38e, lpOverlapped=0x0) returned 1 [0101.295] CloseHandle (hObject=0x38c) returned 1 [0101.295] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\How To Restore Files.hta", dwFileAttributes=0x1) returned 1 [0101.296] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="api-ms-win-core-file-l1-2-0.dll") returned 1 [0101.296] lstrlenW (lpString="api-ms-win-core-file-l1-2-0.dll") returned 31 [0101.296] lstrcmpiW (lpString1=".LyaS", lpString2="0.dll") returned -1 [0101.296] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\*.*" [0101.297] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\*.*") returned 56 [0101.297] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\", lpString2="api-ms-win-core-file-l1-2-0.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\api-ms-win-core-file-l1-2-0.dll") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\api-ms-win-core-file-l1-2-0.dll" [0101.297] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\api-ms-win-core-file-l1-2-0.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\api-ms-win-core-file-l1-2-0.dll") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\api-ms-win-core-file-l1-2-0.dll" [0101.297] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\api-ms-win-core-file-l1-2-0.dll", lpString2=" id-Br3n0G72wUb8CejT.LyaS" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\api-ms-win-core-file-l1-2-0.dll id-Br3n0G72wUb8CejT.LyaS") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\api-ms-win-core-file-l1-2-0.dll id-Br3n0G72wUb8CejT.LyaS" [0101.297] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\api-ms-win-core-file-l1-2-0.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\api-ms-win-core-file-l1-2-0.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\api-ms-win-core-file-l1-2-0.dll id-br3n0g72wub8cejt.lyas")) returned 1 [0101.298] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\root\\Flattener\\api-ms-win-core-file-l1-2-0.dll id-Br3n0G72wUb8CejT.LyaS" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\api-ms-win-core-file-l1-2-0.dll id-br3n0g72wub8cejt.lyas"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0101.299] CreateFileMappingA (hFile=0x38c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x348 [0101.299] CryptAcquireContextA (in: phProv=0x950fce4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x950fce4*=0x1083c9f8) returned 1 [0101.300] CryptGenKey (in: hProv=0x1083c9f8, Algid=0x6610, dwFlags=0x1, phKey=0x950fce0 | out: phKey=0x950fce0*=0x5c8e10) returned 1 [0101.300] CryptExportKey (in: hKey=0x5c8e10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x950fbdc, pdwDataLen=0x950fcdc | out: pbData=0x950fbdc*, pdwDataLen=0x950fcdc*=0x2c) returned 1 [0101.300] MapViewOfFile (hFileMappingObject=0x348, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x48c0) Thread: id = 694 os_tid = 0x119c [0099.601] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Apply\\*.*", lpFindFileData=0x978fd28 | out: lpFindFileData=0x978fd28) returned 0x2c9efc8 [0099.601] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.602] FindNextFileW (in: hFindFile=0x2c9efc8, lpFindFileData=0x978fd28 | out: lpFindFileData=0x978fd28) returned 1 [0099.602] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.602] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.602] FindNextFileW (in: hFindFile=0x2c9efc8, lpFindFileData=0x978fd28 | out: lpFindFileData=0x978fd28) returned 1 [0099.602] lstrcmpW (lpString1=".", lpString2="FilesInUse") returned -1 [0099.602] lstrcmpW (lpString1="..", lpString2="FilesInUse") returned -1 [0099.602] lstrcmpiW (lpString1="windows", lpString2="FilesInUse") returned 1 [0099.607] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Apply\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Apply\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Apply\\*.*" [0099.607] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Apply\\*.*") returned 55 [0099.608] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Apply\\", lpString2="FilesInUse" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Apply\\FilesInUse") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Apply\\FilesInUse" [0099.608] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Apply\\FilesInUse", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Apply\\FilesInUse\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Apply\\FilesInUse\\*.*" [0099.608] GlobalMemoryStatus (in: lpBuffer=0x978fd08 | out: lpBuffer=0x978fd08) [0099.608] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21b4b278, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x630 [0099.609] CloseHandle (hObject=0x630) returned 1 [0099.609] FindNextFileW (in: hFindFile=0x2c9efc8, lpFindFileData=0x978fd28 | out: lpFindFileData=0x978fd28) returned 0 [0099.609] FindClose (in: hFindFile=0x2c9efc8 | out: hFindFile=0x2c9efc8) returned 1 Thread: id = 695 os_tid = 0x11a0 [0099.611] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Detection\\*.*", lpFindFileData=0x9b4fd28) Thread: id = 696 os_tid = 0x11a4 [0099.611] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Updates\\Download\\*.*", lpFindFileData=0x9c8fd28) Thread: id = 697 os_tid = 0x11a8 [0099.612] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsApps\\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\\microsoft.system.package.metadata\\*.*", lpFindFileData=0x9dcfd28) Thread: id = 698 os_tid = 0x11ac [0099.613] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*", lpFindFileData=0x9f0fd28 | out: lpFindFileData=0x9f0fd28) returned 0x2c9efc8 [0099.613] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.613] FindNextFileW (in: hFindFile=0x2c9efc8, lpFindFileData=0x9f0fd28 | out: lpFindFileData=0x9f0fd28) returned 1 [0099.614] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.614] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.614] FindNextFileW (in: hFindFile=0x2c9efc8, lpFindFileData=0x9f0fd28 | out: lpFindFileData=0x9f0fd28) returned 1 [0099.614] lstrcmpW (lpString1=".", lpString2="58.0.3029.110") returned -1 [0099.614] lstrcmpW (lpString1="..", lpString2="58.0.3029.110") returned -1 [0099.614] lstrcmpiW (lpString1="windows", lpString2="58.0.3029.110") returned 1 [0099.614] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*" [0099.614] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*") returned 56 [0099.614] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\", lpString2="58.0.3029.110" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110" [0099.614] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\*.*" [0099.614] GlobalMemoryStatus (in: lpBuffer=0x9f0fd08 | out: lpBuffer=0x9f0fd08) [0099.614] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21752250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x630 [0099.615] CloseHandle (hObject=0x630) returned 1 [0099.616] FindNextFileW (in: hFindFile=0x2c9efc8, lpFindFileData=0x9f0fd28 | out: lpFindFileData=0x9f0fd28) returned 1 [0099.616] lstrcpyW (in: lpString1=0x21b632e0, lpString2="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*" [0099.616] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*") returned 56 [0099.616] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\How To Restore Files.hta" [0099.616] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\how to restore files.hta")) returned 0xffffffff [0099.617] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 699 os_tid = 0x11b0 [0099.617] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*", lpFindFileData=0x37ffd28 | out: lpFindFileData=0x37ffd28) returned 0x2c9f1c8 [0099.640] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.640] FindNextFileW (in: hFindFile=0x2c9f1c8, lpFindFileData=0x37ffd28 | out: lpFindFileData=0x37ffd28) returned 1 [0099.640] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.640] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.640] FindNextFileW (in: hFindFile=0x2c9f1c8, lpFindFileData=0x37ffd28 | out: lpFindFileData=0x37ffd28) returned 1 [0099.640] lstrcmpW (lpString1=".", lpString2="v3.0") returned -1 [0099.640] lstrcmpW (lpString1="..", lpString2="v3.0") returned -1 [0099.641] lstrcmpiW (lpString1="windows", lpString2="v3.0") returned 1 [0099.641] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*" [0099.641] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*") returned 76 [0099.641] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\", lpString2="v3.0" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0" [0099.641] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*" [0099.641] GlobalMemoryStatus (in: lpBuffer=0x37ffd08 | out: lpBuffer=0x37ffd08) [0099.641] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8d39508, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x634 [0099.642] CloseHandle (hObject=0x634) returned 1 [0099.642] FindNextFileW (in: hFindFile=0x2c9f1c8, lpFindFileData=0x37ffd28 | out: lpFindFileData=0x37ffd28) returned 1 [0099.642] lstrcmpW (lpString1=".", lpString2="v3.5") returned -1 [0099.642] lstrcmpW (lpString1="..", lpString2="v3.5") returned -1 [0099.642] lstrcmpiW (lpString1="windows", lpString2="v3.5") returned 1 [0099.642] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*" [0099.642] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*") returned 76 [0099.642] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\", lpString2="v3.5" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5" [0099.643] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*" [0099.643] GlobalMemoryStatus (in: lpBuffer=0x37ffd08 | out: lpBuffer=0x37ffd08) [0099.643] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8cb9360, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x634 [0099.643] CloseHandle (hObject=0x634) returned 1 [0099.644] FindNextFileW (in: hFindFile=0x2c9f1c8, lpFindFileData=0x37ffd28 | out: lpFindFileData=0x37ffd28) returned 0 [0099.644] FindClose (in: hFindFile=0x2c9f1c8 | out: hFindFile=0x2c9f1c8) returned 1 Thread: id = 700 os_tid = 0x11b4 [0099.619] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\*.*", lpFindFileData=0x463fd28 | out: lpFindFileData=0x463fd28) returned 0x2c9ebc8 [0099.620] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.620] FindNextFileW (in: hFindFile=0x2c9ebc8, lpFindFileData=0x463fd28 | out: lpFindFileData=0x463fd28) returned 1 [0099.620] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.620] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.620] FindNextFileW (in: hFindFile=0x2c9ebc8, lpFindFileData=0x463fd28 | out: lpFindFileData=0x463fd28) returned 1 [0099.620] lstrcmpW (lpString1=".", lpString2="v3.0") returned -1 [0099.620] lstrcmpW (lpString1="..", lpString2="v3.0") returned -1 [0099.620] lstrcmpiW (lpString1="windows", lpString2="v3.0") returned 1 [0099.626] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\*.*" [0099.626] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\*.*") returned 71 [0099.626] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\", lpString2="v3.0" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0" [0099.626] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0099.626] GlobalMemoryStatus (in: lpBuffer=0x463fd08 | out: lpBuffer=0x463fd08) [0099.626] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21b6b2e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x634 [0099.627] CloseHandle (hObject=0x634) returned 1 [0099.627] FindNextFileW (in: hFindFile=0x2c9ebc8, lpFindFileData=0x463fd28 | out: lpFindFileData=0x463fd28) returned 1 [0099.627] lstrcmpW (lpString1=".", lpString2="v3.5") returned -1 [0099.628] lstrcmpW (lpString1="..", lpString2="v3.5") returned -1 [0099.628] lstrcmpiW (lpString1="windows", lpString2="v3.5") returned 1 [0099.633] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\*.*" [0099.633] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\*.*") returned 71 [0099.633] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\", lpString2="v3.5" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5" [0099.633] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0099.633] GlobalMemoryStatus (in: lpBuffer=0x463fd08 | out: lpBuffer=0x463fd08) [0099.634] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x21b83350, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x634 [0099.635] CloseHandle (hObject=0x634) returned 1 [0099.635] FindNextFileW (in: hFindFile=0x2c9ebc8, lpFindFileData=0x463fd28 | out: lpFindFileData=0x463fd28) returned 0 [0099.635] FindClose (in: hFindFile=0x2c9ebc8 | out: hFindFile=0x2c9ebc8) returned 1 Thread: id = 701 os_tid = 0x11b8 [0099.636] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\*.*", lpFindFileData=0x38ffd28 | out: lpFindFileData=0x38ffd28) returned 0x2c9ebc8 [0099.637] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.637] FindNextFileW (in: hFindFile=0x2c9ebc8, lpFindFileData=0x38ffd28 | out: lpFindFileData=0x38ffd28) returned 1 [0099.637] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.637] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.637] FindNextFileW (in: hFindFile=0x2c9ebc8, lpFindFileData=0x38ffd28 | out: lpFindFileData=0x38ffd28) returned 0 [0099.637] FindClose (in: hFindFile=0x2c9ebc8 | out: hFindFile=0x2c9ebc8) returned 1 Thread: id = 702 os_tid = 0x11bc [0099.638] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\*.*", lpFindFileData=0x477fd28 | out: lpFindFileData=0x477fd28) returned 0x2c9ebc8 [0099.639] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.639] FindNextFileW (in: hFindFile=0x2c9ebc8, lpFindFileData=0x477fd28 | out: lpFindFileData=0x477fd28) returned 1 [0099.639] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.639] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.639] FindNextFileW (in: hFindFile=0x2c9ebc8, lpFindFileData=0x477fd28 | out: lpFindFileData=0x477fd28) returned 0 [0099.639] FindClose (in: hFindFile=0x2c9ebc8 | out: hFindFile=0x2c9ebc8) returned 1 Thread: id = 703 os_tid = 0x11c0 [0099.645] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Adobe\\*.*", lpFindFileData=0x5e8fd28) Thread: id = 704 os_tid = 0x11c4 [0099.645] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Application Data\\*.*", lpFindFileData=0x5fcfd28) Thread: id = 705 os_tid = 0x11c8 [0099.646] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\CEF\\*.*", lpFindFileData=0x610fd28) Thread: id = 706 os_tid = 0x11cc [0099.646] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Comms\\*.*", lpFindFileData=0xa04fd28) Thread: id = 707 os_tid = 0x11d0 [0099.647] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Google\\*.*", lpFindFileData=0xa18fd28) Thread: id = 708 os_tid = 0x11d4 [0099.647] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\History\\*.*", lpFindFileData=0xa2cfd28) Thread: id = 709 os_tid = 0x11d8 [0099.648] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\*.*", lpFindFileData=0xb1cfd28 | out: lpFindFileData=0xb1cfd28) returned 0x2c9ebc8 [0099.648] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.648] FindNextFileW (in: hFindFile=0x2c9ebc8, lpFindFileData=0xb1cfd28 | out: lpFindFileData=0xb1cfd28) returned 1 [0099.648] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.648] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.648] FindNextFileW (in: hFindFile=0x2c9ebc8, lpFindFileData=0xb1cfd28 | out: lpFindFileData=0xb1cfd28) returned 1 [0099.648] lstrcmpW (lpString1=".", lpString2="1.0.0.0") returned -1 [0099.648] lstrcmpW (lpString1="..", lpString2="1.0.0.0") returned -1 [0099.649] lstrcmpiW (lpString1="windows", lpString2="1.0.0.0") returned 1 [0099.649] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\*.*" [0099.649] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\*.*") returned 74 [0099.649] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\", lpString2="1.0.0.0" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0" [0099.649] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0\\*.*" [0099.649] GlobalMemoryStatus (in: lpBuffer=0xb1cfd08 | out: lpBuffer=0xb1cfd08) [0099.649] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x8ca12f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x634 [0099.650] CloseHandle (hObject=0x634) returned 1 [0099.650] FindNextFileW (in: hFindFile=0x2c9ebc8, lpFindFileData=0xb1cfd28 | out: lpFindFileData=0xb1cfd28) returned 0 [0099.650] FindClose (in: hFindFile=0x2c9ebc8 | out: hFindFile=0x2c9ebc8) returned 1 Thread: id = 710 os_tid = 0x11dc [0099.654] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\*.*", lpFindFileData=0xb94fd28 | out: lpFindFileData=0xb94fd28) returned 0x2c9f1c8 [0099.725] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.725] FindNextFileW (in: hFindFile=0x2c9f1c8, lpFindFileData=0xb94fd28 | out: lpFindFileData=0xb94fd28) returned 1 [0099.725] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.725] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.725] FindNextFileW (in: hFindFile=0x2c9f1c8, lpFindFileData=0xb94fd28 | out: lpFindFileData=0xb94fd28) returned 1 [0099.725] lstrcmpW (lpString1=".", lpString2="3.3.5") returned -1 [0099.725] lstrcmpW (lpString1="..", lpString2="3.3.5") returned -1 [0099.726] lstrcmpiW (lpString1="windows", lpString2="3.3.5") returned 1 [0099.726] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\*.*" [0099.726] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\*.*") returned 63 [0099.726] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\", lpString2="3.3.5" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.3.5") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.3.5" [0099.726] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.3.5", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\*.*" [0099.726] GlobalMemoryStatus (in: lpBuffer=0xb94fd08 | out: lpBuffer=0xb94fd08) [0099.726] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x11196fb8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x650 [0099.727] CloseHandle (hObject=0x650) returned 1 [0099.727] FindNextFileW (in: hFindFile=0x2c9f1c8, lpFindFileData=0xb94fd28 | out: lpFindFileData=0xb94fd28) returned 0 [0099.727] FindClose (in: hFindFile=0x2c9f1c8 | out: hFindFile=0x2c9f1c8) returned 1 Thread: id = 711 os_tid = 0x11e0 [0099.655] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\*.*", lpFindFileData=0xbbcfd28 | out: lpFindFileData=0xbbcfd28) returned 0x2c9f1c8 [0099.729] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.729] FindNextFileW (in: hFindFile=0x2c9f1c8, lpFindFileData=0xbbcfd28 | out: lpFindFileData=0xbbcfd28) returned 1 [0099.729] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.729] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.729] FindNextFileW (in: hFindFile=0x2c9f1c8, lpFindFileData=0xbbcfd28 | out: lpFindFileData=0xbbcfd28) returned 1 [0099.729] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0099.729] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0099.729] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0099.729] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\*.*" [0099.729] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\*.*") returned 70 [0099.729] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\en-US" [0099.729] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\en-US\\*.*" [0099.729] GlobalMemoryStatus (in: lpBuffer=0xbbcfd08 | out: lpBuffer=0xbbcfd08) [0099.729] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x217ca408, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x648 [0099.730] CloseHandle (hObject=0x648) returned 1 [0099.730] FindNextFileW (in: hFindFile=0x2c9f1c8, lpFindFileData=0xbbcfd28 | out: lpFindFileData=0xbbcfd28) returned 1 [0099.735] lstrcpyW (in: lpString1=0x21b9b3b8, lpString2="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\*.*" [0099.735] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\*.*") returned 70 [0099.735] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\How To Restore Files.hta" [0099.735] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\how to restore files.hta")) returned 0xffffffff [0099.735] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\How To Restore Files.hta" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 712 os_tid = 0x11e4 [0099.656] FindFirstFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*", lpFindFileData=0x638fd28) Thread: id = 713 os_tid = 0x11e8 [0099.657] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*", lpFindFileData=0xbd0fd28 | out: lpFindFileData=0xbd0fd28) returned 0x2c9f188 [0099.709] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.709] FindNextFileW (in: hFindFile=0x2c9f188, lpFindFileData=0xbd0fd28 | out: lpFindFileData=0xbd0fd28) returned 1 [0099.727] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.727] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.727] FindNextFileW (in: hFindFile=0x2c9f188, lpFindFileData=0xbd0fd28 | out: lpFindFileData=0xbd0fd28) returned 1 [0099.727] lstrcpyW (in: lpString1=0x1106ea80, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0099.727] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0099.728] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\How To Restore Files.hta" [0099.728] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\How To Restore Files.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\how to restore files.hta")) returned 0xffffffff [0099.728] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\How To Restore Files.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 714 os_tid = 0x11ec [0099.657] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\00VOU0EWPYblCrlHdi\\*.*", lpFindFileData=0xbf8fd28 | out: lpFindFileData=0xbf8fd28) returned 0x2c9ebc8 [0099.657] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.658] FindNextFileW (in: hFindFile=0x2c9ebc8, lpFindFileData=0xbf8fd28 | out: lpFindFileData=0xbf8fd28) returned 1 [0099.658] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.658] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.658] FindNextFileW (in: hFindFile=0x2c9ebc8, lpFindFileData=0xbf8fd28 | out: lpFindFileData=0xbf8fd28) returned 1 [0099.658] lstrcpyW (in: lpString1=0x217b23f0, lpString2="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\00VOU0EWPYblCrlHdi\\*.*" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\00VOU0EWPYblCrlHdi\\*.*") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\00VOU0EWPYblCrlHdi\\*.*" [0099.658] lstrlenW (lpString="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\00VOU0EWPYblCrlHdi\\*.*") returned 68 [0099.658] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\00VOU0EWPYblCrlHdi\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\00VOU0EWPYblCrlHdi\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\00VOU0EWPYblCrlHdi\\How To Restore Files.hta" [0099.658] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\00VOU0EWPYblCrlHdi\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\skwq hceu5\\00vou0ewpyblcrlhdi\\how to restore files.hta")) returned 0xffffffff [0099.658] CreateFileW (lpFileName="\\\\?\\C:\\Users\\CIiHmnxMn6Ps\\Pictures\\SKWQ hcEu5\\00VOU0EWPYblCrlHdi\\How To Restore Files.hta" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\skwq hceu5\\00vou0ewpyblcrlhdi\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 715 os_tid = 0x11f0 [0099.659] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*", lpFindFileData=0x6b4fd28 | out: lpFindFileData=0x6b4fd28) returned 0x2c9ed88 [0099.660] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.660] FindNextFileW (in: hFindFile=0x2c9ed88, lpFindFileData=0x6b4fd28 | out: lpFindFileData=0x6b4fd28) returned 1 [0099.660] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.660] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.660] FindNextFileW (in: hFindFile=0x2c9ed88, lpFindFileData=0x6b4fd28 | out: lpFindFileData=0x6b4fd28) returned 1 [0099.660] lstrcpyW (in: lpString1=0x217ba3f8, lpString2="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*" [0099.660] lstrlenW (lpString="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*") returned 75 [0099.660] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\How To Restore Files.hta" [0099.660] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\How To Restore Files.hta" (normalized: "c:\\program files\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\how to restore files.hta")) returned 0xffffffff [0099.660] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\How To Restore Files.hta" (normalized: "c:\\program files\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 716 os_tid = 0x11f4 [0099.661] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*", lpFindFileData=0xc0cfd28 | out: lpFindFileData=0xc0cfd28) returned 0x2c9edc8 [0099.661] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.662] FindNextFileW (in: hFindFile=0x2c9edc8, lpFindFileData=0xc0cfd28 | out: lpFindFileData=0xc0cfd28) returned 1 [0099.662] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.662] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.662] FindNextFileW (in: hFindFile=0x2c9edc8, lpFindFileData=0xc0cfd28 | out: lpFindFileData=0xc0cfd28) returned 1 [0099.662] lstrcpyW (in: lpString1=0x217c2400, lpString2="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*" [0099.662] lstrlenW (lpString="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*") returned 75 [0099.662] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\How To Restore Files.hta" [0099.662] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\How To Restore Files.hta" (normalized: "c:\\program files\\msbuild\\microsoft\\windows workflow foundation\\v3.5\\how to restore files.hta")) returned 0xffffffff [0099.662] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\How To Restore Files.hta" (normalized: "c:\\program files\\msbuild\\microsoft\\windows workflow foundation\\v3.5\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 717 os_tid = 0x11f8 [0099.663] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data\\*.*", lpFindFileData=0x6f0fd28 | out: lpFindFileData=0x6f0fd28) returned 0xffffffff Thread: id = 718 os_tid = 0x11fc [0099.663] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History\\*.*", lpFindFileData=0x704fd28 | out: lpFindFileData=0x704fd28) returned 0xffffffff Thread: id = 719 os_tid = 0x1200 [0099.664] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\*.*", lpFindFileData=0x718fd28) Thread: id = 720 os_tid = 0x1204 [0099.664] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\*.*", lpFindFileData=0x918fd28 | out: lpFindFileData=0x918fd28) returned 0x10805908 [0101.149] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.149] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x918fd28 | out: lpFindFileData=0x918fd28) returned 1 [0101.149] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0101.149] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.149] FindNextFileW (in: hFindFile=0x10805908, lpFindFileData=0x918fd28 | out: lpFindFileData=0x918fd28) returned 0 [0101.149] FindClose (in: hFindFile=0x10805908 | out: hFindFile=0x10805908) returned 1 Thread: id = 721 os_tid = 0x1208 [0099.665] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*.*", lpFindFileData=0xcf8fd28) Thread: id = 722 os_tid = 0x120c [0099.666] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0\\*.*", lpFindFileData=0xb34fd28 | out: lpFindFileData=0xb34fd28) returned 0x2c9eec8 [0099.716] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.716] FindNextFileW (in: hFindFile=0x2c9eec8, lpFindFileData=0xb34fd28 | out: lpFindFileData=0xb34fd28) returned 1 [0099.716] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.716] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.716] FindNextFileW (in: hFindFile=0x2c9eec8, lpFindFileData=0xb34fd28 | out: lpFindFileData=0xb34fd28) returned 1 [0099.717] lstrcmpW (lpString1=".", lpString2="en") returned -1 [0099.717] lstrcmpW (lpString1="..", lpString2="en") returned -1 [0099.717] lstrcmpiW (lpString1="windows", lpString2="en") returned 1 [0099.717] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0\\*.*" [0099.717] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0\\*.*") returned 76 [0099.717] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0\\", lpString2="en" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0\\en") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0\\en" [0099.717] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0\\en", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0\\en\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0\\en\\*.*" [0099.717] GlobalMemoryStatus (in: lpBuffer=0xb34fd08 | out: lpBuffer=0xb34fd08) [0099.717] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014b8, lpParameter=0x106e05f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x644 [0099.718] CloseHandle (hObject=0x644) returned 1 [0099.718] FindNextFileW (in: hFindFile=0x2c9eec8, lpFindFileData=0xb34fd28 | out: lpFindFileData=0xb34fd28) returned 1 [0099.718] lstrcpyW (in: lpString1=0x1105ea70, lpString2="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0\\*.*") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0\\*.*" [0099.718] lstrlenW (lpString="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0\\*.*") returned 76 [0099.718] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0\\How To Restore Files.hta") returned="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0\\How To Restore Files.hta" [0099.718] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0\\How To Restore Files.hta" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.0\\how to restore files.hta")) returned 0xffffffff [0099.718] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.0\\How To Restore Files.hta" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.0\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 723 os_tid = 0x1210 [0099.699] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\*.*", lpFindFileData=0x790fd28 | out: lpFindFileData=0x790fd28) returned 0x2c9eec8 [0099.700] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.700] FindNextFileW (in: hFindFile=0x2c9eec8, lpFindFileData=0x790fd28 | out: lpFindFileData=0x790fd28) returned 1 [0099.700] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.700] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.700] FindNextFileW (in: hFindFile=0x2c9eec8, lpFindFileData=0x790fd28 | out: lpFindFileData=0x790fd28) returned 1 [0099.700] lstrcpyW (in: lpString1=0x11196fb8, lpString2="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\*.*" [0099.701] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\*.*") returned 56 [0099.701] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\How To Restore Files.hta" [0099.701] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\oracle\\java\\.oracle_jre_usage\\how to restore files.hta")) returned 0x1 [0099.701] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="17dfc292991c7c24.timestamp id-Br3n0G72wUb8CejT.LyaS") returned 1 [0099.701] lstrlenW (lpString="17dfc292991c7c24.timestamp id-Br3n0G72wUb8CejT.LyaS") returned 51 [0099.701] lstrcmpiW (lpString1=".LyaS", lpString2=".LyaS") returned 0 [0099.701] FindNextFileW (in: hFindFile=0x2c9eec8, lpFindFileData=0x790fd28 | out: lpFindFileData=0x790fd28) returned 1 [0099.701] lstrcpyW (in: lpString1=0x11196fb8, lpString2="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\*.*" [0099.701] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\*.*") returned 56 [0099.701] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\How To Restore Files.hta" [0099.701] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\oracle\\java\\.oracle_jre_usage\\how to restore files.hta")) returned 0x1 [0099.701] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="How To Restore Files.hta") returned 0 [0099.702] FindNextFileW (in: hFindFile=0x2c9eec8, lpFindFileData=0x790fd28 | out: lpFindFileData=0x790fd28) returned 0 [0099.702] FindClose (in: hFindFile=0x2c9eec8 | out: hFindFile=0x2c9eec8) returned 1 Thread: id = 724 os_tid = 0x1214 [0099.703] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*.*", lpFindFileData=0xd24fd28 | out: lpFindFileData=0xd24fd28) returned 0x2c9eec8 [0099.703] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.703] FindNextFileW (in: hFindFile=0x2c9eec8, lpFindFileData=0xd24fd28 | out: lpFindFileData=0xd24fd28) returned 1 [0099.703] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.703] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.703] FindNextFileW (in: hFindFile=0x2c9eec8, lpFindFileData=0xd24fd28 | out: lpFindFileData=0xd24fd28) returned 1 [0099.703] lstrcpyW (in: lpString1=0x1105ea70, lpString2="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*.*" [0099.703] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*.*") returned 55 [0099.703] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\How To Restore Files.hta" [0099.703] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\oracle\\java\\installcache_x64\\how to restore files.hta")) returned 0x1 [0099.704] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="baseimagefam8 id-Br3n0G72wUb8CejT.LyaS") returned 1 [0099.704] lstrlenW (lpString="baseimagefam8 id-Br3n0G72wUb8CejT.LyaS") returned 38 [0099.704] lstrcmpiW (lpString1=".LyaS", lpString2=".LyaS") returned 0 [0099.704] FindNextFileW (in: hFindFile=0x2c9eec8, lpFindFileData=0xd24fd28 | out: lpFindFileData=0xd24fd28) returned 1 [0099.704] lstrcpyW (in: lpString1=0x1105ea70, lpString2="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*.*" [0099.704] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*.*") returned 55 [0099.704] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\How To Restore Files.hta" [0099.704] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\oracle\\java\\installcache_x64\\how to restore files.hta")) returned 0x1 [0099.704] lstrcmpiW (lpString1="How To Restore Files.hta", lpString2="How To Restore Files.hta") returned 0 [0099.704] FindNextFileW (in: hFindFile=0x2c9eec8, lpFindFileData=0xd24fd28 | out: lpFindFileData=0xd24fd28) returned 0 [0099.704] FindClose (in: hFindFile=0x2c9eec8 | out: hFindFile=0x2c9eec8) returned 1 Thread: id = 725 os_tid = 0x1218 [0099.705] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath\\*.*", lpFindFileData=0xe00fd28) Thread: id = 726 os_tid = 0x121c [0099.706] FindFirstFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath_target_5923062\\*.*", lpFindFileData=0xe64fd28) Thread: id = 727 os_tid = 0x1220 [0099.706] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpFindFileData=0xf18fd28 | out: lpFindFileData=0xf18fd28) returned 0x2c9f248 [0099.743] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.743] FindNextFileW (in: hFindFile=0x2c9f248, lpFindFileData=0xf18fd28 | out: lpFindFileData=0xf18fd28) returned 1 [0099.743] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.743] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.743] FindNextFileW (in: hFindFile=0x2c9f248, lpFindFileData=0xf18fd28 | out: lpFindFileData=0xf18fd28) returned 1 [0099.748] lstrcpyW (in: lpString1=0x21bab3c8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*" [0099.748] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*") returned 88 [0099.748] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\How To Restore Files.hta" [0099.748] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\how to restore files.hta")) returned 0xffffffff [0099.749] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 728 os_tid = 0x1224 [0099.707] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpFindFileData=0xf2cfd28 | out: lpFindFileData=0xf2cfd28) returned 0x2c9f208 [0099.737] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.737] FindNextFileW (in: hFindFile=0x2c9f208, lpFindFileData=0xf2cfd28 | out: lpFindFileData=0xf2cfd28) returned 1 [0099.737] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.737] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.737] FindNextFileW (in: hFindFile=0x2c9f208, lpFindFileData=0xf2cfd28 | out: lpFindFileData=0xf2cfd28) returned 1 [0099.742] lstrcpyW (in: lpString1=0x21ba33c0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*" [0099.742] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*") returned 88 [0099.742] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\How To Restore Files.hta" [0099.742] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\how to restore files.hta")) returned 0xffffffff [0099.748] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 729 os_tid = 0x1228 [0099.712] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpFindFileData=0xf40fd28 | out: lpFindFileData=0xf40fd28) returned 0x5c9310 [0099.755] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.755] FindNextFileW (in: hFindFile=0x5c9310, lpFindFileData=0xf40fd28 | out: lpFindFileData=0xf40fd28) returned 1 [0099.755] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.755] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.755] FindNextFileW (in: hFindFile=0x5c9310, lpFindFileData=0xf40fd28 | out: lpFindFileData=0xf40fd28) returned 1 [0099.759] lstrcpyW (in: lpString1=0x21bbb3d8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*" [0099.759] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*") returned 88 [0099.759] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\How To Restore Files.hta" [0099.759] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\how to restore files.hta")) returned 0xffffffff [0099.759] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 730 os_tid = 0x122c [0099.714] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpFindFileData=0x1189fd28 | out: lpFindFileData=0x1189fd28) returned 0x5c9250 [0099.751] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.751] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0x1189fd28 | out: lpFindFileData=0x1189fd28) returned 1 [0099.751] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.751] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.751] FindNextFileW (in: hFindFile=0x5c9250, lpFindFileData=0x1189fd28 | out: lpFindFileData=0x1189fd28) returned 1 [0099.754] lstrcpyW (in: lpString1=0x21bb33d0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*" [0099.754] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*") returned 88 [0099.754] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\How To Restore Files.hta" [0099.754] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\how to restore files.hta")) returned 0xffffffff [0099.754] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 731 os_tid = 0x1230 [0099.715] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpFindFileData=0x119dfd28 | out: lpFindFileData=0x119dfd28) returned 0x5c8d10 [0099.766] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.766] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x119dfd28 | out: lpFindFileData=0x119dfd28) returned 1 [0099.766] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.766] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.766] FindNextFileW (in: hFindFile=0x5c8d10, lpFindFileData=0x119dfd28 | out: lpFindFileData=0x119dfd28) returned 1 [0099.766] lstrcpyW (in: lpString1=0x21bcb3e8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*" [0099.766] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*") returned 88 [0099.766] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\How To Restore Files.hta" [0099.766] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\how to restore files.hta")) returned 0xffffffff [0099.767] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 732 os_tid = 0x1234 [0099.719] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpFindFileData=0x1255fd28 | out: lpFindFileData=0x1255fd28) returned 0x5c9450 [0099.761] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.761] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x1255fd28 | out: lpFindFileData=0x1255fd28) returned 1 [0099.761] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0099.761] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.761] FindNextFileW (in: hFindFile=0x5c9450, lpFindFileData=0x1255fd28 | out: lpFindFileData=0x1255fd28) returned 1 [0099.764] lstrcpyW (in: lpString1=0x21bc33e0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*" [0099.764] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*") returned 88 [0099.764] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\", lpString2="How To Restore Files.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\How To Restore Files.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\How To Restore Files.hta" [0099.765] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\how to restore files.hta")) returned 0xffffffff [0099.765] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\How To Restore Files.hta" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\how to restore files.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x6e7ba000" os_pid = "0xcc0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfd8" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /c vssadmin delete shadows /all" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00013da5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 514 start_va = 0x70000 end_va = 0xbffff entry_point = 0x70000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 515 start_va = 0xc0000 end_va = 0x40bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 516 start_va = 0x40c0000 end_va = 0x40dffff entry_point = 0x0 region_type = private name = "private_0x00000000040c0000" filename = "" Region: id = 517 start_va = 0x40e0000 end_va = 0x40e1fff entry_point = 0x0 region_type = private name = "private_0x00000000040e0000" filename = "" Region: id = 518 start_va = 0x40f0000 end_va = 0x4103fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000040f0000" filename = "" Region: id = 519 start_va = 0x4110000 end_va = 0x414ffff entry_point = 0x0 region_type = private name = "private_0x0000000004110000" filename = "" Region: id = 520 start_va = 0x4150000 end_va = 0x424ffff entry_point = 0x0 region_type = private name = "private_0x0000000004150000" filename = "" Region: id = 521 start_va = 0x4250000 end_va = 0x4253fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004250000" filename = "" Region: id = 522 start_va = 0x4260000 end_va = 0x4260fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004260000" filename = "" Region: id = 523 start_va = 0x4270000 end_va = 0x4271fff entry_point = 0x0 region_type = private name = "private_0x0000000004270000" filename = "" Region: id = 524 start_va = 0x776b0000 end_va = 0x77828fff entry_point = 0x776b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 525 start_va = 0x7f320000 end_va = 0x7f342fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f320000" filename = "" Region: id = 526 start_va = 0x7f344000 end_va = 0x7f344fff entry_point = 0x0 region_type = private name = "private_0x000000007f344000" filename = "" Region: id = 527 start_va = 0x7f34b000 end_va = 0x7f34bfff entry_point = 0x0 region_type = private name = "private_0x000000007f34b000" filename = "" Region: id = 528 start_va = 0x7f34d000 end_va = 0x7f34ffff entry_point = 0x0 region_type = private name = "private_0x000000007f34d000" filename = "" Region: id = 529 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 530 start_va = 0x7fff0000 end_va = 0x7dfc57b4ffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 531 start_va = 0x7dfc57b50000 end_va = 0x7ffc57b4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfc57b50000" filename = "" Region: id = 532 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 533 start_va = 0x7ffc57d12000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffc57d12000" filename = "" Region: id = 572 start_va = 0x42b0000 end_va = 0x42bffff entry_point = 0x0 region_type = private name = "private_0x00000000042b0000" filename = "" Region: id = 573 start_va = 0x5bab0000 end_va = 0x5bb22fff entry_point = 0x5bab0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 574 start_va = 0x5bb30000 end_va = 0x5bb7efff entry_point = 0x5bb30000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 575 start_va = 0x5baa0000 end_va = 0x5baa7fff entry_point = 0x5baa0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1641 start_va = 0x40c0000 end_va = 0x40cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000040c0000" filename = "" Region: id = 1642 start_va = 0x42c0000 end_va = 0x437dfff entry_point = 0x42c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1643 start_va = 0x4380000 end_va = 0x43bffff entry_point = 0x0 region_type = private name = "private_0x0000000004380000" filename = "" Region: id = 1644 start_va = 0x43f0000 end_va = 0x44effff entry_point = 0x0 region_type = private name = "private_0x00000000043f0000" filename = "" Region: id = 1645 start_va = 0x44f0000 end_va = 0x45effff entry_point = 0x0 region_type = private name = "private_0x00000000044f0000" filename = "" Region: id = 1646 start_va = 0x4780000 end_va = 0x478ffff entry_point = 0x0 region_type = private name = "private_0x0000000004780000" filename = "" Region: id = 1647 start_va = 0x74f40000 end_va = 0x7502ffff entry_point = 0x74f40000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1648 start_va = 0x75190000 end_va = 0x75305fff entry_point = 0x75190000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1649 start_va = 0x76f20000 end_va = 0x76fddfff entry_point = 0x76f20000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1650 start_va = 0x7f220000 end_va = 0x7f31ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f220000" filename = "" Region: id = 1651 start_va = 0x7f348000 end_va = 0x7f34afff entry_point = 0x0 region_type = private name = "private_0x000000007f348000" filename = "" Region: id = 1652 start_va = 0x40d0000 end_va = 0x40d3fff entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Thread: id = 9 os_tid = 0xcd4 [0089.541] GetModuleHandleA (lpModuleName=0x0) returned 0x70000 [0089.541] __set_app_type (_Type=0x1) [0089.541] __p__fmode () returned 0x76fd4d6c [0089.541] __p__commode () returned 0x76fd5b1c [0089.541] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x836e0) returned 0x0 [0089.541] __getmainargs (in: _Argc=0x950e8, _Argv=0x950ec, _Env=0x950f0, _DoWildCard=0, _StartInfo=0x950fc | out: _Argc=0x950e8, _Argv=0x950ec, _Env=0x950f0) returned 0 [0089.541] GetCurrentThreadId () returned 0xcd4 [0089.541] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xcd4) returned 0x84 [0089.542] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f40000 [0089.542] GetProcAddress (hModule=0x74f40000, lpProcName="SetThreadUILanguage") returned 0x74f82780 [0089.542] SetThreadUILanguage (LangId=0x0) returned 0x409 [0090.078] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0090.078] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x424fb34 | out: phkResult=0x424fb34*=0x0) returned 0x2 [0090.078] VirtualQuery (in: lpAddress=0x424fb3b, lpBuffer=0x424faec, dwLength=0x1c | out: lpBuffer=0x424faec*(BaseAddress=0x424f000, AllocationBase=0x4150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.078] VirtualQuery (in: lpAddress=0x4150000, lpBuffer=0x424faec, dwLength=0x1c | out: lpBuffer=0x424faec*(BaseAddress=0x4150000, AllocationBase=0x4150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0090.078] VirtualQuery (in: lpAddress=0x4151000, lpBuffer=0x424faec, dwLength=0x1c | out: lpBuffer=0x424faec*(BaseAddress=0x4151000, AllocationBase=0x4150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0090.078] VirtualQuery (in: lpAddress=0x4153000, lpBuffer=0x424faec, dwLength=0x1c | out: lpBuffer=0x424faec*(BaseAddress=0x4153000, AllocationBase=0x4150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.078] VirtualQuery (in: lpAddress=0x4250000, lpBuffer=0x424faec, dwLength=0x1c | out: lpBuffer=0x424faec*(BaseAddress=0x4250000, AllocationBase=0x4250000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0090.078] GetConsoleOutputCP () returned 0x1b5 [0090.410] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x9e460 | out: lpCPInfo=0x9e460) returned 1 [0090.410] SetConsoleCtrlHandler (HandlerRoutine=0x8f980, Add=1) returned 1 [0090.410] _get_osfhandle (_FileHandle=1) returned 0x3c [0090.411] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x0) returned 1 [0093.144] _get_osfhandle (_FileHandle=1) returned 0x3c [0093.144] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x9e40c | out: lpMode=0x9e40c) returned 1 [0094.320] _get_osfhandle (_FileHandle=1) returned 0x3c [0094.320] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x3) returned 1 [0096.267] _get_osfhandle (_FileHandle=0) returned 0x38 [0096.267] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x9e408 | out: lpMode=0x9e408) returned 1 [0096.792] _get_osfhandle (_FileHandle=0) returned 0x38 [0096.793] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1e7) Thread: id = 283 os_tid = 0xc78 Process: id = "3" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x29695000" os_pid = "0xd74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xcc0" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00013da5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 585 start_va = 0x7f6ff000 end_va = 0x7f6fffff entry_point = 0x0 region_type = private name = "private_0x000000007f6ff000" filename = "" Region: id = 586 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 587 start_va = 0x5d03050000 end_va = 0x5d0306ffff entry_point = 0x0 region_type = private name = "private_0x0000005d03050000" filename = "" Region: id = 588 start_va = 0x5d03070000 end_va = 0x5d03083fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005d03070000" filename = "" Region: id = 589 start_va = 0x5d03090000 end_va = 0x5d030cffff entry_point = 0x0 region_type = private name = "private_0x0000005d03090000" filename = "" Region: id = 590 start_va = 0x7df5ff320000 end_va = 0x7ff5ff31ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff320000" filename = "" Region: id = 591 start_va = 0x7ff7d5f80000 end_va = 0x7ff7d5fa2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7d5f80000" filename = "" Region: id = 592 start_va = 0x7ff7d5fab000 end_va = 0x7ff7d5fabfff entry_point = 0x0 region_type = private name = "private_0x00007ff7d5fab000" filename = "" Region: id = 593 start_va = 0x7ff7d5fae000 end_va = 0x7ff7d5faffff entry_point = 0x0 region_type = private name = "private_0x00007ff7d5fae000" filename = "" Region: id = 594 start_va = 0x7ff7d6b10000 end_va = 0x7ff7d6b20fff entry_point = 0x7ff7d6b10000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 595 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 793 start_va = 0x5d03170000 end_va = 0x5d0326ffff entry_point = 0x0 region_type = private name = "private_0x0000005d03170000" filename = "" Region: id = 794 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 795 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 826 start_va = 0x5d03050000 end_va = 0x5d0305ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005d03050000" filename = "" Region: id = 827 start_va = 0x5d030d0000 end_va = 0x5d0310ffff entry_point = 0x0 region_type = private name = "private_0x0000005d030d0000" filename = "" Region: id = 828 start_va = 0x5d03270000 end_va = 0x5d0332dfff entry_point = 0x5d03270000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 829 start_va = 0x7ff7d5e80000 end_va = 0x7ff7d5f7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7d5e80000" filename = "" Region: id = 830 start_va = 0x7ff7d5fac000 end_va = 0x7ff7d5fadfff entry_point = 0x0 region_type = private name = "private_0x00007ff7d5fac000" filename = "" Region: id = 831 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 832 start_va = 0x5d03060000 end_va = 0x5d03066fff entry_point = 0x0 region_type = private name = "private_0x0000005d03060000" filename = "" Region: id = 833 start_va = 0x5d03110000 end_va = 0x5d03110fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005d03110000" filename = "" Region: id = 834 start_va = 0x5d03120000 end_va = 0x5d03126fff entry_point = 0x0 region_type = private name = "private_0x0000005d03120000" filename = "" Region: id = 835 start_va = 0x5d03410000 end_va = 0x5d0341ffff entry_point = 0x0 region_type = private name = "private_0x0000005d03410000" filename = "" Region: id = 836 start_va = 0x7ffc4d3d0000 end_va = 0x7ffc4d422fff entry_point = 0x7ffc4d3d0000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 837 start_va = 0x7ffc511b0000 end_va = 0x7ffc51332fff entry_point = 0x7ffc511b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 838 start_va = 0x7ffc55280000 end_va = 0x7ffc552b5fff entry_point = 0x7ffc55280000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 839 start_va = 0x7ffc55380000 end_va = 0x7ffc554dbfff entry_point = 0x7ffc55380000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 840 start_va = 0x7ffc554e0000 end_va = 0x7ffc5562dfff entry_point = 0x7ffc554e0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 841 start_va = 0x7ffc55910000 end_va = 0x7ffc559cdfff entry_point = 0x7ffc55910000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 842 start_va = 0x7ffc56f10000 end_va = 0x7ffc57094fff entry_point = 0x7ffc56f10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 843 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 844 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 845 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 846 start_va = 0x7ffc57750000 end_va = 0x7ffc57890fff entry_point = 0x7ffc57750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 853 start_va = 0x5d03130000 end_va = 0x5d03130fff entry_point = 0x0 region_type = private name = "private_0x0000005d03130000" filename = "" Region: id = 854 start_va = 0x5d03140000 end_va = 0x5d03140fff entry_point = 0x0 region_type = private name = "private_0x0000005d03140000" filename = "" Region: id = 855 start_va = 0x5d03330000 end_va = 0x5d0336ffff entry_point = 0x0 region_type = private name = "private_0x0000005d03330000" filename = "" Region: id = 856 start_va = 0x5d033d0000 end_va = 0x5d033dffff entry_point = 0x0 region_type = private name = "private_0x0000005d033d0000" filename = "" Region: id = 857 start_va = 0x5d03420000 end_va = 0x5d035a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005d03420000" filename = "" Region: id = 858 start_va = 0x5d035b0000 end_va = 0x5d03730fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005d035b0000" filename = "" Region: id = 859 start_va = 0x5d03740000 end_va = 0x5d04b3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005d03740000" filename = "" Region: id = 860 start_va = 0x7ff7d5fa9000 end_va = 0x7ff7d5faafff entry_point = 0x0 region_type = private name = "private_0x00007ff7d5fa9000" filename = "" Region: id = 861 start_va = 0x7ffc54580000 end_va = 0x7ffc54592fff entry_point = 0x7ffc54580000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 862 start_va = 0x7ffc545a0000 end_va = 0x7ffc545e9fff entry_point = 0x7ffc545a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 863 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 864 start_va = 0x7ffc54670000 end_va = 0x7ffc54c97fff entry_point = 0x7ffc54670000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 865 start_va = 0x7ffc54f80000 end_va = 0x7ffc55032fff entry_point = 0x7ffc54f80000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 866 start_va = 0x7ffc559d0000 end_va = 0x7ffc56ef4fff entry_point = 0x7ffc559d0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 867 start_va = 0x7ffc578a0000 end_va = 0x7ffc578f0fff entry_point = 0x7ffc578a0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 868 start_va = 0x7ffc57aa0000 end_va = 0x7ffc57b45fff entry_point = 0x7ffc57aa0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 891 start_va = 0x7ffc52d70000 end_va = 0x7ffc52e05fff entry_point = 0x7ffc52d70000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1066 start_va = 0x5d03090000 end_va = 0x5d030cffff entry_point = 0x0 region_type = private name = "private_0x0000005d03090000" filename = "" Region: id = 1067 start_va = 0x5d03150000 end_va = 0x5d03153fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005d03150000" filename = "" Region: id = 1068 start_va = 0x5d04b40000 end_va = 0x5d04c4dfff entry_point = 0x0 region_type = private name = "private_0x0000005d04b40000" filename = "" Region: id = 1069 start_va = 0x5d04c50000 end_va = 0x5d04d07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005d04c50000" filename = "" Region: id = 1070 start_va = 0x5d04d20000 end_va = 0x5d04d2ffff entry_point = 0x0 region_type = private name = "private_0x0000005d04d20000" filename = "" Region: id = 1071 start_va = 0x5d04d30000 end_va = 0x5d05066fff entry_point = 0x5d04d30000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1072 start_va = 0x5d05070000 end_va = 0x5d05286fff entry_point = 0x0 region_type = private name = "private_0x0000005d05070000" filename = "" Region: id = 1073 start_va = 0x5d05290000 end_va = 0x5d054acfff entry_point = 0x0 region_type = private name = "private_0x0000005d05290000" filename = "" Region: id = 1074 start_va = 0x5d054b0000 end_va = 0x5d056ccfff entry_point = 0x0 region_type = private name = "private_0x0000005d054b0000" filename = "" Region: id = 1075 start_va = 0x5d056d0000 end_va = 0x5d057e2fff entry_point = 0x0 region_type = private name = "private_0x0000005d056d0000" filename = "" Region: id = 1076 start_va = 0x7ff7d5fae000 end_va = 0x7ff7d5faffff entry_point = 0x0 region_type = private name = "private_0x00007ff7d5fae000" filename = "" Region: id = 1077 start_va = 0x7ffc525f0000 end_va = 0x7ffc52611fff entry_point = 0x7ffc525f0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 1078 start_va = 0x7ffc52640000 end_va = 0x7ffc52652fff entry_point = 0x7ffc52640000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1079 start_va = 0x7ffc53720000 end_va = 0x7ffc53777fff entry_point = 0x7ffc53720000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1086 start_va = 0x5d03160000 end_va = 0x5d03166fff entry_point = 0x0 region_type = private name = "private_0x0000005d03160000" filename = "" Region: id = 1087 start_va = 0x5d03370000 end_va = 0x5d03374fff entry_point = 0x5d03370000 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 1088 start_va = 0x5d03380000 end_va = 0x5d03380fff entry_point = 0x5d03380000 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 1089 start_va = 0x5d03390000 end_va = 0x5d03391fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005d03390000" filename = "" Region: id = 1090 start_va = 0x7ffc4cbd0000 end_va = 0x7ffc4ce43fff entry_point = 0x7ffc4cbd0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll") Thread: id = 14 os_tid = 0xd70 Thread: id = 66 os_tid = 0xe24 Thread: id = 67 os_tid = 0xe08 Thread: id = 101 os_tid = 0x204